Putting access controls around Claude: guardrails for AI coding agents (on Azure)

How can you make sure an AI coding assistant like Claude doesn’t expose secrets or run unsafe commands on your Azure resources? When Claude is used as a coding partner, it talks directly to your databases, storage accounts, and compute endpoints. Without a control layer, every request it generates is treated as a legitimate call from a human operator, and the organization loses visibility into what the model is actually doing. In that raw state there is no guardrails, no audit trail, and no way to stop a stray query that could leak a password or delete a critical table.

Most teams today hand Claude a static credential or a service‑account key and let it connect straight to the target service. The credential is stored in a configuration file or environment variable that the model can read on each invocation. Because the connection bypasses any mediation point, the AI can issue any command the credential permits, from reading entire customer tables to modifying infrastructure settings. There is no record of which prompt triggered the action, no inline filtering of sensitive fields, and no opportunity for a human to approve a high‑risk operation before it runs.

This lack of control creates three concrete risks. First, secret leakage: a prompt that asks Claude to “show me the connection string” will be answered with the raw secret, which could be logged or exfiltrated. Second, command abuse: a seemingly harmless request to “list all containers” could be expanded by the model into a destructive bulk delete if the underlying credential allows it. Third, audit gaps: security teams cannot answer who asked the model to run a particular query, making incident response and compliance reporting extremely difficult.

Guardrails, in this context, are runtime governance mechanisms that sit between the AI agent and the Azure resource. They include command‑level approval workflows, inline data masking of sensitive response fields, session recording for replay, and the ability to block or rewrite dangerous commands before they reach the target. The goal is to treat every AI‑generated request as if it were coming from a human operator, subject to the same checks, logs, and approvals that an engineer would face.

The missing piece in many deployments is a place where those guardrails can be enforced. Even if you provision a least‑privilege service account (the setup step) and you federate it with Azure AD, the request still travels directly to the database or storage endpoint. Without a dedicated data‑path component, the guardrails remain theoretical; the AI still reaches the target unfiltered, and no enforcement outcomes are guaranteed.

hoop.dev provides that data‑path enforcement point. It runs as a Layer 7 gateway that proxies every Claude connection to Azure services. The gateway validates the user’s OIDC token, extracts group membership, and then sits in the traffic flow, inspecting each protocol message before it is forwarded. Because hoop.dev is the only component that can see the request and the response, it can apply masking, require just‑in‑time approval for privileged commands, and record the entire session for later replay.

From a setup perspective, you configure an Azure OIDC identity provider, grant the service account only the permissions it truly needs, and point hoop.dev at the target resource. The gateway holds the credential, so the Claude agent never sees it. When a prompt generates a SQL statement, hoop.dev examines the statement, masks any column that matches a configured sensitive pattern, and checks whether the operation exceeds a predefined risk threshold. If it does, the request is paused and routed to an approver; only after explicit consent does hoop.dev forward the command to the database.

Because hoop.dev is the active enforcement engine, it delivers the core guardrails outcomes. hoop.dev records each session, providing a complete replayable audit trail. hoop.dev masks sensitive fields in responses, preventing accidental exposure of secrets. hoop.dev blocks commands that match a deny list, protecting the resource from destructive actions. hoop.dev routes high‑risk operations to a human approver, ensuring that no privileged change occurs without oversight. All of these outcomes exist solely because the gateway sits in the data path.

The result is a measurable reduction in blast radius and a clear evidence trail for auditors. Security teams can answer who initiated a particular AI‑driven change, what data was returned, and whether the operation was approved. Because the enforcement point is independent of the Azure resource, you can apply the same guardrails across databases, storage accounts, and compute services without rewriting application code.

hoop.dev is open source, MIT‑licensed, and can be self‑hosted in your own network. The project includes a Docker Compose quick‑start that pulls the gateway, an agent, and the necessary OIDC configuration. For a step‑by‑step walkthrough, see the getting started guide. The broader feature set, including inline masking and approval workflows, is documented on the learn page. Both resources walk you through provisioning the Azure identity, registering the target, and enabling guardrails for Claude.

FAQ

Can I use hoop.dev with other AI models besides Claude?

Yes. The gateway is model‑agnostic; any LLM that issues network calls can be routed through hoop.dev, and the same guardrails apply.

Do I need to change my existing Azure credentials?

No. You grant hoop.dev a service‑account credential with the minimum required permissions. The AI never sees the credential directly.

How does hoop.dev handle compliance reporting?

All sessions are recorded and can be exported for audit purposes, giving you the evidence needed for standards that require access logs and approval records.

Explore the open‑source repository on GitHub to get the code, contribute, or customize the guardrails for your environment.