Subscribe to the Non-Human & AI Identity Journal
Threats, Abuse & Incident Response

CVE exception

← Back to Glossary
By NHI Mgmt Group Updated July 14, 2026 Domain: Threats, Abuse & Incident Response

A CVE exception is a deliberate decision to leave a known vulnerability unpatched for a stated reason. It should include the affected asset, the compensating control, an owner, and a review date, otherwise it becomes unmanaged exposure rather than accepted risk.

Expanded Definition

A CVE exception is a formal, time-bounded decision to defer patching a known vulnerability because the operational cost or outage risk of immediate remediation is higher than the current risk of leaving it exposed. In NHI security, the exception must be tied to the exact asset, the vulnerable package or service, the compensating control, the approving owner, and the review date. Without those elements, the decision is not a risk acceptance record but an unmanaged gap.

Definitions vary across vendors on whether a CVE exception must include explicit business justification, but the governance standard is consistent: the exception should be auditable, reversible, and narrow in scope. It is also distinct from compensating control design, which reduces risk; the exception is the decision to rely on those controls instead of immediate patching. Guidance from CISA's Known Exploited Vulnerabilities Catalog reinforces that known exploited issues require active tracking, not passive waiver.

The most common misapplication is treating a one-time patch delay as a standing exemption, which occurs when teams fail to bind the decision to a review date and asset owner.

Examples and Use Cases

Implementing CVE exceptions rigorously often introduces administrative overhead, requiring organisations to balance uptime and change-control stability against the cost of maintaining a disciplined review process.

  • A production API gateway cannot be patched during peak season, so security approves a 14-day exception while enforcing WAF rules, restricted network paths, and heightened monitoring. The exception is logged with a rollback plan and a named owner.
  • A legacy build agent depends on an old library with a known CVE, but replacing it would break release pipelines. The team grants a temporary exception after confirming that the agent has no internet egress and only signs artifacts for internal use.
  • An externally facing service account is affected by a vulnerable runtime. The organisation uses a compensating control pattern documented in the Ultimate Guide to NHIs, then tracks remediation alongside the hard-coded key exposure cases discussed in Gladinet Hard-Coded Keys RCE Exploitation.
  • A third-party integration uses a vulnerable connector, and the business issues an exception only after confirming that token scope is minimal and renewal is monitored. This approach aligns with the operational lessons reflected in the 52 NHI Breaches Analysis.

Why It Matters in NHI Security

CVE exceptions matter because NHIs often run continuously, hold broad privileges, and are embedded in automation where patch delays can quietly expand attack paths. NHIMG research shows that 91.6% of secrets remain valid five days after notification, which means remediation is frequently slower than the threat window. When exceptions are poorly governed, they become a hiding place for exposed service accounts, API keys, and CI/CD-linked components that attackers routinely target.

This is especially important in agentic environments, where a vulnerable dependency may sit behind automated execution authority and tool access. The operational lesson from Anthropic's first AI-orchestrated cyber espionage campaign report is that automation compresses attacker dwell time and makes weak exception handling more consequential. Organisations typically encounter the true cost of a CVE exception only after a service account is abused or an incident review reveals that the “temporary” waiver survived multiple release cycles, at which point the exception becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-02Known vulnerable NHIs and secrets need strict exception tracking and remediation discipline.
NIST CSF 2.0PR.IP-12Change and patch management must control exceptions to preserve operational resilience.
NIST Zero Trust (SP 800-207)SC-7Zero Trust assumes compromised components can persist, so exceptions need strong isolation.
NIST AI RMFGV.2AI risk governance calls for accountable decisions on deferred remediation and residual risk.
CSA MAESTROTR-4Agentic systems need controlled trust boundaries when vulnerable components cannot be patched immediately.

Register each CVE exception with owner, scope, compensating controls, and a mandatory expiry review.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org