Subscribe to the Non-Human & AI Identity Journal

What should organisations measure to know if microsegmentation is working?

Measure reachable asset count, critical-path exposure, and the time it takes to contain a suspicious connection. Those signals show whether the environment is actually harder to traverse, which is the point of breach readiness. If attackers can still move from low-value zones to crown jewels with little resistance, the control is not yet doing enough.

Why This Matters for Security Teams

microsegmentation is only useful if it measurably reduces lateral movement, shrinks blast radius, and forces attackers to hit controls instead of open pathways. Security teams often overfocus on policy counts or the number of zones created, but those are configuration outputs, not proof of protection. The real question is whether the environment has become harder to traverse in a way that changes attacker options and incident response outcomes. NIST frames this as a core resilience and protective-services issue in the NIST Cybersecurity Framework 2.0.

For identity-heavy environments, the same logic applies to Non-Human Identities. NHIMG’s Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges, which makes segmentation and privilege containment inseparable. If service accounts, API keys, and workloads can still reach sensitive systems broadly, segmentation is not enforcing meaningful trust boundaries. In practice, many security teams discover this only after an internal foothold or compromised credential has already been used to move laterally, rather than through intentional validation of containment.

How It Works in Practice

To know whether microsegmentation is working, measure the security effect, not the policy intent. Start with reachable asset count from a given foothold and compare it before and after segmentation changes. Then map critical-path exposure, which shows whether low-trust systems can still reach high-value services, data stores, or control planes. Finally, measure containment time for a suspicious connection: how quickly monitoring, policy enforcement, or response actions stop the session once it is detected.

These measurements are most useful when they are tied to realistic attack paths. A segment boundary may look strong on paper, but if a stolen credential, compromised workload, or exposed automation token can still authenticate across trust zones, the control has not materially reduced risk. That is why microsegmentation should be validated alongside identity and access telemetry, not in isolation. For NHI-heavy estates, the control surface includes service accounts, secrets, and API-driven workloads, all of which are covered in NHIMG’s Ultimate Guide to NHIs.

  • Count the number of systems reachable from a compromised endpoint, workload, or account.
  • Track whether crown jewel services remain directly reachable from lower-trust zones.
  • Measure how many policy hops an attacker would need to cross a boundary.
  • Record mean time to block or isolate suspicious east-west traffic.
  • Validate that alerting, policy enforcement, and response actions line up.

Current guidance suggests the strongest evidence comes from testing with realistic paths, not static diagrams or compliance inventories. Microsegmentation metrics become meaningful when paired with attack simulations, so the team can see whether allowed flows still support abuse cases that matter. These controls tend to break down when legacy applications depend on broad east-west trust, because exceptions quietly recreate the flat network segmentation is meant to remove.

Common Variations and Edge Cases

Tighter segmentation often increases operational overhead, requiring organisations to balance stronger containment against application complexity and response speed. That tradeoff is especially visible in hybrid cloud, Kubernetes, and SaaS-integrated environments, where service discovery and short-lived connections can make allowlisting difficult. Best practice is evolving here, and there is no universal standard for how many exceptions is too many; the better test is whether exceptions preserve measurable reductions in reachable assets and critical-path exposure.

Microsegmentation can also look successful while leaving identity paths wide open. If an attacker can pivot using a valid token, workload identity, or service account, network restrictions alone may not meaningfully constrain movement. This is where NHI governance matters. NHIMG data shows that only 5.7% of organisations have full visibility into their service accounts, so many teams cannot accurately see which non-human identities are still able to cross segmentation boundaries. That gap can hide the very movement the control is supposed to stop.

For regulated environments, align the metric set to operational resilience and access control outcomes rather than just topology changes. The practical question is not whether every flow is blocked, but whether the remaining flows are justified, monitored, and rapidly containable. If the environment still allows a low-value compromise to reach secrets stores, identity providers, or production control planes with limited resistance, the segmentation model needs redesign, not minor tuning.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-4 Segmentation must limit authorized access paths and reduce lateral reach.
NIST Zero Trust (SP 800-207) SC-7 Microsegmentation implements network boundary control for zero trust segmentation.
OWASP Non-Human Identity Top 10 Non-human identity reachability is a common bypass path in segmented environments.

Review reachable paths and remove any access that is not needed for operations.