Putting access controls around Devin: audit trails for AI coding agents (on Snowflake)

Devin, an AI‑powered coding assistant, has been granted a service account that can run arbitrary queries against a Snowflake warehouse, but the organization lacks audit trails for those actions. When a developer asks Devin to pull a customer list, the request is executed without any human eyes on the command, and the result streams back to the IDE. The same credential is also used by CI pipelines to generate reports, meaning every automated job inherits the same level of unrestricted access. If Devin is compromised, an attacker could exfiltrate data, delete tables, or create hidden back‑doors, and the organization would have no reliable way to prove what happened.

Because Devin operates through a shared secret, the team cannot attribute a specific query to a particular user or job. There is no chronological record of who asked for what, no way to replay a suspicious session, and no mechanism to hide sensitive columns from logs. In short, the environment lacks the audit trails that security and compliance programs demand for any access to production data.

Why audit trails matter for Devin

Audit trails give visibility into every interaction with a data platform. They let you answer three critical questions after an incident: who initiated the request, what exact statements were sent to Snowflake, and what data was returned. Without that visibility, a breach investigation stalls, and auditors cannot verify that privileged access was controlled.

In the current model, the service account token is stored in a CI secret manager and handed directly to the AI agent. The token travels straight to Snowflake, bypassing any enforcement point. The request reaches the database, the query runs, and the response is sent back. No intermediate system records the transaction, masks personally identifiable information, or requires a human to approve high‑risk operations. The organization therefore remains blind to the very actions it needs to monitor.

What a complete control model requires

A solid model starts with strong identity foundations. Each developer, CI job, or AI agent must authenticate against an OIDC or SAML provider, receiving a short‑lived token that conveys group membership. Those tokens decide whether a request is allowed to start, but they do not enforce per‑query policies. The next layer must sit on the network path between the identity system and Snowflake. That layer is the only place where you can inspect, record, and intervene on every SQL statement before it touches the database.

Even with perfect identity, the request still flows directly to Snowflake. The missing piece is a gateway that can capture each command, attach a timestamp, and store the full session for later replay. It must also be able to redact credit‑card numbers or social security numbers in real time, and it should offer just‑in‑time approval for destructive statements like DROP TABLE. Those enforcement outcomes exist only when a dedicated data‑path component is present.

hoop.dev as the data‑path gate for Devin

hoop.dev sits exactly where enforcement belongs – between the authenticated identity and the Snowflake endpoint. It receives the OIDC token, validates the user’s groups, and then proxies the SQL traffic to Snowflake. While the connection passes through hoop.dev, every statement is examined. hoop.dev records each query, timestamps it, and writes a complete session log that can be replayed on demand. If a query contains a column marked as sensitive, hoop.dev masks that field in the response before it reaches the AI agent.

Because hoop.dev is the only point that can block or approve commands, it is also the component that creates audit trails. When a developer asks Devin to delete a table, hoop.dev can pause the request and route it to an approver. Once approved, the command proceeds and the full interaction, including the request, approval step, execution, and response, is logged for later replay.

The setup phase still relies on OIDC or SAML providers to issue short‑lived tokens. Those tokens tell hoop.dev who is calling, but the enforcement – the audit trails, masking, and just‑in‑time approvals – happens inside hoop.dev’s gateway. This separation ensures that even a compromised token cannot bypass logging, because the gateway enforces policy on every packet that traverses it.

Deploying hoop.dev is straightforward. A Docker Compose file can launch the gateway and a network‑resident agent that lives next to Snowflake’s private endpoint. The agent holds the Snowflake credentials, so users and AI agents never see the secret. Detailed steps are covered in the getting‑started guide and the broader learn section. The source code and contribution guidelines are available on GitHub.

Key enforcement outcomes

• Full audit trails for every Devin‑initiated Snowflake query.
• Real‑time masking of sensitive columns before data reaches the AI agent.
• Just‑in‑time approval workflows for destructive or high‑risk statements.
• Session recording that can be replayed for forensic analysis.
• Zero‑knowledge handling of Snowflake credentials – the gateway, not the agent, ever sees the secret.

FAQ

Do I need to change my existing Snowflake users?

No. hoop.dev uses its own service identity to connect to Snowflake. Existing users and roles remain untouched; the gateway simply proxies the traffic.

Can I still use my CI pipelines with Devin?

Yes. CI jobs obtain an OIDC token, pass it to hoop.dev, and the gateway applies the same audit‑trail logic as interactive sessions.

What happens if the gateway is unavailable?

All traffic to Snowflake is forced through hoop.dev, so if the gateway is down the request fails. This fail‑closed behavior protects the database from untracked access.

By placing the enforcement point in the data path, hoop.dev gives you the audit trails you need to trust AI‑driven access to Snowflake while keeping credentials secure and providing real‑time visibility into every query.