Subscribe to the Non-Human & AI Identity Journal

Dynamic Code Execution

A runtime behaviour where software fetches, builds, decodes, or runs code after installation instead of containing all logic up front. In extension security, this is a red flag because it can hide payload delivery, evade static review, and turn a simple plugin into a loader.

Expanded Definition

Dynamic code execution refers to runtime behavior where a system creates, retrieves, decodes, or invokes executable logic after deployment. In NHI and extension security, that matters because the trust decision shifts from source code review to runtime behavior, where hidden logic can arrive through configuration, network calls, reflection, or embedded interpreters.

Definitions vary across vendors on whether this includes simple plugin loading, script evaluation, bytecode generation, or full remote payload execution. For NHI Management Group, the security concern is not the language feature itself but the loss of pre-execution visibility and control. A benign extension model can become risky when it can fetch a script, transform a token into executable instructions, or run code from an untrusted source without a clear approval boundary. The NIST Cybersecurity Framework 2.0 is useful here because it emphasizes managing risk across the full system lifecycle, not just during development.

The most common misapplication is treating all runtime loading as equivalent, which occurs when teams approve flexible extension points without distinguishing signed plugins from arbitrary code evaluation.

Examples and Use Cases

Implementing dynamic code execution controls rigorously often introduces flexibility constraints, requiring organisations to weigh rapid extensibility against the operational risk of unseen logic.

  • A browser extension downloads a remote script at startup and executes it to add features. That may be convenient, but it also creates a path for payload substitution if the delivery channel is compromised.
  • An AI agent uses a tool wrapper that turns model output into executable commands. This is high risk when output validation is weak, because the agent can be induced to generate unexpected instructions.
  • A security product unpacks obfuscated code before running it to inspect or transform data. This is sometimes necessary, but it must be bounded by allowlists and integrity checks.
  • A service account runs a plugin system where new modules are pulled from an internal repository. The pattern is safer when modules are signed, version-pinned, and reviewed before deployment.
  • The article Analysis of Claude Code Security is relevant because code-assist tooling often exposes the same runtime trust issues when generated or fetched code is executed without strong guardrails.

In many implementations, the key question is whether the code source is trusted, whether execution is observable, and whether the surrounding NHI has enough privilege to make the outcome dangerous.

Why It Matters in NHI Security

Dynamic code execution is especially dangerous in NHI environments because service accounts, API keys, and agent identities often operate with broad privileges and little human oversight. If malicious or malformed code runs under an NHI, the blast radius can include secret theft, lateral movement, unauthorized API calls, and persistence across automation pipelines. NHI Management Group research shows that 30.9% of organisations store long-term credentials directly in code, a condition that becomes far more damaging when that code can also be executed or replaced at runtime.

This is why dynamic execution should be evaluated alongside secret handling, runtime policy, and privileged access boundaries, not as a standalone application concern. The risk is amplified when code is fetched from external sources, generated by an agent, or interpreted from user-controlled input. Related guidance from the NIST Cybersecurity Framework 2.0 reinforces the need for continuous monitoring and access governance across the full control plane, while NHI Mgmt Group research on the Ultimate Guide to NHIs shows how often secrets and privileges remain too exposed for comfort.

Organisations typically encounter the consequences only after a compromised extension, poisoned update, or agent-triggered payload has already executed, at which point dynamic code execution becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-02 Dynamic execution often hides secret use and payload loading, which NHI-02 is meant to reduce.
OWASP Agentic AI Top 10 AGENT-04 Agent toolchains can turn model output into executable actions or code at runtime.
CSA MAESTRO MAESTRO-03 MAESTRO addresses agent autonomy and the risks of untrusted runtime action generation.
NIST CSF 2.0 PR.AC-4 Least-privilege access is critical when runtime code can act under NHI authority.
NIST Zero Trust (SP 800-207) SC-7 Zero Trust emphasizes continuous verification before allowing runtime actions or code fetches.

Limit the privileges available to any identity that can trigger or host dynamic execution.