By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: SecureframePublished February 11, 2026

TL;DR: Security researchers counted more than 48,000 new CVEs in 2025, roughly 20% above 2024’s record pace, underscoring why vulnerability management must operate continuously rather than as a quarterly checklist, according to Secureframe. The article frames vulnerability management as an operational control loop, not a point-in-time assessment, and that shift now drives both security and compliance outcomes.


At a glance

What this is: This guide argues that vulnerability management is a continuous process for finding, prioritising, and reducing security weaknesses across systems, code, and cloud resources.

Why it matters: It matters because IAM, NHI, and broader security programmes depend on continuous visibility into exposed assets, weak controls, and remediation ownership before those weaknesses become access paths.

By the numbers:

👉 Read Secureframe's step-by-step guide to the vulnerability management process


Context

Vulnerability management fails when organisations treat exposure as a periodic audit task instead of an ongoing control process. The article’s core argument is that the growth rate of published CVEs, combined with cloud, code, and configuration drift, makes static checklists obsolete for modern security programmes.

That matters for identity programmes because vulnerable systems often become identity problems quickly: leaked credentials, weak authentication defaults, over-permissioned service accounts, and unrotated secrets create the conditions for lateral movement. In practice, vulnerability management increasingly intersects with IAM, PAM, and NHI governance even when the original weakness looks purely technical.


Key questions

Q: How should security teams prioritise vulnerabilities when remediation capacity is limited?

A: Prioritise by exposure, business criticality, and the identities attached to the affected asset. A remotely reachable flaw on a system with privileged access or sensitive data deserves earlier attention than a technically severe issue on an isolated low-value system. Tie severity scoring to ownership, exploitability, and blast radius so remediation decisions reflect real risk, not just scanner output.

Q: Why do vulnerabilities become identity risks so quickly in modern environments?

A: Because many systems do not just process data, they also carry credentials, tokens, certificates, and service accounts that control other systems. Once an attacker reaches the vulnerable asset, those identities can provide lateral movement, privilege escalation, or persistence. That is why vulnerability management and identity governance must be linked rather than run as separate programmes.

Q: What do security teams get wrong about vulnerability management in complex environments?

A: They often treat the software flaw as the whole problem. In practice, the risk also depends on deployment topology, third-party dependencies, privileged identities and how quickly the environment can absorb a fix without disruption. Effective vulnerability management is therefore a coordination problem across architecture, operations and identity governance.

Q: What frameworks should vulnerability management programmes align to?

A: Most programmes map cleanly to NIST Cybersecurity Framework, NIST SP 800-53, and CIS Controls v8, with identity-sensitive environments also needing IAM and NHI governance references. The key is to use frameworks to structure ownership, logging, remediation, and validation, not to turn compliance into a substitute for operational risk reduction.


Technical breakdown

Why vulnerability management needs to be continuous

Vulnerability management is the lifecycle discipline of discovering weaknesses, deciding which ones matter, fixing them, and verifying that remediation actually held. The difference from assessment is timing and ownership: assessment finds issues, management creates a loop that keeps finding new issues as assets, code, and cloud configurations change. That matters because modern environments change faster than most quarterly review cycles. Continuous monitoring, integrated ticketing, and risk scoring turn vulnerability data into an operational queue rather than a static report.

Practical implication: teams should treat scanning results as inputs to a standing remediation workflow, not as an end state.

How configuration baselines reduce exploitable exposure

A secure baseline defines how systems, workloads, and cloud resources should be configured before they are exposed to users or the internet. This includes patching discipline, logging, anti-malware, encryption, and hardened defaults such as approved authentication settings. The key point is that many vulnerabilities are not created by malicious code but by inconsistent build standards and drift after deployment. In identity terms, weak defaults often appear as broad access, insecure authentication, or unmanaged credentials that sit outside normal governance.

Practical implication: standardise secure build baselines and validate them before deployment, especially where identities or secrets control access.

Where scanning, risk assessment, and pen testing fit together

Scanning tells you what exists, risk assessment tells you what it means, and penetration testing shows whether the control environment can actually withstand abuse. Static application security testing and dynamic testing cover different parts of the lifecycle, while infrastructure scans catch exposed services and known CVEs. Risk assessment then maps these findings to business criticality, while pen testing validates that the assumptions behind those controls are real. The strongest programmes connect all three into one decision chain.

Practical implication: align scanning, risk scoring, and testing so the remediation queue reflects business impact rather than raw vulnerability volume.


Threat narrative

Attacker objective: The attacker aims to convert a known weakness into unauthorized access, persistence, or data exposure before defenders can remediate it.

  1. Entry occurs through exposed software, weak configuration, or an unpatched service that presents a known vulnerability to attackers.
  2. Escalation follows when the exposed weakness enables privilege gain, credential theft, or access to adjacent systems that were not intended to be reachable.
  3. Impact lands as data exposure, unauthorized system control, or a wider attack path that turns one overlooked weakness into operational compromise.

NHI Mgmt Group analysis

Continuous vulnerability management is now an access-control problem as much as a patching problem. Vulnerable systems increasingly become the easiest route into identity systems, cloud workloads, and privileged tools. When attackers exploit exposed services or insecure defaults, they often inherit the permissions attached to those systems rather than bypass them. The operational conclusion is that vulnerability workflows must include identity and privilege review, not only software remediation.

From our research: Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs. That lack of visibility means vulnerability management teams may be fixing technical issues while missing the identities those systems depend on. If service accounts, API keys, and certificates are not inventoried, the remediation plan is incomplete. Practitioners should treat identity inventory as part of exposure management.

The named concept here is exposure-to-identity drift: weaknesses in software or configuration quickly become identity risk once credentials, service accounts, or admin paths are attached to the affected system. This is why vulnerability severity alone does not describe operational risk. A low-severity flaw on a system holding privileged credentials can be more dangerous than a higher-severity issue on a low-value asset. The practical conclusion is that privilege context must shape prioritisation.

Automation changes the scale of the problem, but it does not change the governance obligation. Faster scanning and ticket creation help teams keep up with CVE volume, yet they can also create noise if ownership, remediation SLA, and validation are unclear. Mature programmes tie scanning to clear accountability, exception handling, and closure evidence. The practitioner takeaway is to automate the workflow, not the decision-making responsibility.

What this signals

Vulnerability management programmes are becoming identity-adjacent whether teams planned for it or not. As exposed software, cloud drift, and weak defaults converge with privileged accounts and secrets, remediation has to include visibility into the identities attached to the affected systems.

Exposure-to-identity drift: this is the point at which a technical weakness becomes a governance issue because the affected asset also carries credentials or administrative access. Teams that cannot inventory those identities will struggle to prove remediation actually reduced risk, especially where the asset controls production workloads or sensitive data.

For practitioners, the next maturity step is to connect vulnerability queues to identity inventory, service account ownership, and remediation validation. That is the only way to move from volume management to blast-radius reduction, and it aligns well with the control intent of the NIST Cybersecurity Framework 2.0 and NIST SP 800-53 Rev 5 Security and Privacy Controls.


For practitioners

  • Build a continuous remediation queue Feed scanner findings directly into a triaged workflow that assigns owners, severity, remediation SLA, and validation status so the queue stays live between assessment cycles.
  • Add identity context to vulnerability prioritisation Flag assets that host service accounts, API keys, certificates, or admin interfaces so exposure scores reflect the identity impact of a compromise, not just the technical CVSS score.
  • Harden configuration baselines before deployment Use approved build standards for cloud resources, logging, encryption, and authentication defaults, then verify those baselines as part of release gating instead of post-deployment cleanup.
  • Close the loop with validation testing Require evidence that fixes removed the exposure, then rescan or retest the affected service to confirm the vulnerability is no longer reachable in the live environment.

Key takeaways

  • Vulnerability management only works when it operates as a continuous control loop, not a quarterly review task.
  • The real risk is not just the CVE count, but the identities and privileges attached to the exposed asset.
  • Teams should prioritise remediation by exploitability, ownership, and blast radius, then validate that the fix actually closed the exposure.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0ID.RA-1Risk identification and analysis fit a continuous vulnerability programme.
NIST SP 800-53 Rev 5RA-5RA-5 directly governs vulnerability scanning and analysis.
CIS Controls v8CIS-7 , Continuous Vulnerability ManagementThis article is fundamentally about continuous vulnerability management.
MITRE ATT&CKTA0006 , Credential Access; TA0004 , Privilege Escalation; TA0008 , Lateral MovementExposed weaknesses often become the entry point for credential theft and follow-on movement.

Use ATT&CK to map vulnerability exposure to likely attack paths and prioritise systems with privileged reach.


Key terms

  • Runtime Vulnerability Management: Runtime Vulnerability Management prioritises flaws based on what software actually does in production, not only on static scan results or catalogue entries. It combines execution telemetry, reachability, and exploit signals to determine whether a finding is genuinely actionable in the current environment.
  • Vulnerability Assessment: A structured review of systems to identify weaknesses before they are exploited. It is broader than a scan because it includes judgement about exposure, business context, and which findings matter enough to drive remediation or mitigation.
  • Configuration Baseline: The approved reference state for a system, policy, or controlled asset. A baseline defines what the environment should look like after a legitimate change. Security teams use it to compare current state against intended state and to spot drift, tampering, or incomplete implementation.
  • Exposure-to-Identity Drift: The condition where a technical weakness becomes an identity and privilege problem because the affected asset also carries credentials, service accounts, or administrative access. It is a practical risk pattern, not a formal standard, and it often increases blast radius more than the vulnerability score suggests.

What's in the full article

Secureframe's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step vulnerability management policy template language for formal programme ownership and review.
  • Detailed guidance on automating scanner output, ticketing, and continuous monitoring workflows.
  • Practical examples of using Secureframe with AWS Inspector and GitHub integrations for vulnerability tracking.
  • The article's FAQ section with process definitions and program-building prompts for compliance teams.

👉 Secureframe's full post covers the process steps, policy template, and automation details in more depth.

Deepen your knowledge

NHI Mgmt Group’s NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It gives practitioners a structured way to connect identity controls to the broader security programme they operate.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org