All posts
June 22, 20263 min read

Segregation of Duties for ReAct

When a single credential can both fetch data and issue commands, a lack of segregation of duties can turn a harmless query into a costly data breach or an unintended configuration change. The financial impact of a rogue write operation, regulatory fines, and the loss of trust can far outweigh the convenience of shared access. ReAct agents are powerful because they combine retrieval and reasoning in a single loop. In practice, the same LLM that extracts customer information may also be prompted

Free White Paper

DPoP (Demonstration of Proof-of-Possession): The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

When a single credential can both fetch data and issue commands, a lack of segregation of duties can turn a harmless query into a costly data breach or an unintended configuration change. The financial impact of a rogue write operation, regulatory fines, and the loss of trust can far outweigh the convenience of shared access.

ReAct agents are powerful because they combine retrieval and reasoning in a single loop. In practice, the same LLM that extracts customer information may also be prompted to update a record, delete a file, or trigger a deployment. Without clear separation of duties, the system cannot tell whether the action aligns with the operator’s intent, nor can auditors prove who approved the change.

Segregation of duties (SoD) requires that distinct responsibilities be assigned to different identities or roles, and that any crossing of those boundaries be explicitly authorized. For ReAct, this means separating the "read" function from the "write" or "execute" function, and ensuring that any escalation is subject to human review, masking of sensitive output, and immutable logging.

Why the data path must enforce segregation of duties

Identity providers (OIDC or SAML) can verify who is making a request, but they cannot enforce what the request does once it reaches the target service. The enforcement point has to sit in the data path – the place where traffic actually flows between the ReAct agent and the downstream resource. Only a gateway that inspects the protocol can decide whether a command should be allowed, masked, or sent for approval.

hoop.dev provides that gateway. It sits between the ReAct runtime and the infrastructure it talks to (databases, HTTP APIs, or SSH hosts). The gateway receives the user’s identity token, checks the attached groups or roles, and then applies policy decisions in real time.

Setup: identity and role definition

First, define two minimal roles in your identity provider: a reader that can issue only SELECT‑type queries, and a writer that can issue INSERT, UPDATE, DELETE, or any command that changes state. Assign engineers to the reader role by default; grant writer privileges only after a separate approval workflow.

The data path: hoop.dev as the enforcement boundary

When a ReAct prompt triggers a database call, the request passes through hoop.dev. The gateway examines the SQL verb, matches it against the caller’s role, and takes one of three actions:

Continue reading? Get the full guide.

DPoP (Demonstration of Proof-of-Possession): Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.
  • Allow – if the command matches the caller’s permitted verbs.
  • Mask – if the response contains sensitive fields, hoop.dev redacts them before they reach the LLM.
  • Require approval – if the command exceeds the caller’s role, the request is held for a human approver and only forwarded once approved.

Because hoop.dev is the only component that sees the full command, it is the sole source of segregation enforcement. Without it, the ReAct agent would talk directly to the database and bypass any duty checks.

Enforcement outcomes that realize SoD

hoop.dev records every session, providing a replayable audit trail that shows who asked for what, which command was executed, and whether an approval was required. It masks sensitive columns in query results, preventing the LLM from learning privileged data it should not retain. It also blocks disallowed commands outright, ensuring that a reader cannot accidentally perform a write.

These outcomes exist only because hoop.dev sits in the data path; the identity system alone cannot guarantee that a read‑only token will never be used for a write.

Practical steps to implement segregation of duties for ReAct

  1. Map your ReAct workflows to concrete actions (e.g., data lookup, record update, service restart).
  2. Create minimal roles in your IdP that reflect those actions. Keep the default role read‑only.
  3. Deploy hoop.dev using the getting‑started guide. The quick‑start Docker compose places the gateway and its agent on the same network as the target resource.
  4. Register each target (PostgreSQL, HTTP API, SSH host) as a connection in hoop.dev. The gateway stores the credential; the ReAct runtime never sees it.
  5. Define policies in hoop.dev that bind SQL verbs or HTTP methods to the roles created in step 2. Enable inline masking for columns such as SSN, credit‑card number, or API keys.
  6. Turn on just‑in‑time approvals for any write‑type operation. Approvers receive a concise request description and can approve or deny from the hoop.dev UI.
  7. Verify that every session is recorded by reviewing the audit logs in the feature documentation. Use the replay function to demonstrate compliance during audits.

Following these steps gives you a clear separation of duties: the ReAct engine can retrieve data under a read‑only identity, while any state‑changing action must be explicitly authorized and logged.

FAQ

Can I use the same identity for both read and write?

Technically you could, but segregation of duties loses its protective value. hoop.dev will still enforce the policy, but you would need to rely on separate role assignments in the IdP to make the enforcement meaningful.

What happens if a command is blocked?

hoop.dev returns a clear error to the ReAct runtime, indicating that the operation requires approval or is disallowed. The agent can then decide to halt the workflow or request human intervention.

Is the audit data tamper‑proof?

hoop.dev stores session records in a durable store within the gateway, making them available for replay and audit. The logs are suitable for audit purposes and are designed to resist unauthorized modification.

Ready to see the code in action? Explore the open‑source repository on GitHub and start securing your ReAct pipelines today.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot