By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: IllumioPublished October 2, 2025

TL;DR: 80% of organisations monitor hybrid communications and 77% monitor east-west traffic, yet almost 40% of that traffic still lacks enough context to be useful, according to Illumio’s 2025 Global Cloud Detection and Response Report. That makes visibility a weak control unless teams can explain why connections exist, not just that they exist; the real governance issue is context, because detection without decision quality still leaves lateral movement and alert fatigue intact.


At a glance

What this is: The report argues that cloud-security teams have visibility, but not enough context to turn network telemetry into actionable understanding.

Why it matters: For IAM, NHI, and security teams, the lesson is that access and connection data must be interpretable if they are going to support containment, privilege decisions, and trustworthy response.

By the numbers:

👉 Read Illumio’s analysis of the 2025 Global Cloud Detection and Response Report


Context

Cloud detection programs often fail at the interpretation layer, not the collection layer. Teams can see traffic, alerts, and control-plane activity, but still struggle to decide whether a connection is expected, risky, or malicious. That matters for identity and access governance as much as it does for network defence, because the same lack of context that hides lateral movement also obscures whether human or non-human identities are acting within their intended scope.

Illumio’s report uses the human cost of detection work to show why this gap persists. Analysts are buried in noisy telemetry, SOC teams lose confidence in triage, and leaders struggle to turn monitoring into containment. In this case, the starting position is typical of many hybrid environments: visibility has improved, but decision quality has not kept pace.


Key questions

Q: What fails when cloud visibility has no context?

A: Without context, visibility produces telemetry but not decisions. Teams can see connections, alerts, and traffic volumes, yet still cannot determine whether a flow is necessary, risky, or malicious. That makes containment slower, increases alert fatigue, and lets lateral movement blend into routine operations. Context must be tied to owners, dependencies, and expected behaviour to be useful.

Q: Why do hybrid environments make lateral movement harder to detect?

A: Hybrid environments create complex east-west traffic patterns, shared services, and automation flows that can look normal even when an attacker is moving laterally. If the team lacks a baseline for expected internal communications, abnormal activity is easy to miss or misclassify. That is why detection quality depends on environment-specific dependency mapping, not raw traffic volume.

Q: How do teams know if cloud threat detection is actually working?

A: The strongest signal is whether security teams can validate an alert with evidence captured during execution, not after the fact. If investigations routinely end in partial logs, missing traces, or unresolved assumptions, the programme has visibility gaps that runtime monitoring should be closing.

Q: Who is accountable when telemetry shows suspicious internal movement?

A: Accountability should sit with the teams that own the systems, service accounts, and dependencies involved, not only with the SOC. Detection teams can surface the event, but application and platform owners must define what is normal and what should be blocked. Governance works when ownership, escalation, and containment authority are explicit before an incident occurs.


Technical breakdown

Why cloud visibility still fails without context

Visibility means data is being collected. Context means the data can be interpreted against a baseline, ownership model, and business purpose. In hybrid cloud environments, that distinction is critical because east-west traffic often looks legitimate at packet level even when it is operationally unnecessary or risky. Without context, a security team cannot reliably rank connections by exposure or decide whether a path supports business function or attacker movement. This is why monitoring alone does not close the gap. Practical implication: build baselines that map communications to applications, identities, and expected dependencies.

Practical implication: build baselines that map communications to applications, identities, and expected dependencies.

How lateral movement hides inside normal network patterns

Lateral movement succeeds when defenders cannot tell the difference between legitimate internal traffic and an attacker moving laterally after initial access. The challenge is not simply volume, but ambiguity. If teams do not know what “normal” looks like in their own environment, every connection becomes a research project and real attacker activity blends into routine service communication. That is especially relevant where service accounts, workload identities, and automation traffic create dense east-west relationships that are hard to classify by hand. Practical implication: maintain environment-specific allowlists and dependency maps that separate expected flows from high-risk paths.

Practical implication: maintain environment-specific allowlists and dependency maps that separate expected flows from high-risk paths.

AI security graph analytics and the context problem

AI-assisted analytics can help bridge the gap between raw telemetry and actionable meaning by correlating connections, baselines, and deviations. Used well, this is not about replacing analysts. It is about reducing false investigation paths and surfacing the small number of events that merit containment. The underlying problem is governance as much as technology: organisations need a control model that turns observations into decisions fast enough to matter. Practical implication: use graph-based analytics to prioritise response, but tie the output to clear containment criteria and ownership rules.

Practical implication: use graph-based analytics to prioritise response, but tie the output to clear containment criteria and ownership rules.


Threat narrative

Attacker objective: The attacker aims to move laterally inside the environment while remaining indistinguishable from normal service traffic long enough to expand access and increase impact.

  1. Entry occurs when an attacker gains a foothold in a hybrid environment and begins using internal communications to blend in with ordinary traffic.
  2. Escalation follows when the attacker exploits weak context and unclear baselines to move laterally across systems without standing out as anomalous.
  3. Impact occurs when the defender cannot distinguish legitimate from malicious movement quickly enough, allowing the intrusion to expand before containment.

NHI Mgmt Group analysis

Visibility without interpretive context is a governance failure, not a tooling win. The report’s central lesson is that collecting hybrid traffic data is no longer the hard part. The hard part is deciding what the data means for risk, ownership, and containment. That maps directly to identity programmes, where access telemetry is only useful when it can be tied to a human, workload, or service purpose. Practitioners should treat context as a control objective, not an optional enhancement.

