Containerised workloads need drift prevention because a workload can be approved at build time and still behave maliciously at runtime. Malware that uses fileless execution or hidden startup logic may never appear in the image scan, so the security team needs controls that compare live behaviour against the expected state.
Why This Matters for Security Teams
Containerised workloads are not defended effectively by image trust alone because malware can arrive after deployment, persist in memory, or trigger only under specific runtime conditions. That is why drift prevention matters: it detects when a running container departs from its approved behaviour, rather than assuming the scan at build time remains valid. Current guidance suggests pairing image assurance with runtime enforcement, especially for workloads that handle secrets, tokens, or API access.
The operational risk is familiar in NHI security as well. The Critical Gaps in Machine Identity Management report found that 53% of organisations have already experienced a security incident directly related to machine identity management failures, which is a useful signal of how quickly identity controls can fail once runtime reality diverges from policy. In container environments, that divergence can be caused by injected code, altered startup commands, or compromised sidecars that never appear in the original artifact review. Runtime control is therefore a malware defence control, not just an operational hardening measure. In practice, many security teams discover drift only after a benign-looking container has already been used to pivot, exfiltrate, or establish persistence.
How It Works in Practice
Drift prevention compares what a container is allowed to do with what it is actually doing. The expected state is usually defined from the signed image, declared entrypoint, approved command line, known network destinations, mounted paths, and permitted process tree. At runtime, policy enforcement watches for deviations such as a shell spawning unexpectedly, a new binary executing from a writable layer, outbound traffic to an unapproved host, or a process reading secrets it should never touch. This is where workload identity becomes important: the defender needs to know not only what the container is, but what it is authorised to do in this specific runtime context.
For identity-backed controls, many teams use SPIFFE workload identity specification patterns to bind cryptographic identity to the running workload, then enforce policy at request time rather than relying on static IPs or image labels. NHIMG guidance on the Guide to SPIFFE and SPIRE is particularly relevant because it shows how short-lived workload identity can support tighter runtime decisions. For container drift defence, the practical stack often includes:
- immutable image provenance checks before deploy
- runtime process and syscall monitoring for unexpected execution paths
- policy-as-code to block unauthorised network, file, or privilege changes
- ephemeral credentials with aggressive TTLs so stolen secrets expire quickly
- automatic quarantine or kill actions when behaviour deviates materially
When these controls are in place, the goal is not to prove the container is harmless forever. The goal is to reduce the window in which a workload can change state, abuse secrets, or persist after compromise. These controls tend to break down when privileged containers, hostPath mounts, or broad service-account permissions allow the workload to reshape its own environment faster than policy can respond.
Common Variations and Edge Cases
Tighter drift prevention often increases operational overhead, requiring organisations to balance malware containment against deployment speed and debugging flexibility. That tradeoff is especially visible in CI/CD-heavy environments, where legitimate jobs may spawn helper processes, fetch dependencies at runtime, or mutate files in temporary paths. Current guidance suggests treating those exceptions explicitly rather than weakening the baseline policy for every workload.
The biggest edge case is legitimate dynamism. Service mesh sidecars, init containers, and auto-updaters can look like drift even when they are expected, so policy must distinguish approved orchestration from unauthorised behaviour. Another common gap is that image scanning still matters, but it is not sufficient on its own. runtime drift prevention complements build-time controls by catching fileless malware, hidden startup logic, and post-deploy compromise. That distinction aligns with NHIMG research on the Shai Hulud npm malware campaign and the DeepSeek breach, both of which reinforce how quickly secrets exposure and runtime abuse can outpace static review. Best practice is evolving, but the consistent theme is clear: if the workload can execute, fetch, or authenticate at runtime, it needs enforcement that tracks actual behaviour, not just approved artifacts.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Runtime drift often exposes weak secret rotation and lifecycle control. |
| OWASP Agentic AI Top 10 | A-04 | Behavioural drift and unauthorized actions are core runtime abuse signals. |
| NIST AI RMF | Risk-based runtime monitoring fits AI governance for dynamic workloads. |
Apply continuous monitoring and incident response to detect and contain behavioural deviation.
Related resources from NHI Mgmt Group
- What makes Shai Hulud 2.0 different from a normal npm malware event?
- How should security teams build cloud threat detection for short-lived workloads?
- How should teams apply seccomp to containerised workloads without breaking applications?
- How should security teams think about a compromised integration like Drift?
