All posts
June 18, 20263 min read

SOC 2 for non-human identities: governing machine access end to end (on on-prem)

Many teams believe that simply assigning service accounts is enough to satisfy soc 2, but that view ignores the need for continuous, auditable control over machine‑initiated actions. In most on‑prem environments, non‑human identities – service accounts, CI/CD tokens, and automation bots – are provisioned once and then left to run indefinitely. Credentials are often stored in shared files or environment variables, and the same secret may be reused across dozens of pipelines. When a job fails or

Free White Paper

End-to-End Encryption + Non-Human Identity Management: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

Many teams believe that simply assigning service accounts is enough to satisfy soc 2, but that view ignores the need for continuous, auditable control over machine‑initiated actions.

In most on‑prem environments, non‑human identities – service accounts, CI/CD tokens, and automation bots – are provisioned once and then left to run indefinitely. Credentials are often stored in shared files or environment variables, and the same secret may be reused across dozens of pipelines. When a job fails or a script misbehaves, there is rarely any record of which identity issued which command, what data was returned, or whether the operation complied with policy. The result is a black box that auditors cannot inspect.

Even when organizations adopt modern identity providers and enforce least‑privilege roles, the enforcement point remains at the identity layer. An OIDC token may prove who the caller is, and an IAM role may restrict which resources can be touched, but nothing stops the caller from issuing a destructive SQL statement, reading raw logs, or exfiltrating data once the connection is established. The audit trail is limited to authentication events; the actual activity inside the session is invisible.

What soc 2 expects for machine access

soc 2 focuses on five trust service criteria: security, availability, processing integrity, confidentiality, and privacy. For the security criterion, auditors look for evidence that every access request – human or machine – is authorized, monitored, and recorded. Specific artifacts include:

  • Authenticated identity logs showing who or what initiated a connection.
  • Authorization decisions that tie a request to a policy (e.g., least‑privilege, just‑in‑time approval).
  • Detailed activity logs that capture each command or query executed during a session.
  • Evidence of data protection, such as masking of sensitive fields in responses.
  • Retention of session recordings that can be replayed for forensic analysis.

Without a mechanism that captures these artifacts at the point of interaction, organizations rely on ad‑hoc scripts or manual log collection, which are error‑prone and often incomplete. Auditors will flag the lack of granular, immutable evidence as a control weakness.

The missing control surface

Identity management and role‑based policies address “who may access,” but they do not address “what is done once access is granted.” The missing piece is a data‑path enforcement layer that sits between the non‑human identity and the target system. This layer must be able to:

  • Inspect each request in real time and enforce command‑level policies.
  • Require a human approval step for high‑risk operations before they are forwarded.
  • Mask or redact sensitive fields in responses to protect confidentiality.
  • Record the full session for later replay and audit.

Only when such a gateway exists can an organization produce the full set of soc 2 artifacts that auditors demand.

How hoop.dev fulfills the data‑path requirement

hoop.dev is a Layer 7 gateway that sits in the data path for every connection made by a non‑human identity. By proxying traffic to databases, Kubernetes clusters, SSH servers, and HTTP services, hoop.dev can apply the controls listed above without exposing credentials to the calling process. The gateway records each session, masks configured fields, and can pause a request for a just‑in‑time approval workflow. Because the enforcement happens outside the agent that runs the workload, the agent never sees the secret, and the policy engine cannot be bypassed by the workload itself.

From an auditor’s perspective, hoop.dev generates the evidence required by soc 2:

Continue reading? Get the full guide.

End-to-End Encryption + Non-Human Identity Management: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.
  • Per‑session logs that tie every command to the originating service account.
  • Approval records that show who authorized a privileged operation and when.
  • Masked data snapshots that demonstrate confidentiality controls.
  • Replay‑able session recordings that support forensic investigations.

The gateway retains the artifacts in a location that can be protected and accessed for audit purposes, making extraction straightforward.

Mapping hoop.dev capabilities to the trust service criteria

Security: The gateway enforces least‑privilege policies and blocks disallowed commands before they reach the target system.

Availability: By centralising access through a resilient proxy, organizations can monitor health and apply rate‑limiting to protect downstream services.

Processing integrity: Inline masking ensures that sensitive data is never inadvertently logged or exposed downstream.

Confidentiality: Masked fields are redacted in real time, satisfying requirements for data‑in‑transit protection.

Privacy: Session recordings can be retained or purged according to data‑retention policies, providing control over personal data exposure.

Getting started

To adopt this approach, begin by deploying the gateway in your on‑prem network. The official getting‑started guide walks you through a Docker‑Compose deployment, OIDC configuration, and connection registration for common targets such as PostgreSQL, SSH, and Kubernetes. Once the gateway is running, define masking rules, approval policies, and access scopes for each non‑human identity. Detailed feature documentation is available on the learn site.

FAQ

Q: Do I still need IAM roles for my service accounts?
A: Yes. IAM roles define the baseline permissions for each identity. hoop.dev adds a second enforcement layer that validates each request against policy before it reaches the target.

Q: How long are session recordings retained?
A: Retention is configurable. Choose a period that satisfies your internal policies and the evidence‑retention requirements of soc 2.

Q: Can I audit existing workloads without changing them?
A: Because hoop.dev operates as a network‑resident proxy, you can route traffic through it without modifying the workload code, preserving existing deployment pipelines.

By placing a transparent, policy‑driven gateway in the data path, organizations can turn opaque machine activity into a rich, auditable evidence set that satisfies soc 2 requirements.

Explore the open‑source implementation on GitHub and start building the audit trail your auditors expect.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot