All posts
June 16, 20263 min read

SOC 2 for AI coding agents: guardrails for code and data access

An AI coding agent opened a connection to your production database at 2am, ran a migration, and read three tables that hold customer records. Nobody was awake. When the SOC 2 auditor asks who accessed that data and under what authorization, "the agent did it" is not an answer they accept. SOC 2 for AI coding agents comes down to one principle the controls all serve: every action against a real system must be attributable to a named identity, scoped to what that identity was allowed to do, and r

Free White Paper

AI Guardrails + AI Code Generation Security: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

An AI coding agent opened a connection to your production database at 2am, ran a migration, and read three tables that hold customer records. Nobody was awake. When the SOC 2 auditor asks who accessed that data and under what authorization, "the agent did it" is not an answer they accept.

SOC 2 for AI coding agents comes down to one principle the controls all serve: every action against a real system must be attributable to a named identity, scoped to what that identity was allowed to do, and recorded where the actor cannot alter the record. An agent that writes and runs code does not change that principle. It raises the volume of activity that has to satisfy it.

What SOC 2 actually expects around access

The Trust Services Criteria do not name AI agents. They expect logical access controls (CC6) that restrict access to systems, authorize each principal, and produce evidence that the controls operated over the audit period. The relevant questions an auditor will put to you are concrete:

  • Which identity initiated this database session, and how was it authenticated?
  • Was its access scoped to the minimum needed, or did it hold standing privileges?
  • Where is the command-level record, and could the actor have edited it?
  • Were sensitive fields exposed in the output, or redacted before they left the system?

Answer those four for a human engineer and you have most of a SOC 2 access story. The agent breaks it because the agent runs continuously, holds whatever credential you handed it, and logs to its own context, which it controls. SOC 2 enforcement of the access principle has to move off the agent and onto the boundary the agent crosses.

Where the boundary belongs

The architectural requirement is simple to state and easy to get wrong. The control that authorizes and records the agent's access to infrastructure must live outside the agent process. If the agent can reconfigure the policy or rewrite the log, the evidence is worthless, because the actor under audit also controls the audit. The record has to accumulate somewhere the agent cannot reach.

This is the model hoop.dev's access gateway is built around. The coding agent does not connect to your database directly. It connects through an identity-aware proxy that authenticates the request against your identity provider, applies just-in-time scope instead of a standing credential, records the session at the command level outside the agent, and masks sensitive fields in the returned data before they reach the agent. To be precise about what that boundary does and does not touch: it governs the infrastructure connection the agent opens, not the model. hoop.dev does not read the agent's prompt or its generated output. It governs the queries and commands the agent runs against your systems.

Continue reading? Get the full guide.

AI Guardrails + AI Code Generation Security: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

How an agent running through the gateway produces SOC 2 evidence

Run the agent's database and infrastructure access through the gateway and the evidence accumulates as a byproduct of normal work, which is the only way it stays honest over a year-long audit period:

  1. Named identity per session. The agent authenticates through your OIDC or SAML provider, so each session ties to a specific service identity, not a shared key. That satisfies the "who" question for CC6.1.
  2. Just-in-time scope. Access is granted for the task and bounded, so the agent does not carry production privileges between runs. That answers the least-privilege question without a quarterly access review scramble.
  3. Command-level recording outside the process. Every query the agent issues is recorded at the gateway, where the agent cannot edit it. That is the tamper-evident record an auditor wants for CC7.
  4. Inline masking. Where a connection supports it, sensitive values in query results are redacted before they reach the agent, so customer data is not exposed to a process you do not fully trust.

hoop.dev holds SOC 2 Type II itself, and it generates the access evidence teams use for their own SOC 2 program. It does not make a connection "SOC 2 certified," because no tool can; it produces the per-identity logs, approval records, and masking proof that an auditor reviews.

The failure mode to avoid

The tempting shortcut is to give the agent a long-lived database credential and turn on verbose logging inside the agent's runtime. That fails the audit on its own terms. The credential is standing access nobody reviews, and the log lives inside the process being audited. When the auditor asks whether the actor could have altered the record, the answer is yes, and the control fails.

FAQ

Does SOC 2 require special controls for AI coding agents?

No. SOC 2 treats an agent as another principal that accesses systems. The same logical access criteria apply. The agent simply makes per-identity attribution and recording harder to fake, so the boundary has to enforce them.

Can hoop.dev make my AI agent SOC 2 compliant?

No tool makes anything SOC 2 compliant. hoop.dev generates the evidence for SOC 2 that auditors review: who connected, what command ran, what was approved, and what was masked.

Does hoop.dev inspect what the agent generates?

No. hoop.dev governs the database and infrastructure connections the agent uses. It does not read the model's prompt or output.

The control that proves SOC 2 access has to sit where the agent cannot rewrite it. Read how the gateway model works on the hoop.dev getting started guide, then explore the open-source code at github.com/hoophq/hoop to see exactly where the boundary records each session.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot