By NHI Mgmt Group Editorial TeamPublished 2026-05-28Domain: Governance & RiskSource: Oligo Security

TL;DR: Static scans produce 90 to 99 percent noise because they flag libraries and functions that never execute, while runtime inspection shows which code is actually live in production, according to Oligo Security. That shift turns compliance from assumption-based paperwork into evidence-based decision-making, especially where FedRAMP, PCI DSS 4.0, and SOC 2 depend on current execution context.


At a glance

What this is: This is an analysis of why runtime application inspection is replacing static scan assumptions for compliance evidence, with the key finding that most findings are noise until execution is observed.

Why it matters: For IAM-adjacent security programmes, the same evidence-first shift matters because governance breaks down when teams manage identities, privileges, or application risk from stale assumptions instead of current runtime truth.

By the numbers:

👉 Read Oligo Security's analysis of runtime compliance and evidence-based vulnerability management


Context

Runtime compliance is the practice of proving what is actually running in production, rather than inferring exposure from build-time artefacts. In the article's primary keyword, runtime compliance, the central problem is that static scans, SBOMs, and patch tickets often describe possible risk instead of observed execution, which weakens both audit evidence and operational prioritisation.

That matters for identity and access programmes because the same assumption problem appears whenever teams make decisions from stale inventories, delayed reviews, or theoretical privilege scope. If the evidence is not current, governance becomes paperwork rather than control, whether the subject is machine identity, human access, or application runtime context.

For identity and security leaders, the article is really about evidentiary quality. A control is only as useful as the truth it produces, and in dynamic environments the most defensible truth is what was observed in execution, not what was merely present in a manifest.


Key questions

Q: How should security teams decide which vulnerabilities matter when runtime data is available?

A: Teams should prioritise vulnerabilities that are both present and executed, because runtime evidence separates theoretical exposure from active risk. A package in a dependency tree is not enough on its own. Use function calls, load state, and anomalous behaviour to decide whether a finding belongs in urgent remediation, monitored acceptance, or closure.

Q: Why do static scans create so much noise in modern environments?

A: Static scans overstate risk because they infer exposure from artefacts such as SBOMs, manifests, and dependency trees. In dynamic systems, many flagged libraries never execute in production, so the scanner reports a condition that does not materially exist. That is why runtime proof is more useful than build-time assumption.

Q: How do compliance teams use runtime evidence in an audit?

A: Compliance teams use runtime evidence to show current control effectiveness, especially when proving that a vulnerable component did not execute during the review period. The strongest records are timestamped and directly tied to production behaviour. That gives auditors defensible evidence instead of delayed paperwork.

Q: When should organisations treat a scan finding as lower priority?

A: Organisations should lower priority only when they can prove non-execution in the relevant production context and can retain that proof for review. If the environment is changing quickly, a stale report is not enough. The decision should be documented so it can survive audit and incident review.


Technical breakdown

Static SBOMs versus runtime evidence

Static SBOMs tell you what was shipped, not what was executed. That distinction matters because a dependency tree can include vulnerable libraries that never load in production, while other code paths become relevant only under specific traffic, configuration, or session conditions. Runtime evidence replaces probabilistic assumptions with observed behaviour, which makes vulnerability scoping and audit defence materially stronger. In practice, this is the difference between inventory and exposure. It also changes how teams interpret findings: a CVE in a dormant component is not the same as a CVE in an executed code path.

Practical implication: use runtime execution data to separate theoretical findings from in-scope exposure before assigning remediation priority.

How runtime observation supports compliance evidence

Runtime observation produces timestamped proof of whether a vulnerable function was actually called, whether a library was loaded, and whether anomalous behaviour occurred in production. That evidence is more persuasive than retrospective artefacts because it answers the auditor's real question: what happened in the environment during the period under review? Frameworks such as FedRAMP, PCI DSS 4.0, and SOC 2 all depend on current control effectiveness, so observed non-execution can materially strengthen the case for reduced likelihood or impact. This is evidence collection, not just detection.

Practical implication: retain runtime records in a form that can be retrieved quickly during audit, risk acceptance, and exception review.

Why dynamic environments break build-time compliance assumptions

Modern application environments change faster than traditional review cycles. Containers are rebuilt, dependencies are updated, feature flags alter code paths, and AI-assisted attack methods compress the exploit window. A control model that assumes slow change will always lag behind those realities. That is why static compliance artefacts age into historical documents almost immediately. The architectural issue is not merely scan quality, but the mismatch between the speed of production systems and the speed of governance processes.

Practical implication: align vulnerability governance to live execution states, not to infrequent scan or ticketing cycles.



