Teams should prioritise vulnerabilities that are both present and executed, because runtime evidence separates theoretical exposure from active risk. A package in a dependency tree is not enough on its own. Use function calls, load state, and anomalous behaviour to decide whether a finding belongs in urgent remediation, monitored acceptance, or closure.
Why This Matters for Security Teams
Runtime data changes vulnerability management from a static exposure review into a risk decision. A package can look dangerous on paper but never load, never execute the vulnerable function, and never touch sensitive paths. Security teams that ignore execution evidence usually waste effort on dormant findings while active abuse is missed. This is especially true in software supply chains and credential-driven systems, where attacker speed can be measured in minutes, as seen in the LLMjacking research from NHI Management Group. Guidance from the NIST Cybersecurity Framework 2.0 supports this shift by tying prioritisation to impact and risk context, not just inventory presence. The practical question is no longer “is it vulnerable?” but “is it reachable, executed, and observable in production?” In practice, many security teams encounter the real risk only after an exploit path has already been exercised in production, rather than through intentional review.How It Works in Practice
The most effective workflow combines vulnerability intelligence with runtime telemetry so teams can separate theoretical exposure from active exploitability. That means correlating package and image scans with signals such as process execution, library load state, network reachability, file access, function calls, and abnormal control flow. If a vulnerable component exists only in a dependency tree and never loads, it may justify monitored acceptance. If the same component is loaded inside a live service path, it moves into urgent remediation. A practical triage model usually looks like this:- Confirm whether the vulnerable code path is actually loaded at runtime.
- Check whether the affected function or endpoint is reachable from an external or internal trust boundary.
- Look for execution evidence, such as stack traces, unexpected child processes, or anomalous API sequences.
- Weight the finding by asset criticality, privilege level, and blast radius.
- Use runtime context to suppress noise from dormant libraries, test code, and unused transitive dependencies.
Common Variations and Edge Cases
Tighter runtime-based triage often increases instrumentation overhead, requiring organisations to balance better precision against collection cost and operational complexity. That tradeoff becomes sharper in environments with heavy autoscaling, ephemeral containers, or mixed managed and self-hosted services, where telemetry may be incomplete or delayed. Current guidance suggests treating missing runtime data as an uncertainty signal, not proof of safety. There is also no universal standard for how much runtime evidence is “enough” to downgrade a vulnerability. Some teams require direct function execution, while others accept load-state plus network reachability for low-complexity flaws. The right threshold depends on exploitability, privilege level, and whether the vulnerable component can be invoked through indirect chains such as plugins, schedulers, or message queues. This is where the Ultimate Guide to NHIs — Key Research and Survey Results is useful for understanding how runtime identity and access patterns shape exposure in modern systems. For teams handling secrets-heavy workloads, the State of Secrets in AppSec findings reinforce that remediation should focus on what is both present and actively used, not merely stored. In practice, the hardest edge case is a dormant vulnerability inside a component that becomes reachable only during rare failure handling, because that is where exploit paths often hide.Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.RA-5 | Runtime evidence improves risk assessment beyond static vulnerability presence. |
| OWASP Non-Human Identity Top 10 | NHI-04 | Execution context helps distinguish active NHI abuse from dormant exposure. |
| NIST AI RMF | AI risk decisions should account for observed behaviour and operational context. |
Use live telemetry to rank findings by actual exposure and exploitability before assigning remediation priority.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org