Prioritise based on where the risk appears first. If the main issue is insecure logic and code quality, start with static testing. If the main concern is deployed behaviour, APIs, or authentication flow, runtime testing deserves earlier attention. Mature programmes eventually need both to avoid false confidence.
Why This Matters for Security Teams
Static testing and runtime testing answer different questions, so the right first move depends on where exposure is most likely to appear. Static testing is best at finding insecure patterns before deployment, while runtime testing exposes how identity, APIs, secrets, and controls behave under real conditions. For NHI-heavy environments, that distinction matters because weakness often sits in service accounts, tokens, and automation paths rather than obvious application code. NHI Mgmt Group research shows that 96% of organisations store secrets outside secrets managers in vulnerable locations, which means code-level review alone is rarely enough to prove safety. See the Ultimate Guide to NHIs and the NIST Cybersecurity Framework 2.0 for the broader governance context.
Security teams often get misled by passing static scans because they focus on source code quality while missing live privilege paths, broken authentication flows, or secrets reused across pipelines. Runtime testing can catch those failures, but it will not replace secure design. Current guidance suggests treating the first test as a risk placement decision, not a blanket rule. In practice, many security teams encounter identity abuse only after a workflow has already reached production, rather than through intentional design review.
How It Works in Practice
A practical sequence starts with the control surface that is easiest to observe. If the system is still being built, static testing should look for hard-coded credentials, unsafe handling of service tokens, weak RBAC mappings, and code paths that can expand NHI privilege. If the system is already deployed, runtime testing should validate authentication, authorisation, token scope, session expiry, and error handling under real requests. The goal is not to choose one forever, but to place the first investment where the failure mode is most likely to surface.
For teams governing NHIs, the most useful approach is to combine static findings with live evidence from access logs, secret usage, and privileged action traces. The Ultimate Guide to NHIs is a useful reference for how excessive privilege, rotation gaps, and poor visibility create hidden risk, while the NIST Cybersecurity Framework 2.0 helps teams connect detection, protection, and recovery instead of treating testing as a one-time gate. A mature workflow usually includes:
- Static review for secrets in code, misconfigured policy files, and overbroad permissions.
- Runtime testing for API authorisation, token scope, mTLS or workload identity enforcement, and revocation behaviour.
- Correlation of findings with actual NHI inventories so that tests map to real service accounts, agents, and automation jobs.
- Re-testing after secret rotation, policy changes, or pipeline updates, since those changes often alter live behaviour more than source code.
Runtime testing becomes especially important where short-lived credentials, JIT access, or delegated automation create behaviour that static analysis cannot predict. These controls tend to break down when credentials are injected dynamically by CI/CD, Kubernetes, or external identity brokers because the live trust chain is not fully visible in source code.
Common Variations and Edge Cases
Tighter runtime testing often increases operational overhead, requiring organisations to balance confidence against release speed. That tradeoff is real, especially when teams rely on ephemeral environments, third-party APIs, or production-like test data. In those cases, current guidance suggests prioritising static testing earlier in the pipeline, then reserving runtime testing for the highest-risk journeys, such as authentication, secret retrieval, and privileged API calls.
There is no universal standard for this yet because different environments fail in different ways. Infrastructure-as-code heavy platforms often benefit from static policy analysis first, while SaaS integrations and agent-driven workflows need runtime checks sooner because actual behaviour depends on external systems. The same is true when a system uses RBAC on paper but enforces access through context, delegation, or token exchange in practice. In that situation, static review can confirm intent, but only runtime validation can prove that the policy is actually enforced. For broader governance framing, NHI Mgmt Group research in the Ultimate Guide to NHIs highlights how hidden secrets and weak rotation amplify risk even when code appears clean.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Static review is the first chance to find unsafe NHI design and credential handling. |
| NIST CSF 2.0 | DE.CM-8 | Runtime testing supports continuous monitoring of identity and access behaviour. |
| NIST Zero Trust (SP 800-207) | AC-4 | Authorisation must be enforced at request time, not assumed from code review alone. |
Scan code and configs for hard-coded secrets, excessive privilege, and insecure NHI patterns before release.
Related resources from NHI Mgmt Group
- When should organisations prioritise Zero Standing Privilege for non-human identities?
- What is the difference between code scanning and runtime identity monitoring?
- Should organisations prioritise external exposure or internal credential governance first?
- How can organisations reduce secret leakage in ServiceNow at scale?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 3, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