Cloud detection is now inseparable from identity governance because machine traffic is identity-bearing traffic. In hybrid estates, workload identities, service accounts, and automation flows create the same accountability problem that human identity programmes faced earlier: who or what is allowed to talk to whom, under what conditions, and why. If those answers are unclear, lateral movement becomes easier to hide and harder to contain. Practitioners should align cloud detection with identity ownership and dependency mapping.

Detection fatigue is a symptom of unresolved security design debt. When analysts face thousands of alerts and still cannot validate whether a connection is necessary, the issue is not analyst effort. It is the absence of a usable baseline. That is a classic control gap in cloud and NHI-adjacent environments, where access patterns change faster than manual review can follow. Practitioners should prioritise controls that reduce ambiguity before they add more alerting.

Security graphs are becoming the practical bridge between monitoring and response. The report points toward a model where security teams use relationship data to explain behaviour, not just record it. That matters across NIST-CSF, NIST-800-53, and Zero Trust programmes because the effective control is no longer simple observation. It is the ability to make a defensible decision quickly enough to stop spread. Practitioners should evaluate whether their current telemetry can support that decision path.

Named concept: context debt. The article describes a situation where organisations have accumulated more observation than interpretation. Context debt means the environment generates enough data to satisfy monitoring requirements, but not enough meaning to drive action. For practitioners, this is the difference between compliance visibility and operational understanding, and it should be treated as a remediation priority rather than an analyst training issue.

What this signals

Context debt is the operational risk signal here. When organisations can monitor most of their traffic but still cannot interpret enough of it to act, the programme has outgrown manual triage and needs a decision model that links telemetry to ownership, dependency, and containment.

For practitioners, the priority is not more alerts but better decisions. That means using dependency graphs, identity-aware telemetry, and containment logic together, then measuring whether analysts can classify internal traffic fast enough to stop spread before it becomes a response exercise.

Where identity is involved, the lesson extends beyond human access. Workload identities and service accounts create hidden internal paths that can either be normal business dependencies or attacker movement channels, so teams need The 52 NHI breaches Report and cloud telemetry tuned to the same governance standard.


For practitioners

  • Define connection baselines for hybrid traffic Map expected east-west flows by application, workload, and business function so analysts can tell whether a connection is necessary or suspicious before escalation begins.
  • Link telemetry to identity ownership Bind service accounts, workload identities, and automation paths to accountable owners so every internal communication has a clear business and security context.
  • Use containment triggers for high-risk lateral paths Predefine which internal routes justify quarantine, segmentation, or step-up review when a deviation appears, and test those triggers regularly.
  • Reduce alert load with prioritised graph analytics Feed relationships and dependency data into triage workflows so analysts see the few connections most likely to represent abuse instead of chasing every alert equally.

Key takeaways

  • The report’s core finding is that many organisations can observe hybrid traffic but still cannot interpret it well enough to make fast security decisions.
  • That gap matters because lateral movement, alert fatigue, and containment failure all get worse when network activity lacks business and identity context.
  • Practitioners should treat context as a control objective, then tie telemetry, ownership, and containment into one operational decision path.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0DE.CM-1Continuous monitoring of hybrid traffic is central to the article’s detection gap.
NIST SP 800-53 Rev 5SI-4The article focuses on monitoring, detection, and response quality in cloud environments.
NIST Zero Trust (SP 800-207)The article aligns with zero trust concepts of continuous verification and reduced implicit trust.
MITRE ATT&CKTA0008 , Lateral Movement; TA0011 , Command and ControlThe article centres on lateral movement hidden inside hybrid traffic patterns.
CIS Controls v8CIS-8 , Audit Log ManagementThe article depends on effective telemetry and triage from cloud communications data.

Map internal traffic baselines to lateral movement tactics and tune detections around suspicious deviation.


Key terms

  • Context debt: A governance condition where security tools hold partial or stale information about data, identity, or workflow state, so decisions are made with incomplete context. The result is noisy enforcement, missed risk, and controls that cannot keep pace with distributed cloud and AI use.
  • Lateral Movement: Lateral movement is attacker activity inside an environment after initial access, where the goal is to reach other systems, accounts, or data. It often succeeds when internal traffic looks normal enough to evade detection, especially in hybrid networks with many legitimate east-west connections.
  • Security Graph: A security graph is a relationship model that links systems, identities, applications, and communication paths so teams can see how assets depend on one another. In practice, it helps turn raw telemetry into context by showing what should exist, what has changed, and what deserves immediate attention.

What's in the full article

Illumio's full blog covers the operational detail this post intentionally leaves for the source:

  • The report’s survey framing and respondent context, useful if you need to assess how representative the findings are.
  • The human-factor commentary from Illumio’s interview with Raghu Nandakumara, including how teams experience alert fatigue and response friction.
  • Illustrative examples of AI-assisted prioritisation and breach containment workflows that go beyond the high-level governance view.
  • The vendor’s explanation of how its security graph and one-click containment are positioned to reduce noise and speed decisions.

👉 Illumio’s full post adds the human-side commentary, survey framing, and containment context behind the findings.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and workload identity in a way that complements cloud and identity programmes. It helps practitioners connect machine identity controls to broader security operations and governance responsibilities.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org