By NHI Mgmt Group Editorial TeamPublished 2026-04-24Domain: Best PracticesSource: Zero Networks

TL;DR: Identity weaknesses now appear in nearly 90% of cyber incidents and 89% of cases in Unit 42’s 2026 incident response report, while 99% of cloud users, roles, and services hold excessive permissions, often unused for 60 days or more. Static perimeter controls cannot contain valid-credential abuse when identities themselves are the attack path.


At a glance

What this is: This is an analysis of why perimeter-based security fails when identities, not network boundaries, determine access and lateral movement.

Why it matters: It matters because IAM, PAM, and NHI teams need controls that constrain identity use in real time, not just at login or provisioning.

By the numbers:

👉 Read Zero Networks' analysis of identity-centric least privilege and segmentation


Context

Identity-centric access control is the idea that permissions should follow the identity and the actual workload path, not just the network location. That matters because modern attacks increasingly use valid credentials, over-privileged accounts, and lateral movement rather than obvious perimeter breaks.

The article argues that identity sprawl has made static perimeter models too blunt for cloud, SaaS, and hybrid estates. For IAM, PAM, and NHI programmes, the problem is not only who can sign in, but where an identity can operate once it does.


Key questions

Q: How should security teams implement least privilege across hybrid environments?

A: Security teams should start with identity segmentation around the most sensitive systems, then expand to cloud, SaaS, and on-prem paths. The goal is to make each identity usable only where the business function requires it. That reduces blast radius when credentials are stolen and makes lateral movement much harder.

Q: Why do excessive permissions make valid credentials so dangerous?

A: Excessive permissions turn any stolen or abused credential into a much larger problem because the attacker inherits the identity’s existing reach. If a service account or user has broad access, the compromise is no longer limited to one system. The risk is lateral movement, privilege escalation, and faster operational impact.

Q: What do teams get wrong about perimeter security in identity-heavy environments?

A: They assume the perimeter still decides trust, when in reality many attacks now begin with valid access and then move internally. Perimeter controls can slow entry, but they do not stop an over-privileged identity from reaching other assets. Identity reachability is the missing control layer.

Q: How can organisations reduce lateral movement without breaking normal operations?

A: They should use human-on-the-loop automation to learn normal access patterns, then enforce granular identity-aligned policies with exception handling. That approach limits unnecessary movement while preserving legitimate traffic. The key is to control where identities can operate, not to block everything indiscriminately.


Technical breakdown

Identity segmentation and least privilege enforcement

Identity segmentation limits where a user, service account, or workload can authenticate and what it can reach after authentication. In practice, this turns identity into an enforcement boundary, so a domain admin, machine account, or third-party credential only works in the places it genuinely needs. The technical value is not just access reduction, but containment: if an attacker steals a credential, the credential cannot roam freely across servers, workstations, SaaS tenants, or cloud services. This is the operational form of least privilege in distributed environments.

Practical implication: Map each high-value identity to explicit allowed destinations and block everything else by default.

Why human-on-the-loop automation is required

Manual identity segmentation does not scale across hybrid estates because access paths change faster than teams can review them. Human-on-the-loop automation learns normal behaviour, then generates and enforces granular policies based on confirmed operational need. That differs from static allowlists because the policy engine continuously adapts to changing applications, cloud services, and remote access patterns. The important architectural point is that automation is used to keep least privilege current, not to replace governance judgement.

Practical implication: Use automated policy generation to keep segmentation current, then validate the resulting rules against business use cases.

North-south, east-west, and up-down protection

The article frames enforcement across three traffic dimensions. North-south controls limit ingress and egress at the perimeter, east-west controls constrain lateral movement inside the environment, and up-down controls restrict access between layers using identity. Together they reduce the chance that one compromised identity becomes a broad breach path. This matters because attackers rarely stay at the first entry point. They use whatever identity path is least constrained, then pivot until they reach data or administrative control.

Practical implication: Evaluate whether your current controls stop movement across all three traffic dimensions, not just at the edge.


Threat narrative

Attacker objective: The attacker wants to turn a single valid identity into broad, stealthy control over systems and data.

  1. Entry occurs when attackers obtain valid credentials, because the article describes phishing, third-party credential exposure, and malware-free abuse of legitimate access as common initial paths.
  2. Escalation happens when excessive permissions and weak identity segmentation let those credentials reach systems they should not control, enabling privilege escalation or lateral movement.
  3. Impact follows when the attacker uses the expanded access to move across assets, steal data, or disrupt business services without relying on obvious malware signals.
  • MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
  • MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity segmentation is now the practical boundary for least privilege. Perimeter controls can still matter, but they no longer determine whether a stolen credential can spread across cloud, SaaS, and on-prem environments. The governance question is no longer whether an account can authenticate, but where that identity can operate after authentication. Practitioners should treat identity reachability as a first-class control surface.

