Subscribe to the Non-Human & AI Identity Journal

What breaks when IoT devices rely on VLANs for security?

VLANs break down because they group devices by location rather than by trust, and they usually allow broad east-west communication inside the same segment. If one camera is compromised, the attacker can often scan and pivot to every other device in that zone. That makes VLANs useful for organisation, but weak for containment.

Why This Matters for Security Teams

VLANs are often treated as a containment control, but they are primarily a network segmentation tool, not an identity boundary. That distinction matters because IoT devices rarely behave like fixed, predictable endpoints. Cameras, printers, badge readers, and building sensors often share firmware patterns, default services, and vendor dependencies that make lateral movement easy once one device is exposed. NHI Management Group’s research shows why this is dangerous in practice: 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and broad trust zones amplify that same failure mode in device fleets. See Ultimate Guide to NHIs for the governance gap behind these exposures, and pair that with the NIST Cybersecurity Framework 2.0 to anchor segmentation in risk management rather than convenience. In practice, many security teams discover VLAN weakness only after one compromised device is used to enumerate everything else in the same broadcast domain.

How It Works in Practice

A VLAN can reduce accidental traffic and create administrative order, but it does not prove device identity, restrict tool use, or stop a trusted endpoint from abusing allowed east-west access. If the device can talk to peers, the attacker can usually talk too once the device is compromised. That is why modern IoT containment needs identity-aware controls layered above the network.

Effective practice usually combines:

  • Device identity enrollment, so each endpoint is authenticated before it is trusted on the network.
  • Per-device or per-role policy, so a camera can reach only its recorder, broker, or management service.
  • Microsegmentation or software-defined access, so allowed traffic is explicit rather than implicit inside the VLAN.
  • Continuous monitoring for unusual east-west patterns, including scans, DNS abuse, and new peer discovery.
  • Credential and secret hygiene, because many IoT compromises become far worse when long-lived tokens or shared admin credentials are reused.

This is where NHI thinking becomes useful for IoT: each device behaves like a non-human identity that needs authentication, lifecycle control, and revocation. The same governance logic described in The State of Non-Human Identity Security applies when devices depend on shared keys or long-lived access. Current guidance also aligns with the NIST Cybersecurity Framework 2.0, which pushes teams toward stronger asset visibility and access control rather than relying on subnet boundaries alone. These controls tend to break down in flat legacy networks with shared admin credentials and unrestricted east-west service discovery because the VLAN still behaves like a permissive trust zone.

Common Variations and Edge Cases

Tighter segmentation often increases deployment and operational overhead, so organisations must balance containment against manageability and vendor compatibility. That tradeoff is especially visible in industrial IoT, building automation, and OT-adjacent environments where devices may not support modern agents, certificates, or frequent re-enrollment.

Best practice is evolving, but the common edge cases are clear:

  • Legacy devices that cannot support 802.1X or per-device certificates may need compensating controls such as strict ACLs, monitored jump hosts, and dedicated management networks.
  • Vendor cloud dependencies can bypass local VLAN assumptions if the device maintains outbound control channels or receives remote updates.
  • Shared services inside a VLAN, such as NTP, DNS, or telemetry collectors, can become high-value pivot points if they are not isolated.
  • Guest, contractor, and third-party maintenance access often introduces the biggest gap, because temporary access is rarely revoked with the same discipline as network placement.

The practical lesson is that VLANs still have value for organization and traffic reduction, but they should be treated as one control in a broader containment model. For organisations facing device compromise or supply-chain exposure, the Schneider Electric credentials breach is a useful reminder that identity and access failures often matter more than the subnet itself. The right question is not whether the device is on the correct VLAN, but whether it should be allowed to authenticate, communicate, and persist at all.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-02 IoT devices behave like NHIs and need lifecycle and access controls.
CSA MAESTRO IAM-1 MAESTRO emphasizes identity-first control patterns over network trust.
NIST AI RMF Risk-based governance applies when device behavior and exposure are dynamic.
NIST CSF 2.0 PR.AC-3 Access enforcement should limit lateral movement inside network segments.
NIST Zero Trust (SP 800-207) AC-4 Zero Trust requires explicit, context-aware access decisions for devices.

Inventory device identities and restrict each one to the minimum required access path.