By NHI Mgmt Group Editorial TeamPublished 2026-04-23Domain: Governance & RiskSource: Zero Networks

TL;DR: Enterprises are being pushed to prove cyber resilience while downtime can cost as much as $5 million per hour, according to Gartner, which makes lateral movement containment and business continuity a single governance problem rather than separate goals. Zero Trust segmentation now has to be judged on whether it narrows blast radius without creating operational dead zones.


At a glance

What this is: This is a practitioner guide on cyber resilience, zero trust segmentation, and business continuity, with the key finding that lateral movement controls must contain spread without breaking legitimate operations.

Why it matters: It matters because IAM, PAM, and NHI teams increasingly have to coordinate identity-based access decisions with network containment, so resilience programmes cannot treat availability and least privilege as separate design tracks.

By the numbers:

👉 Read Zero Networks' guide to cyber resilience, segmentation, and business continuity


Context

Cyber resilience in this context means keeping critical business functions running while limiting the spread of compromise. The article centres on a familiar identity and network governance problem: controls that are too blunt create outages, while controls that are too loose allow lateral movement to continue inside the environment.

For IAM, PAM, and NHI programmes, the practical issue is not whether access should be restricted. It is how to make access decisions that are explicit, temporary, and recoverable without forcing teams into a choice between operational friction and uncontrolled exposure.


Key questions

Q: How should security teams stop lateral movement without breaking business operations?

A: They should start with the business flows that must keep working, then segment only the communication paths those flows truly require. The goal is not to block everything. It is to make access explicit, temporary, and identity-aware so a compromise cannot spread freely while legitimate operations continue.

Q: Why do zero trust and cyber resilience need to be designed together?

A: Because resilience is no longer just about recovering after an incident. If lateral movement can traverse the environment before containment activates, the business continuity problem becomes part of the security design problem. Zero trust gives teams a way to reduce blast radius without relying on delayed detection alone.

Q: What do organisations get wrong about microsegmentation in production networks?

A: They often treat it as a pure perimeter or subnet exercise, when it actually depends on identity, application behaviour, and operational exceptions. If those dependencies are not understood first, policies become either too loose to matter or too strict to survive production traffic.

Q: Who is accountable when segmentation still allows a breach to spread?

A: Accountability sits with the teams that own identity policy, privileged access, and network containment together, because failures usually happen at the boundary between those domains. NIST SP 800-207 Zero Trust Architecture is the clearest reference point for assigning explicit verification and least-privilege responsibilities.


Technical breakdown

How microsegmentation contains lateral movement

Microsegmentation breaks a network into smaller trust zones and enforces communication rules between them. Instead of assuming that any authenticated session can reach everything, policy is applied to specific assets, ports, and identity contexts. In the article’s framing, this is what stops an attacker who has already reached one machine from moving freely to another. The technical value is not only packet filtering. It is the combination of visibility, learned traffic patterns, and policy enforcement that reduces the blast radius of a compromised endpoint without requiring a full network redesign.

Practical implication: Map high-value assets and identity paths first, then restrict east-west communication to explicit business need.

Just-in-time access at the network layer

Just-in-time access in this context means privileged communication is opened only when a verified identity, device, or session needs it, then removed after use. That changes privileged access from a standing condition into a temporary network permission. The article connects this to identity providers and conditional access, which matters because network segmentation is not just about devices. It also governs which elevated relationships are allowed to exist at the moment of access. That makes JIT a containment mechanism as much as an entitlement mechanism.

Practical implication: Use temporary elevation for rare administrative paths instead of leaving privileged network routes permanently open.

Why identity-based visibility is required for resilient containment

The article repeatedly ties resilience to understanding what is communicating, from application layer down to identity level. That is the key technical point: without identity-aware visibility, segmentation rules become either too permissive to matter or too restrictive to survive production use. The challenge is especially acute when systems appear to behave like legitimate users, because attacks increasingly begin through valid logins rather than obvious malware. Resilient containment therefore depends on observing normal traffic, identifying exceptions, and enforcing policy that reflects real operational dependencies rather than assumptions.

Practical implication: Build policies from observed identity and application relationships, then validate exceptions before enforcing them.


Threat narrative

Attacker objective: The attacker aims to turn one compromised foothold into an environment-wide incident by moving across systems before containment controls stop the spread.

  1. Entry occurs when an attacker gains access through a legitimate-looking login or compromised endpoint, rather than by immediately dropping obvious malware.
  2. Escalation happens when the attacker leverages unsegmented paths or over-permissive communication to move from one system to another.
  3. Impact follows when lateral movement reaches high-value assets, allowing broader compromise, operational disruption, or ransomware spread.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity-based resilience is now a governance problem, not just a network design problem. The article correctly shows that segmentation only works when identity, device, and communication paths are understood together. A control that ignores legitimate business dependencies will either be bypassed or rejected by operations, which is why resilience programmes need shared ownership across IAM, PAM, and network security. The practitioner implication is that blast-radius reduction must be measured as a governance outcome, not a technology purchase.

Microsegmentation exposes the identity blast radius hidden inside normal operations. Once an attacker reaches a valid session, the real question becomes how far that identity can travel before encountering a policy boundary. That makes identity blast radius a useful concept for programme design because it links privileged access, segmentation, and operational continuity into one control objective. Practitioners should treat every always-on path as a latent spread path until proven otherwise.

Zero Trust is being used here as a continuity framework, not a slogan. The article’s practical value is in showing that trust decisions must be contextual, temporary, and revocable when business needs change. That aligns with NIST SP 800-207 Zero Trust Architecture, where explicit verification and least privilege are operational requirements rather than aspirational language. The implication for teams is that resilience planning must include how access is granted, narrowed, and removed during live operations.

Standing privileged pathways are the failure mode this article makes visible. The assumption that elevated access can remain available without materially increasing risk was designed for stable, reviewable environments. That assumption fails when attackers can imitate legitimate traffic and traverse the network faster than manual response cycles can react. The implication is that resilience programmes must rethink persistent reachability as a control premise, not just a tuning issue.

For NHI governance, network segmentation is increasingly a compensating control for excess connectivity. Service accounts, workload identities, and automation often depend on broad internal reach to function, which creates hidden lateral movement potential when credentials are abused. The article’s framing suggests that NHI access scope and network path scope cannot be managed separately. Practitioners should align entitlement review with communication review so one does not silently undermine the other.

From our research:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to the Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
  • For a broader control perspective, NHI Lifecycle Management Guide shows how provisioning, rotation, and offboarding shape the same risk surface over time.

What this signals

Identity blast radius is becoming the practical metric for resilience programmes. When containment is measured only after compromise, teams discover too late that legitimate internal reach was wider than they expected. As segmentation, PAM, and NHI governance converge, the question shifts from whether access exists to how far that access can travel before it encounters a policy boundary.

With 92% of organisations exposing NHIs to third parties, according to the Ultimate Guide to NHIs, resilience planning has to account for partner-connected credentials as potential spread paths. That means identity reviews, network path reviews, and third-party access reviews need to be coordinated rather than run as separate exercises.


For practitioners

  • Inventory high-value communication paths Map the specific assets, ports, and identity relationships that support business-critical workflows, then identify which of them are unnecessarily open across the environment.
  • Convert standing admin routes into just-in-time access Replace permanently available privileged communication with temporary, verified access tied to the exact task and revoke it as soon as the session completes.
  • Enforce identity-aware segmentation policies Tie network rules to the identities and applications that actually need them, instead of relying on broad subnet trust or static allow lists.
  • Test containment against realistic spread paths Use red-team and recovery exercises to measure whether one compromised endpoint can reach domain controllers, databases, or administrative consoles before controls intervene.
  • Review NHI pathways alongside privileged network access Assess service accounts, automation, and elevated credentials together with the internal routes they can use, because overbroad connectivity can turn NHI abuse into lateral movement.

Key takeaways

  • Cyber resilience fails when security teams treat lateral movement as a network problem alone instead of an identity-and-containment problem.
  • The strongest evidence in the article is the speed of spread, which shows why reactive controls often arrive after internal movement has already begun.
  • The control that changes outcomes is not blanket blocking, but identity-aware segmentation with temporary, task-scoped access paths.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST Zero Trust (SP 800-207), NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST Zero Trust (SP 800-207)3.4Zero Trust Architecture is directly cited as the governing model for containment.
NIST CSF 2.0PR.AC-4Identity-based access restriction is the core control theme in this article.
NIST SP 800-53 Rev 5AC-6Least privilege governs who can reach high-value systems after authentication.
CIS Controls v8CIS-6 , Access Control ManagementThe article’s containment logic depends on managing and narrowing access paths.
MITRE ATT&CKTA0008 , Lateral Movement; TA0040 , ImpactThe article is fundamentally about preventing internal spread and operational disruption.

Map segmentation and JIT access to explicit verify-every-request controls and limit internal reach by policy.


Key terms

  • Microsegmentation: Microsegmentation is the practice of dividing an environment into smaller trust zones and controlling communication between them. In identity security terms, it limits how far a compromised account, workload, or device can move by making every path explicit and policy-driven.
  • Identity Blast Radius: Identity blast radius is the amount of system reach an identity has if it is compromised or misused. It is a useful governance measure because it links access scope, network paths, and privilege into one operational view of how far an attacker can move.
  • Just-In-Time Access: Just-in-time access is temporary privilege granted only when a specific task requires it. It reduces standing exposure by opening access for the shortest useful period, then removing it so the entitlement cannot be reused as a persistent movement path.
  • Cyber Resilience: Cyber resilience is the ability to keep business functions operating while preventing or containing security incidents. It is broader than recovery because it includes the design of controls that preserve continuity under attack, especially where identity and network paths intersect.

What's in the full article

Zero Networks' full post covers the operational detail this post intentionally leaves for the source:

  • The vendor’s practical segmentation workflow for mapping business traffic before enforcement.
  • Examples of how just-in-time privileged access is applied at the network layer during real operations.
  • The article’s discussion of isolating infected systems without shutting down the whole network.
  • Details on how the vendor frames frictionless rollout and continuous learning across assets and identities.

👉 The full Zero Networks post covers the network containment approach, just-in-time access model, and rollout framing in more operational detail.

Deepen your knowledge

NHI governance, machine identity security, and identity lifecycle management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or NHI programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org