If an AI coding agent can run unchecked against Snowflake, you have no way to prove what data it touched. Session recording is the only reliable way to create an immutable audit trail of every query, transformation, and export the agent performs.
Why the default setup fails
Devin, an LLM‑driven coding assistant, typically receives a static Snowflake credential from a CI pipeline and connects directly with the standard Snowflake client. The credential is scoped to a role that can read and write across multiple schemas, and the connection is established over the internet without any intermediate control point. Because the agent runs the client itself, any logs it produces are under its own control and can be altered or omitted.
Most teams rely on OIDC or SAML authentication to verify that the request originates from a trusted service account. That identity check decides who can start a session, but it does not capture what the session does. The request still reaches Snowflake unmediated, leaving the organization without a verifiable record, without real‑time masking of sensitive columns, and without a chance to intervene if Devin attempts a dangerous operation.
The missing enforcement layer
To achieve true session recording, the enforcement must happen on the data path – the point where the request travels from the agent to Snowflake. Only a gateway that sits in that path can inspect the Snowflake wire protocol, duplicate the traffic for log storage, and apply policy decisions before the query reaches the database.
Without such a gateway, any attempt to add session recording at the agent level is ineffective. If the agent is compromised, the recorded logs can be tampered with, and the organization loses the evidentiary value needed for audits or incident response.
Introducing hoop.dev as the data‑path gateway
hoop.dev is a Layer 7 identity‑aware proxy that sits between Devin and Snowflake. It runs a lightweight network‑resident agent inside the same VPC or subnet as Snowflake, while the gateway itself is deployed as a Docker Compose stack or a Kubernetes service. The gateway holds the Snowflake credential; the AI agent never sees it.
When Devin initiates a connection, hoop.dev validates the OIDC token, extracts group membership, and decides whether the request is allowed. Once authorized, the gateway forwards the Snowflake wire protocol to the database, simultaneously recording every request and response. The recorded stream is stored in a secure audit log that can be replayed for forensic analysis.
Because the enforcement happens in the gateway, the organization can also enable inline masking of sensitive columns, block dangerous commands (such as DROP DATABASE), and route high‑risk queries to a human approver before they execute. All of these controls are impossible to guarantee when the agent talks directly to Snowflake.
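The decision path described above, as an added illustration in Python (not hoop.dev's code, whose rule syntax this page does not show): the gateway classifies each statement before forwarding it, blocking DROP DATABASE outright, holding DDL and stage-unload statements for a human approver, masking sensitive columns in the reply, and appending both request and response to a hash-chained audit log that any later edit would break. The regexes, the masked column names and the `backend` callable are constructed assumptions standing in for real policy and the gateway's own Snowflake connection.

```python
import hashlib, json, re
# Constructed policy for the gateway's decision point (hoop.dev's own rule syntax is not shown here).
BLOCK_RE = re.compile(r"^\s*DROP\s+DATABASE\b", re.I)             # never forwarded to Snowflake
DDL_RE = re.compile(r"^\s*(CREATE|ALTER|DROP|TRUNCATE)\b", re.I)   # held for a human approver
EXFIL_RE = re.compile(r"COPY\s+INTO\s+@|^\s*GET\s+@", re.I)        # unload to / download from a stage
MASKED_COLUMNS = {"email", "ssn"}                                   # masked inline before the agent sees them

def decide(sql):
    """Classify one statement as 'block', 'approve' (wait for a human) or 'allow'."""
    if BLOCK_RE.search(sql):
        return "block"
    if DDL_RE.search(sql) or EXFIL_RE.search(sql):
        return "approve"
    return "allow"

def mask_rows(columns, rows):
    """Replace values of sensitive columns; the agent only ever receives the masked copy."""
    return [["***" if c.lower() in MASKED_COLUMNS else v for c, v in zip(columns, row)] for row in rows]

class AuditLog:
    """Append-only, hash-chained record held by the gateway, outside the agent's reach."""
    def __init__(self):
        self.entries, self.prev = [], "0" * 64
    def append(self, principal, sql, decision, response=None):
        entry = {"principal": principal, "sql": sql, "decision": decision,
                 "response": response, "prev": self.prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.prev = entry["hash"]
        self.entries.append(entry)
        return entry
    def verify(self):  # recompute the chain: an edited, removed or reordered entry breaks it
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True

def handle(log, principal, sql, backend):
    """Gateway path for one request: decide, forward only if allowed, mask the reply, record both sides."""
    decision = decide(sql)
    if decision != "allow":
        log.append(principal, sql, decision)
        return decision, None
    columns, rows = backend(sql)  # backend stands in for the gateway's own Snowflake connection
    masked = mask_rows(columns, rows)
    log.append(principal, sql, decision, {"columns": columns, "rows": masked})
    return decision, masked
```

Because the log lives in the gateway process rather than the agent's container, a compromised agent cannot suppress entries, and `verify()` exposes any tampering with the stored stream.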
Common mistakes to avoid
- Relying on the agent’s own logs. Agent‑generated logs are mutable and can be suppressed. Use a gateway‑level recorder instead.
- Embedding the recorder inside the AI container. If the container is compromised, the recorder can be disabled. Keep the recorder external to the agent process.
- Granting overly broad Snowflake roles. Broad roles increase blast radius and make masking harder. Scope the role to the minimum objects needed for each request.
- Skipping just‑in‑time approval. Allowing all queries by default defeats the purpose of session recording. Configure hoop.dev to require approval for DDL or data‑exfiltration patterns.
Best‑practice checklist
- Deploy hoop.dev using the getting‑started guide and place the gateway in the same network segment as Snowflake.
- Register the Snowflake connection in hoop.dev, letting the gateway store the credential.
- Configure OIDC authentication so that only authorized service accounts can request a session.
- Enable session recording in the gateway settings; verify that the audit store receives a complete stream for each session.
- Define inline masking rules for columns that contain PII or secrets, and test them using the learn section.
- Set up approval workflows for high‑risk queries, ensuring that a human can veto destructive commands before they reach Snowflake.
FAQ
Does hoop.dev store Snowflake credentials?
Yes. The gateway holds the credential and presents it to Snowflake on behalf of the AI agent. The agent never receives the secret, reducing exposure.
Can I retrieve a replay of a recorded session?
hoop.dev stores a chronological log of the Snowflake wire protocol. The logs can be streamed back to a forensic tool for replay, showing exactly what queries were sent and what responses were returned.
Is session recording enough for compliance?
Session recording provides the core evidence required by most audit frameworks. Combined with approval workflows and masking, it gives a complete picture of who did what, when, and why.
Ready to protect your AI‑driven Snowflake workloads? Explore the open‑source repository and follow the getting‑started documentation to deploy hoop.dev and enable session recording today.