Microsegmentation

A network control approach that divides environments into small security zones with explicit rules between them. Its purpose is to limit lateral movement and reduce blast radius when an identity, workload, or device is compromised.

Expanded Definition

Microsegmentation is a control plane for limiting east-west traffic by enforcing explicit policy between narrowly defined security zones. In NHI security, those zones may be tied to workloads, service accounts, APIs, containers, or agent runtimes rather than only to hosts or subnets. The goal is not just to separate systems, but to ensure every connection is intentional, authenticated, and policy-checked before it is allowed.

Definitions vary across vendors, especially when microsegmentation is blended with zero trust, identity-based access, or network access control. NHI Management Group treats the term as a practical enforcement layer that supports NIST Cybersecurity Framework 2.0 outcomes by shrinking blast radius and constraining lateral movement. In modern environments, microsegmentation is often paired with workload identity, policy-as-code, and service-to-service authorization so that a compromised credential does not automatically inherit broad network reach. The most common misapplication is treating VLANs, perimeter firewalls, or cloud security groups as if they were microsegmentation, which occurs when coarse network boundaries are mistaken for granular identity-aware enforcement.

Examples and Use Cases

Implementing microsegmentation rigorously often introduces policy complexity and operational overhead, requiring organisations to weigh reduced blast radius against the cost of designing, testing, and maintaining precise rules.

  • A production payment service can only call its tokenization service on approved ports, while all other east-west paths are denied by default.
  • A CI/CD runner is restricted to the exact artifact repository and secret manager it needs, reducing exposure if the runner is compromised.
  • A privileged service account used by an internal agent can reach only the API endpoints required for its workflow, not the broader cluster network.
  • Microsegments can be created around sensitive data stores so that backup jobs, analytics jobs, and admin tooling each receive different access paths.
  • Teams validating control design can map segmentation assumptions to the governance and lifecycle concerns described in the Ultimate Guide to NHIs and then verify how policy aligns with the NIST Cybersecurity Framework 2.0.
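The first three use cases above can be modelled as a deny-by-default policy keyed on workload identity and port, and the blast-radius claim can be checked by computing which workloads a compromised NHI could still pivot to. The following is an added illustration, not code from NHI Management Group; the workload names, ports, and rule sets are constructed for the example.

```python
"""Deny-by-default segmentation policy model with blast-radius analysis."""
from collections import deque
from dataclasses import dataclass

# Constructed inventory: workload identity -> port it listens on (None = no listener).
WORKLOADS = {
    "payments": 8443, "tokenizer": 8443, "ci-runner": None,
    "artifact-repo": 443, "secret-mgr": 8200, "customer-db": 5432,
    "backup-job": None, "analytics": None,
}

@dataclass(frozen=True)
class Rule:
    src: str    # workload identity, or "*" for any
    dst: str    # workload identity, or "*" for any
    port: int   # 0 = any port

def allowed(rules, src, dst, port):
    """Deny by default: a flow passes only if an explicit rule matches it."""
    return any(r.src in ("*", src) and r.dst in ("*", dst) and r.port in (0, port)
               for r in rules)

def blast_radius(rules, compromised):
    """All workloads reachable by pivoting hop-by-hop from a compromised identity."""
    seen, queue = {compromised}, deque([compromised])
    while queue:
        cur = queue.popleft()
        for dst, port in WORKLOADS.items():
            if dst not in seen and port and allowed(rules, cur, dst, port):
                seen.add(dst)
                queue.append(dst)
    return sorted(seen)

# Coarse control (the misapplication the page warns about): one security group
# lets every production workload talk to every other on any port.
COARSE = [Rule("*", "*", 0)]

# Microsegmentation: each NHI gets only the paths its workflow needs.
MICRO = [
    Rule("payments", "tokenizer", 8443),
    Rule("ci-runner", "artifact-repo", 443),
    Rule("ci-runner", "secret-mgr", 8200),
    Rule("backup-job", "customer-db", 5432),
    Rule("analytics", "customer-db", 5432),
]

if __name__ == "__main__":
    for name, rules in (("coarse", COARSE), ("micro", MICRO)):
        print(name, "policy: compromised ci-runner reaches", blast_radius(rules, "ci-runner"))
```

Running the script shows the compromised CI runner reaching every listening workload under the coarse rule set, but only its artifact repository and secret manager under the microsegmented one.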

When implemented well, microsegmentation becomes most valuable in environments where NHIs are numerous, dynamic, and highly privileged. NHI Management Group notes that NHIs outnumber human identities by 25x to 50x in modern enterprises, and 97% of NHIs carry excessive privileges, which means segmentation often serves as the last practical constraint when identity sprawl has already grown faster than governance. The same guide shows that only 5.7% of organisations have full visibility into their service accounts, making traffic policy a compensating control when identity inventory is incomplete.

Why It Matters in NHI Security

Microsegmentation matters because compromised NHIs rarely fail in isolation. A leaked API key, overprivileged service account, or hijacked agent can move laterally unless the environment enforces narrow communication paths. That is why segmentation is commonly used alongside least privilege, secret rotation, and workload identity, rather than as a stand-alone defense. It supports containment after a breach, but it also exposes design weaknesses when teams discover that critical services rely on broad trust between zones.

Operationally, the control is most important in cloud-native and agentic environments where identities are ephemeral and connections are machine-speed. NHI Management Group reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation. Microsegmentation helps convert that principle into enforcement by preventing a single compromised identity from becoming a platform-wide incident. Organisations typically encounter the cost of weak segmentation only after an incident spreads beyond the original entry point, at which point implementing microsegmentation becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-08              | Microsegmentation limits lateral movement from compromised NHIs and service accounts.
NIST CSF 2.0                     | PR.AC-4             | Least-privilege access enforcement depends on restricting machine-to-machine reach.
NIST Zero Trust (SP 800-207)     | SC-7                | Zero Trust requires policy enforcement at network boundaries for each transaction.

Apply segmentation as a transaction-level control that verifies and constrains every path.