TL;DR: Black Hat 2025 discussions on microsegmentation, AI in security, and defense in motion reflected a wider problem: organisations are spending more while attackers still win on speed, lateral movement, and alert overload, according to Zero Networks and cited industry data. The practical shift is from detection-first posture to containment-first governance, especially where identity-based access and segmented workloads intersect.
At a glance
What this is: This Black Hat 2025 recap argues that modern network defence must move from reactive detection toward automated containment, microsegmentation, and identity-aware controls.
Why it matters: It matters because IAM, PAM, NHI, and cloud security teams all depend on segmentation and access boundaries that stop lateral movement when credentials, workloads, or agents are compromised.
By the numbers:
- 83% of organizations currently use endpoint security while just 5% leverage microsegmentation.
- Attackers achieved a record-low breakout time of just 51 seconds in 2024.
- 194 days.
- Gartner projects that global cybersecurity spending will reach $212 billion this year.
👉 Read Zero Networks' Black Hat 2025 analysis of microsegmentation and defense in motion
Context
Microsegmentation is a control that limits how systems can talk to each other, reducing the blast radius when an attacker gets in. The Black Hat 2025 recap uses that lens to argue that many enterprises are still over-investing in detection while under-investing in containment, even as identity-driven access and hybrid traffic patterns get more complex.
For identity teams, the relevance is not just network hygiene. Identity-based access, privileged accounts, service credentials, and AI systems all depend on the same assumption that access can be scoped tightly enough to stop movement after initial compromise. That makes the article useful to IAM, PAM, NHI, and cloud security practitioners, not just network teams.
Key questions
Q: What breaks when microsegmentation is not in place in hybrid networks?
A: When microsegmentation is absent, a single foothold can often reach far more internal systems than defenders expect. That creates a lateral movement problem, especially where service accounts, admin tools, and cloud workloads share broad internal trust. The practical failure is not just exposure, but the attacker’s ability to turn one compromise into a larger operational event before containment catches up.
Q: Why does microsegmentation matter for IAM and PAM teams?
A: Microsegmentation matters because identity controls are only as strong as the paths an identity can use after authentication. IAM and PAM may limit who gets access, but segmentation limits where that access can go. That is critical for privileged accounts, service credentials, and administrative workflows that could otherwise pivot across environments.
Q: How do security teams know if segmentation is actually reducing risk?
A: Teams know segmentation is working when unnecessary workload communications disappear, exception volume falls, and policy changes are validated continuously rather than assumed. A good signal is that one compromised workload cannot reach adjacent systems without hitting an explicit control. If internal traffic remains widely open, the organisation still has a propagation problem, not a containment strategy.
Q: How should organisations combine AI-driven operations with containment controls?
A: Organisations should keep AI-assisted operations inside tighter blast-radius boundaries than manual work. AI can accelerate change, but it also accelerates mistakes if it can act across too many systems. The safest pattern is to pair automation with identity-aware segmentation so AI outputs do not become unrestricted internal movement.
Technical breakdown
Why detection-first security fails against fast lateral movement
Detection-first programmes assume defenders will see and triage malicious behaviour before attackers can meaningfully expand. That assumption breaks when breakout time is measured in seconds and breach identification takes months. Microsegmentation changes the control plane by shrinking reachable paths between workloads, so compromise of one node does not automatically create a path to the next. In practice, this makes containment an architectural control rather than a response after the fact. The article’s argument is that resilience depends less on perfect detection and more on constraining the environment so alerts have less room to turn into material impact.
Practical implication: reduce east-west reachability before you rely on deeper detection or response tuning.
How identity-based access controls support defense in motion
Defense in motion combines network controls with identity-aware policy so access can change as users, devices, or applications change. Identity-based access controls are especially important in hybrid environments because static network rules age quickly, while workload identity, user identity, and device posture can provide current context. This is where IAM and PAM intersect with segmentation: privileged access should be narrowly scoped, time-bound, and segmented so it cannot pivot across zones. The article’s core technical point is that dynamic policy beats static perimeter thinking when environments are constantly changing.
Practical implication: bind segmentation policies to identity, posture, and role context, not only IP or subnet boundaries.
Why automation matters more than manual microsegmentation policy design
Manual microsegmentation often fails because policy creation, tagging, and exception handling become too slow for real operational change. Automation helps by grouping workloads, generating deterministic rules, and keeping policy aligned with application movement and infrastructure change. That matters because the control only works if it can be maintained at machine speed. For security teams, the technical lesson is that segmentation is not just a design choice, it is an operating model. If policy drift is left to humans alone, the control becomes brittle and attackers regain movement paths.
Practical implication: automate policy generation and maintenance or the segmentation programme will decay into exceptions.
Threat narrative
Attacker objective: The attacker objective is to move from a single foothold to high-value systems with minimal resistance, then steal data or extend control before defenders can stop propagation.
- Entry occurs when attackers bypass perimeter detection or compromise a foothold in a hybrid environment, then use the reachable network paths that remain open.
- Escalation follows through lateral movement, where poorly segmented east-west traffic allows access to additional workloads, identities, or administrative surfaces.
- Impact occurs when attackers reach higher-value systems, abuse privileged access, or exfiltrate data before detection and response can contain the spread.
NHI Mgmt Group analysis
Microsegmentation has moved from a network optimisation topic to an identity governance issue. The article is really about who and what can move after compromise, which is the same governance question IAM and PAM teams already ask about standing privilege. Once workloads, service accounts, and administrative paths are all potential lateral movement channels, segmentation becomes part of access governance, not just network design. Practitioners should treat containment boundaries as identity boundaries.