Excessive permissions turn identity sprawl into a containment failure. When cloud users, roles, and services carry more privilege than they need, attackers inherit that overreach the moment they obtain valid access. The article’s numbers show why this is not a marginal issue: excessive entitlements are the default condition, not the exception. Teams should reframe access reviews around blast radius, not just entitlement lists.

Three-dimensional enforcement is the missing architecture for hybrid estates. North-south, east-west, and up-down controls solve different movement problems, and none of them alone is sufficient once identities are everywhere. That is why the identity security market keeps converging on segmentation and policy enforcement rather than point tools. Practitioners need one operating model that constrains access at each movement plane.

Automated policy generation changes the economics of least privilege. Manual segmentation fails because the environment changes faster than governance cycles. The article shows that deterministic, human-on-the-loop automation is what makes identity-aligned enforcement operational at scale, especially for machine accounts and hybrid workloads. The implication is straightforward: without automation, least privilege remains a design principle rather than an enforceable control.

Identity-centric controls are becoming the common language across IAM, PAM, and NHI governance. The same access problem appears whether the subject is a human user, a service account, or a third-party credential. That convergence matters because programme owners can no longer manage each identity type as if it were isolated from the others. The practical conclusion is to align identity segmentation, privileged access, and lifecycle controls around shared enforcement logic.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing that remediation windows often outlast attacker dwell time.
  • 52 NHI Breaches Analysis shows how over-privileged machine identities repeatedly turn small exposures into multi-system incidents.

What this signals

Identity reachability is becoming the real programme metric. For most organisations, the question is no longer whether identities exist in excess, but whether those identities can move farther than their job requires. With 97% of NHIs carrying excessive privileges, according to Ultimate Guide to NHIs, the programme risk is architectural, not isolated.

Blast radius will matter more than entitlement volume in the next phase of IAM maturity. Teams that can prove they are reducing where identities can operate will have a stronger control story than teams that only count dormant accounts or completed reviews. That shift aligns naturally with NIST SP 800-53 Rev 5 Security and Privacy Controls because access control has to be enforced, not merely documented.


For practitioners

  • Inventory identity-to-asset reachability Document which users, service accounts, and applications can reach each critical asset, then remove paths that are not required for the current business function. Use that map to prioritise segmentation work around the most exposed identities.
  • Apply identity segmentation to privileged accounts first Start with domain admins, cloud operators, and high-risk machine identities because those credentials create the largest blast radius if stolen. Restrict them to the specific hosts, services, or management planes they actually need.
  • Replace static trust with contextual enforcement Tie network access to identity, device, and workload context so access decisions can change with the connection, not just the login. This is especially important when third-party credentials or shared environments are involved.
  • Use human-on-the-loop automation for policy upkeep Let automated learning propose segmentation rules, but keep a review step for exceptions, business-critical workflows, and change control. That avoids drift without turning least privilege into a brittle deny-all posture.

Key takeaways

  • Perimeter trust models fail when valid identities can still move laterally inside the environment.
  • The scale problem is already visible, with excessive permissions and identity sprawl widening the blast radius for attackers.
  • Identity segmentation plus automation is the practical path to least privilege at enterprise scale.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03The article centers on over-privileged non-human identities and access enforcement.
NIST CSF 2.0PR.AC-4Identity permissions and least privilege are the core control objective here.
NIST SP 800-53 Rev 5AC-6Least privilege and permission scoping align directly to AC-6.
CIS Controls v8CIS-5 , Account ManagementThe article’s privilege creep and dormant account issues fall within account management.
NIST Zero Trust (SP 800-207)The piece uses zero trust logic to constrain identity-based access.

Review NHI entitlements against NHI-03 and remove unnecessary reach before expanding segmentation.


Key terms

  • Identity segmentation: Identity segmentation is the practice of restricting where an identity can authenticate and what it can reach after authentication. It treats the identity itself as an enforcement boundary, which is especially useful in hybrid environments where network location no longer predicts trust.
  • Blast radius: Blast radius is the amount of damage an attacker can cause after compromising one identity or system. In identity governance, it is shaped by entitlement scope, reachable assets, and how quickly access can be constrained once misuse begins.
  • Human-on-the-loop automation: Human-on-the-loop automation uses machine learning or policy engines to propose and enforce access controls while keeping people in charge of exceptions and oversight. For identity programmes, it reduces manual toil without turning governance into blind automation.
  • Lateral movement: Lateral movement is an attacker’s attempt to move from one system or identity to another after initial access. In identity-centric security, the goal is to make that movement difficult by limiting where each identity can operate and what it can authenticate against.

What's in the full article

Zero Networks' full article covers the operational detail this post intentionally leaves for the source:

  • The webinar discussion on identity segmentation design across SaaS, cloud, and on-prem environments.
  • The practical trade-offs between blocking, containing, and allowing identity-based traffic in production.
  • The role of automated learning in building least-privilege policies without hand-crafting every rule.
  • The examples of how microsegmentation and just-in-time network-layer MFA fit into a broader control stack.

👉 The full Zero Networks article covers the webinar discussion, control model, and enforcement approach in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM, PAM, or identity governance programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org