NHI Mgmt Group analysis

Build-time theory is the wrong control model for runtime compliance: Static artefacts assume that the presence of a dependency means meaningful exposure, but runtime systems only create risk when code actually executes. That assumption fails in dynamic environments where libraries sit idle, execution paths vary, and audit evidence decays quickly. The implication is that compliance teams must stop treating inventory as proof of risk.

Runtime truth is an evidence standard, not a tooling feature: The real shift is from speculative risk to observed behaviour. When a platform can show that a vulnerable function never executed, it changes both remediation priority and audit posture. That is why this category belongs alongside broader governance and evidence management, not just application scanning.

FedRAMP, PCI DSS 4.0, and SOC 2 all reward current evidence over historical artefacts: These frameworks are built on the idea that teams can demonstrate control effectiveness in the present tense. When static reports arrive months late, they describe a past state that no longer exists. Practitioners should treat runtime evidence as the control signal that keeps compliance tied to reality.

Runtime compliance reduces noise, but noise reduction is not the whole story: The deeper value is decision quality. If 90 to 99 percent of scanner output never executes, then teams are spending governance effort on the wrong population of findings. The field should reframe compliance as evidence selection, not report accumulation.

Runtime evidence changes the governance assumption behind remediation SLAs: Remediation windows were designed for environments where exposure could only be inferred from static inventories. That assumption fails when execution can be observed continuously and non-execution can be proven. The implication is that compliance programmes should rethink when a finding is truly time-critical, not just when it appears in a scan.

From our research:

What this signals

Runtime compliance is becoming the evidence layer for broader identity governance: the same operational weakness that affects static vulnerability scanning also appears in identity programmes that rely on stale inventories and delayed reviews. When 90 to 99 percent of flagged items never execute, the governance lesson is simple: current state matters more than declared state, especially in high-churn environments.

That shift will force security teams to merge compliance operations with live telemetry rather than treating them as separate disciplines. For IAM and GRC leaders, the practical question is whether your evidence model can prove what is active right now, not what was once approved.

The next maturity step is less about adding another control and more about tightening the evidence chain. If runtime observation can tell you what is truly in use, it can also help distinguish between routine exposure, exceptional exposure, and exposure that exists only on paper.


For practitioners

  • Prioritise findings by runtime execution, not by package presence Use observed load and function-call data to decide which CVEs are genuinely in scope before opening remediation work. Treat dormant libraries as a different governance class from executed code paths.
  • Preserve runtime evidence for audit retrieval Store timestamped records that show library load status, function invocation, and anomalous behaviour so auditors can validate control effectiveness without recreating the evidence later.
  • Map scan noise to risk acceptance thresholds Define when a static finding can be downgraded because runtime non-execution is proven, and document the criteria used to make that decision. That keeps exceptions defensible and repeatable.
  • Align vulnerability workflows to production reality Synchronise triage with live execution state, deployment cadence, and change windows so remediation is based on what is actually running rather than what was once shipped.

Key takeaways

  • Static compliance artefacts often describe theoretical exposure, not active risk.
  • Runtime observation gives auditors and security teams current evidence, which can materially change remediation priority and SLA handling.
  • Security programmes should align vulnerability governance to observed execution, because evidence quality now drives compliance quality.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST CSF 2.0 set the technical controls, while PCI DSS v4.0 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0GV.RM-01Runtime evidence improves risk decisions based on current system state.
NIST CSF 2.0DE.CM-08Continuous monitoring supports visibility into what is actually executing in production.
PCI DSS v4.06.3.1Risk-ranked vulnerability management depends on evidence of real exploitability.

Tie remediation priority to observed execution so risk decisions reflect live conditions.


Key terms

  • Runtime Compliance: Runtime compliance is the practice of proving control effectiveness from what is actually happening in production rather than from static documentation. It uses observed execution, current system state, and timestamped evidence to support audit, remediation, and risk decisions in changing environments.
  • Runtime Evidence: Runtime evidence is proof collected from live systems showing which libraries, functions, or behaviours actually executed during a defined period. It is stronger than build-time artefacts because it reflects current reality, not historical intent or assumed exposure.
  • Software Bill of Materials: A software bill of materials is an inventory of software components and dependencies included in an application. It is useful for supply chain visibility, but on its own it cannot prove whether a vulnerable component ever executed in production.

What's in the full article

Oligo Security's full article covers the operational detail this post intentionally leaves for the source:

  • How Deep Application Inspection distinguishes executed code paths from dormant dependencies in live environments.
  • The specific FedRAMP, PCI DSS 4.0, and SOC 2 clauses the vendor maps runtime evidence to in audit workflows.
  • Examples of how runtime findings were reduced in customer environments, including backlog reductions and compliance handling.
  • Sensor overhead and deployment considerations for teams evaluating runtime inspection in production.

👉 Oligo Security's full post covers the runtime evidence model, framework mappings, and performance details.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org