Container drift is the gap between the workload state that was approved and the state that actually runs. In practice, drift can include unexpected binaries, altered startup behaviour, or hidden execution paths, and it matters because build-time trust does not guarantee runtime trust.
Expanded Definition
Container drift describes the divergence between the container image or workload configuration that was approved during build, review, or admission, and the version that actually executes in production. In NHI and agentic AI environments, that gap can appear through altered startup commands, injected sidecars, modified environment variables, extra binaries, or runtime filesystem changes that were never part of the trusted baseline.
This matters because container assurances are often treated as durable once an image is scanned or signed, yet runtime state can still be changed by orchestration mistakes, mutable tags, compromised delivery paths, or post-deployment tampering. In practice, drift is easier to detect when teams compare declared state against observed state using policy and telemetry, a model that aligns well with the NIST Cybersecurity Framework 2.0 focus on continuous governance.
Definitions vary across vendors when they stretch the term to include every configuration difference, but NHI Management Group uses it specifically for unexpected runtime deviation from the approved workload state. The most common misapplication is assuming that a clean image scan means the running container is still trustworthy, which occurs when runtime mutation is not continuously checked.
Examples and Use Cases
Implementing drift controls rigorously often introduces operational friction, because teams must balance fast deployment pipelines against tighter runtime verification and change detection.
- A service account container is approved with one entrypoint, but a later deployment injects a wrapper script that quietly forwards tokens to another process.
- An AI agent container is built from a known image, then a mutable tag is repointed and the running pod pulls a newer layer with different tool access.
- A sidecar added for observability changes outbound network behaviour, creating an execution path that was never reviewed during admission.
- Secrets or API keys are mounted differently at runtime than in the original manifest, which can alter how an agent reaches tools or data stores.
- Investigators compare baseline manifests to observed runtime state after a compromise, using evidence from incidents such as the Salesloft OAuth token breach to understand how authorised paths were abused after trust assumptions changed.
For workload integrity modelling, teams often pair admission control with supply-chain verification guidance from the NIST Cybersecurity Framework 2.0 and runtime checks that flag deviations from the intended container spec. In investigations involving models or agentic systems, runtime drift can also be read alongside the DeepSeek breach as a reminder that exposed content and altered execution paths often coexist.
Why It Matters in NHI Security
Container drift is especially dangerous for NHI because non-human credentials, tool permissions, and workflow logic are often embedded in the workload itself. If the runtime state changes without review, an attacker may inherit the same execution authority that was intended for the legitimate service. That turns a deployment issue into an identity and access problem, with compromised containers potentially exfiltrating secrets, calling internal APIs, or impersonating trusted automation.
NHIMG research on the LLMjacking: How Attackers Hijack AI Using Compromised NHIs article shows that when credentials are exposed publicly, attackers can attempt access within 17 minutes on average, which means drift that exposes new paths can become dangerous almost immediately. The State of Secrets in AppSec research also shows the average time to remediate a leaked secret is 27 days, creating a long window in which drift-related exposure can persist unnoticed. Organisations typically encounter the consequences only after an unexpected process, token theft, or lateral movement event, at which point container drift becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Runtime drift often signals unexpected changes to NHI-bound workload behaviour. |
| NIST CSF 2.0 | DE.CM-8 | Continuous monitoring is needed to detect unauthorized changes in workload state. |
| NIST Zero Trust (SP 800-207) | SC.L2-3 | Zero trust depends on verifying the workload state before trusting its actions. |
Continuously compare running containers to approved baselines and alert on unauthorized runtime deviation.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