Defense in motion is the right phrase for a hybrid world, but only if policy is tied to actual access context. Static rules cannot keep pace with cloud change, branch expansion, and AI-assisted operations. That is why identity-aware controls matter: they let organisations link user, workload, and device posture to permitted reach. The field should read this as validation that access policy must be continuously evaluated, not periodically assumed. Practitioners should rework policy around current context rather than inherited network structure.
AI in security only becomes tolerable when the environment already limits blast radius. The article’s AI discussion points to a broader truth: confidence in tooling is not a substitute for containment. If AI systems or automated workflows are allowed broad internal reach, their errors become operational incidents instead of contained mistakes. This is where NHI governance intersects directly with cyber resilience. Practitioners should assume AI-assisted operations need tighter segmentation than manual processes, not looser controls.
Microsegmentation is becoming a governance control because insurers, compliance teams, and boards now care about containment evidence. The article notes rising compliance and cyber insurance pressure, which turns segmentation from a technical preference into an assurance signal. That shifts the conversation from whether a team can detect compromise to whether it can prove the compromise cannot spread freely. Practitioners should expect segmentation posture to become part of broader risk reporting and control validation.
Identity segmentation is the named concept this article surfaces most clearly. It describes the practice of constraining access paths based on user, device, application, or privileged context rather than trusting broad internal network reach. That matters because hybrid environments increasingly fail at the boundary between identity and transport. Practitioners should align segmentation with identity lifecycle and privilege governance, or the control will remain incomplete.
What this signals
Identity segmentation is increasingly a resilience requirement, not just a network design choice. As attackers move faster and internal environments become more dynamic, teams need evidence that lateral movement will fail even when detection lags. That pushes microsegmentation into the same governance conversation as PAM, workload identity, and AI system access because all three shape post-authentication reach.
Static internal trust is the real control gap exposed by this article. Hybrid networks, privileged workflows, and AI-assisted operations all become harder to defend when the default assumption is that internal access is safe. For practitioners, the signal is clear: if internal paths remain broad, identity controls will not prevent a breach from spreading.
From our research: Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption, according to The State of Non-Human Identity Security. That same preparedness gap shows up in containment design, where organisations talk about automation faster than they redesign blast radius. The practical next step is to align segmentation, NHI governance, and AI access policy before autonomy expands internal reach.
For practitioners
- Map east-west exposure before tuning detection Inventory the internal pathways that allow workloads, service accounts, and admin tools to talk to each other. Prioritise the paths that would let an attacker pivot after one foothold, then segment those paths first. Use the result to target the highest-blast-radius zones before investing in deeper alerting.
- Bind segmentation policy to identity context Require user identity, workload identity, device posture, and privilege scope to inform what can communicate with what. This keeps network policy aligned with actual access decisions instead of static IP or subnet assumptions, which drift quickly in hybrid estates.
- Automate policy creation and exception handling Use deterministic rule generation and automated grouping to reduce manual policy drift. Treat exceptions as temporary and track them against application or service change windows so they do not become permanent movement paths.
- Segment privileged administration paths separately Isolate administrative sessions, service accounts, and other high-trust paths from general east-west traffic. That separation limits how far stolen credentials or compromised tools can move after initial access and reduces the chance that one breach becomes a multi-system event.
- Test containment as a resilience control Run exercises that measure how quickly an intruder can traverse the environment if detection is delayed. Use the findings to validate that segmentation, identity controls, and incident response work together under real attack timing.
Key takeaways
- This article argues that detection-first security is too slow for modern attack speeds, so containment has to become a primary control.
- The evidence points to a persistent gap between heavy security spending and the much smaller share of organisations using microsegmentation.
- For practitioners, the operational move is to combine identity-aware segmentation, privileged access controls, and automation before lateral movement becomes inevitable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0008 , Lateral Movement; TA0004 , Privilege Escalation; TA0040 , Impact | The article centres on containment against attacker movement through hybrid networks. |
| NIST CSF 2.0 | PR.AC-4 | Identity-aware access restriction aligns with least-privilege and segmented trust boundaries. |
| NIST SP 800-53 Rev 5 | AC-4 | Information flow enforcement fits microsegmentation and internal traffic control. |
| CIS Controls v8 | CIS-6 , Access Control Management | Segmentation and privileged path control support access governance in hybrid estates. |
| NIST Zero Trust (SP 800-207) | Zero Trust principles support continuous verification across dynamic environments. |
Map internal reachability gaps to lateral movement paths and segment the highest-value privileges first.
Key terms
- Microsegmentation: Microsegmentation is the practice of dividing a network or environment into small, tightly controlled zones so that systems can only communicate when policy allows it. It reduces the blast radius of compromise by limiting east-west movement between workloads, users, and administrative paths.
- Defense in Motion: Defense in motion is an operating model where network, identity, and policy controls continuously adapt as traffic, workloads, and user context change. The goal is to keep protections aligned with the current environment rather than rely on static perimeter rules that age quickly.
- East-West Traffic: East-west traffic is internal communication between systems inside an environment, such as workload-to-workload or service-to-service traffic. Attackers often exploit this traffic to move laterally after gaining a foothold, which is why limiting it is a core containment strategy.
- Identity Segmentation: Identity segmentation is the use of user, device, application, or workload identity to decide what communication paths are allowed. It connects access policy to who or what is acting, which helps limit privileged abuse and keeps internal reach aligned with actual trust context.
What's in the full article
Zero Networks' full article covers the operational detail this post intentionally leaves for the source:
- The Black Hat session context and speaker-led commentary on why detection-only defence is failing in practice.
- The specific microsegmentation and automation capabilities the vendor associates with reduced implementation complexity.
- The joint firewalls-plus-segmentation operating model described for north-south and east-west protection.
- The vendor's framing of how these controls fit compliance and cyber insurance expectations.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners connect identity boundaries to broader security controls across modern environments.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org