All posts
June 18, 20263 min read

Putting access controls around Devin: production access for AI coding agents (on BigQuery)

How can you safely grant production access to an AI coding agent like Devin for your BigQuery datasets? Most teams hand an AI agent a static service‑account key or embed a privileged credential in the CI pipeline. The agent then talks directly to BigQuery, bypassing any human review. In that model the credential never changes, the same token is reused for every request, and there is no record of which query was run, who triggered it, or whether the result contained sensitive fields. If Devin ac

Free White Paper

AI Model Access Control + Customer Support Access to Production: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

How can you safely grant production access to an AI coding agent like Devin for your BigQuery datasets?

Most teams hand an AI agent a static service‑account key or embed a privileged credential in the CI pipeline. The agent then talks directly to BigQuery, bypassing any human review. In that model the credential never changes, the same token is reused for every request, and there is no record of which query was run, who triggered it, or whether the result contained sensitive fields. If Devin accidentally generates a SELECT that pulls PII, the data leaves the environment unchecked.

Even when you add an identity provider and enforce that only a specific service account may be used, the enforcement stops at authentication. The request still reaches BigQuery over the network, and there is no inline guardrail to stop a dangerous command, no just‑in‑time approval workflow, and no audit trail that survives beyond the client process. In short, the setup gives you identity, but it does not give you control over production access.

The gap is the data‑path enforcement layer. Without a gateway that sits between Devin and BigQuery, you cannot mask column values, require an on‑demand approval step, or capture a replayable session for later review. Those capabilities are essential when you are granting an autonomous agent production access to a data warehouse that holds regulated information.

hoop.dev fills that gap. It acts as a Layer 7 gateway that proxies every BigQuery request. Identity is still handled by your OIDC or SAML provider, which tells hoop.dev who is trying to run a query. The gateway then applies the policy you define: it can mask fields such as social security numbers in query results, pause a query that matches a risky pattern until an authorized reviewer approves it, and record the full request‑response exchange for replay. Because hoop.dev sits in the data path, the enforcement outcomes exist only because the gateway is present.

Why production access needs a dedicated gateway

Production access to a data warehouse carries three distinct risks:

  • Data leakage: An unrestricted query can return raw PII or proprietary metrics.
  • Unintended impact: Heavy analytical queries can consume quota, affect latency for downstream services, or trigger cost spikes.
  • Lack of accountability: Without a reliable audit log, it is impossible to prove who ran what and when.

Each of those risks can be mitigated only when the request passes through a component that can inspect, transform, and log the traffic before it reaches BigQuery. hoop.dev provides exactly that inspection point.

Continue reading? Get the full guide.

AI Model Access Control + Customer Support Access to Production: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

How hoop.dev enforces production access for Devin

When Devin initiates a query, the following logical flow occurs:

  1. Authentication: Devin presents an OIDC token issued by your identity provider. hoop.dev validates the token and extracts group membership to determine the user’s role.
  2. Policy evaluation: The gateway checks the request against the production‑access policy you have defined. If the query touches a protected table, hoop.dev either masks the protected columns or requires a human approver before forwarding the request.
  3. Inline masking: For columns marked as sensitive, hoop.dev replaces the actual values with tokenised placeholders in the response stream, ensuring that downstream consumers never see raw data.
  4. Just‑in‑time approval: If the query matches a high‑risk pattern (for example, a DELETE or a full‑table export), hoop.dev pauses execution and sends a notification to the designated reviewer. Only after explicit approval does the gateway let the query continue.
  5. Session recording: Every request and response packet is stored in a replayable log. The log includes the identity of the caller, the exact query text, and the masked result set, giving you immutable evidence of production access.

Because hoop.dev holds the credential for BigQuery internally, Devin never sees the underlying service‑account key. The gateway is the only component that can speak to BigQuery, which means all enforcement happens where it can be trusted.

Getting started

To put this control plane in place, start with the official getting‑started guide. It walks you through deploying the gateway via Docker Compose, registering a BigQuery connection, and configuring the production‑access policy that includes masking rules and approval workflows. The documentation also explains how to hook your OIDC provider into hoop.dev so that Devin’s token can be verified automatically.

For deeper details on the masking and approval features, see the learn section of the site. Both pages assume you have already provisioned the gateway and registered the target resource.

FAQ

Can hoop.dev block a query after it has started executing?

Yes. The gateway inspects the query before it reaches BigQuery. If the policy requires approval, the request never leaves the gateway until an authorized reviewer grants permission.

Does hoop.dev store the raw data returned by BigQuery?

No. The session log contains the masked result set. Sensitive columns are replaced with placeholders at the gateway, so the raw values never get persisted.

What happens if an AI agent tries to bypass the gateway?

Because the credential for BigQuery is stored only inside the gateway, the agent cannot connect directly. Any attempt to use a static key will be rejected by the network topology if the gateway is the sole egress point.

By placing the enforcement layer in the data path, hoop.dev gives you the production access controls you need for autonomous agents like Devin while preserving auditability and data protection.

Ready to try it out? Explore the open‑source repository on GitHub and follow the getting‑started guide to secure your AI‑driven workloads today.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot