By NHI Mgmt Group Editorial TeamPublished 2026-04-07Domain: Cyber SecuritySource: Illumio

TL;DR: At RSAC 2026, cybersecurity keeps adding tools and activity without improving outcomes, because teams still measure progress by compliance and alert volume rather than reduced blast radius or containment, according to Illumio. The practical shift is to treat breaches as inevitable and optimise for limiting spread, not pretending prevention alone will solve the problem.


At a glance

What this is: This panel-based analysis argues that cybersecurity is underperforming because organisations measure activity, not reduced impact, and containment has become the missing control model.

Why it matters: That matters to IAM and NHI programmes because identity and access decisions determine how far an attacker can move once a foothold exists, especially where service accounts, tokens, and elevated access are in play.

By the numbers:

👉 Read Illumio's panel analysis of why cybersecurity outcomes are not improving


Context

Cybersecurity often looks busy on the surface while still failing to change breach outcomes. Tooling expands, dashboards fill, and compliance activity increases, but attackers still move through environments that were assumed to be controlled. The primary keyword here is cybersecurity outcomes, and the article is really about why those outcomes stay stubbornly flat even as spend rises.

For identity and access teams, the relevance is direct. Once an attacker lands, service accounts, API keys, tokens, and privileged access define how quickly the incident expands. That makes containment a governance issue as much as a detection issue, because access design determines blast radius long before an incident reaches the SOC.


Key questions

Q: What breaks when organisations measure security activity instead of containment outcomes?

A: When organisations measure activity instead of containment, they can look mature while leaving the same attack paths open. Dashboards, audits, and completed tasks do not show whether an attacker can still move laterally, abuse privilege, or reach critical systems. The better test is whether compromise is contained before it becomes enterprise-wide impact.

Q: Why do service accounts and privileged access matter so much to cyber resilience?

A: Service accounts and privileged access determine how far an attacker can travel after the first foothold. If those identities carry broad or standing access, a small intrusion can become a major incident quickly. Cyber resilience depends on scoping those identities tightly enough that compromise does not automatically become propagation.

Q: How do security teams know whether containment controls are actually working?

A: Containment controls are working when a compromised identity cannot reach additional systems, escalate privilege, or access sensitive data outside its intended scope. Teams should test this through simulations, access-path mapping, and identity reviews that focus on reachable impact rather than policy completion. If compromise still spreads, the control is only partial.

Q: Who is accountable when cyber incidents spread because access boundaries were too broad?

A: Accountability sits with the teams that own identity governance, privileged access, platform segmentation, and resilience design, because those choices determine how far an intrusion can spread. Frameworks such as NIST Cybersecurity Framework and NIST SP 800-53 both expect control design that limits impact, not just control presence.


Technical breakdown

Why activity-based maturity fails to reduce attack surface

Security programmes often equate more controls, more alerts, and more audit activity with better defence. In practice, that measures effort, not exposure. A mature-looking programme can still leave the same paths open for credential theft, privilege misuse, and lateral movement. The problem is not the absence of controls, but the absence of a model that ties those controls to reduced attacker reach. In identity-heavy environments, this is especially visible when standing access remains available after the control has “passed” review.

Practical implication: measure whether controls reduce reachable access, not whether teams are simply executing more security tasks.

Containment vs prevention in modern cyber resilience

Prevention assumes attacks can be blocked before material harm occurs. Containment assumes some attacks will succeed and focuses on limiting what happens next. That shift changes architecture: segmentation, identity scoping, least privilege, and policy boundaries become central because they constrain propagation after initial compromise. In NHI terms, the equivalent is reducing the duration and scope of accessible credentials so a single token or service account cannot unlock an entire environment.

Practical implication: design control paths that shrink blast radius after compromise, especially around service accounts and tokens.

Why AI increases the value of runtime control

AI lowers the cost of reconnaissance, adaptation, and persistence for attackers, which means defenders need more than static control sets. Runtime control matters because attackers can now vary tactics quickly, probe for weak identity paths, and exploit whatever access remains persistent. For identity programmes, that means account lifecycle, privilege boundaries, and just-in-time access become operational controls, not governance paperwork. If access persists, AI-assisted attackers can learn and move faster than review cycles can react.

Practical implication: pair access governance with runtime enforcement so access can be constrained at the moment of use.


Threat narrative

Attacker objective: The attacker aims to turn one successful entry point into broad operational disruption or data theft by exploiting uncontrolled access paths.

  1. Entry occurs when an attacker gains a foothold through a weak or stolen credential and starts probing the environment for reachable access paths.
  2. Escalation follows when over-privileged accounts, shared access, or weak segmentation let the attacker expand from the initial point of compromise.
  3. Impact emerges when the attacker moves laterally, disrupts multiple systems, or exfiltrates data before containment limits are enforced.

NHI Mgmt Group analysis

Cybersecurity has a containment problem, not only a detection problem. The panel’s core message is that many organisations are still optimising for visibility, activity, and audit completion while attackers continue to exploit the gap between control presence and control effect. That is why outcomes do not improve even when programmes look more mature on paper. In identity-heavy environments, the missing variable is how far an attacker can move after compromise. Practitioners should treat blast radius as the real measure of control value.

Containment is now a governance discipline for IAM, PAM, and NHI alike. Once identity, service accounts, and machine credentials become the route into production systems, security cannot separate “identity control” from “resilience control.” This is where least privilege, lifecycle enforcement, and access scoping become operational safeguards rather than policy statements. Teams that leave standing access in place are not just taking identity risk, they are preserving the attacker’s mobility. Practitioners should design for constrained failure, not perfect prevention.

AI changes the economics of attacker persistence, which makes static identity controls less defensible. When attackers can automate discovery and adapt faster, review-heavy governance models become too slow to matter unless they are paired with runtime enforcement. That does not replace governance, it makes governance incomplete without operational control. The practical conclusion is that identity programmes need to govern session boundaries, delegation paths, and privilege duration with the same seriousness as authentication. Practitioners should align identity governance to runtime risk.

Blast-radius control is the right concept for the next phase of cyber resilience. The article’s strongest implication is that outcome-driven security needs a named operating model, and blast-radius control captures that shift better than generic resilience language. It reframes success around limiting damage, not claiming total prevention. For identity architects, that means the highest-value controls are the ones that prevent one compromised credential from becoming many compromised systems. Practitioners should prioritise controls that break propagation chains.

Visibility without containment creates a false sense of readiness. Many organisations can describe where their controls are, but not what damage remains possible if those controls fail. That gap is especially visible in service-account-heavy and cloud-native environments where privileges persist across systems. The governance lesson is that reporting on coverage is not enough. Practitioners should build reporting around reachable impact, not just policy adherence.

What this signals

Cyber resilience programmes should now be judged on how quickly they can constrain compromise, not just how much telemetry they produce. That means identity boundaries, session scoping, and segmentation need to be operationally testable, not just documented. The most useful metric is the amount of reachable damage remaining after first access, especially in environments where service accounts and tokens drive production workflows.

Blast-radius drift: this is the slow expansion of reachable impact as identities, permissions, and trusted paths accumulate over time. When organisations stop trimming those paths, a single compromise becomes materially more dangerous. Teams should inspect whether [Ultimate Guide to NHIs](https://nhimg.org/the-ultimate-guide-to-non-human-identities#key-challenges-and-risks) and [NIST Cybersecurity Framework 2.0](https://www.nist.gov/cyberframework) guidance are being translated into actual access boundaries, not just policy language.

AI-assisted attacker workflows make static assurance less valuable unless the identity layer can enforce limits in real time. That pushes IAM, PAM, and NHI governance toward runtime controls such as short-lived access, tighter delegation, and more aggressive removal of standing privilege. For programmes under pressure, the signal is clear: reduce the space an attacker can occupy, not only the chance they enter it.


For practitioners

  • Measure reachable impact, not control volume Replace activity-based scorecards with metrics that show how much lateral movement, privilege spread, and data exposure remain possible after a foothold is gained. Tie those metrics to critical identities, service accounts, and privileged sessions.
  • Map containment paths for high-risk identities Identify which service accounts, API keys, tokens, and privileged roles could move an attacker from first access to production impact, then isolate or segment those paths. Use the mapping to prioritise where identity controls reduce blast radius the most.
  • Shorten the lifetime of access that matters most Use just-in-time access, tighter session duration, and removal of standing privilege for identities that can reach sensitive systems. Focus first on credentials whose compromise would create the largest operational spread.
  • Tie identity governance to resilience scenarios Test whether a compromised credential can still reach backup systems, admin paths, orchestration tools, or data stores. If it can, treat that as a resilience failure, not only an IAM issue.
  • Review access boundaries after every incident exercise After tabletop or red-team testing, update the access model to close the exact paths used in the simulation. Use the exercise to prove whether segmentation and privilege scoping actually limit propagation.

Key takeaways

  • Cybersecurity programmes can look mature while still failing to reduce the damage an attacker can cause after initial access.
  • Identity and machine credentials are central to containment because they often define the attacker’s next move, not just the first one.
  • The practical response is to measure and enforce blast-radius reduction through tighter privilege, shorter access duration, and stronger segmentation.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Access scoping and least privilege are central to containment in the article.
NIST SP 800-53 Rev 5AC-6Least privilege directly supports the containment model described in the article.
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral Movement; TA0040 , ImpactThe article’s containment focus maps to credential abuse, movement, and downstream impact.
OWASP Non-Human Identity Top 10NHI-03NHI lifecycle and rotation reduce the exposure window highlighted by the article.
NIST Zero Trust (SP 800-207)Zero Trust supports the article’s call to limit spread after compromise.

Use ATT&CK to test whether identity controls stop credential abuse from becoming lateral movement and impact.


Key terms

  • Blast Radius: Blast radius is the amount of damage an attacker can cause after gaining a foothold. In security governance, it is the practical measure of whether identities, privileges, and network paths are constrained enough to keep a small incident from becoming an enterprise-wide one.
  • Containment: Containment is the discipline of limiting what an attacker can do after initial compromise. It relies on segmentation, privilege scoping, and runtime restrictions so that access to one system does not automatically open routes to others or to sensitive data.
  • Standing Privilege: Standing privilege is persistent elevated access that remains available without a specific just-in-time need. It increases the probability that a compromised account, token, or service identity can move quickly across critical systems before defenders can intervene.
  • Reachable Impact: Reachable impact is the amount of real damage still possible from a compromised identity, workload, or account. It is a more useful programme measure than simple control coverage because it shows whether access boundaries are actually limiting attacker options.

What's in the full article

Illumio's full article covers the operational detail this post intentionally leaves for the source:

  • The panel-specific discussion on how leading practitioners are redefining cyber success around containment and resilience.
  • The examples of how breach impact can be limited through architecture choices such as isolation, access scoping, and restricted communications paths.
  • The article’s direct commentary from panel speakers on why measurement, risk assessment, and AI-driven attacker scale are changing security priorities.
  • The closing section on how the vendor frames breach containment as a practical response to lateral movement and spread.

👉 Illumio's full article expands on the panel discussion, containment framing, and the role of AI in attacker scale.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and lifecycle control. It gives security and identity practitioners a practical foundation for reducing exposure across modern access programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org