TL;DR: At Gartner SRM 2026, the recurring themes were that AI and automation are strengthening defenders, vulnerability exploitation has overtaken credential abuse as the top initial access vector at 31% of breaches, and identity-first microsegmentation is becoming the practical answer for mixed IT, OT, and unmanaged environments, according to Elisity. The governance lesson is that visibility, identity, and enforcement now have to move together, or segmentation becomes a theory rather than a control.
At a glance
What this is: This field note argues that AI-driven defense, identity-first microsegmentation, and measurable visibility are converging into a more practical security model for mixed IT and OT environments.
Why it matters: It matters because IAM, NHI, and security architecture teams now have to govern identity-led access and segmentation across environments where network-only controls and human-paced review cycles do not fit.
By the numbers:
- vulnerability exploitation has now overtaken credential abuse as the leading way attackers get in, at 31 percent of breaches.
- 13 percent.
- Full remediation of CISA Known Exploited Vulnerabilities dropped to 26 percent this year.
👉 Read Elisity's field notes from Gartner SRM 2026 on identity, automation, and segmentation
Context
Identity-first microsegmentation is the practice of tying enforcement to who or what is accessing a resource, rather than relying only on network location. That matters when the same environment includes unmanaged devices, legacy OT assets, and workloads that security teams cannot instrument in the same way as corporate endpoints.
At Gartner Security & Risk Management Summit 2026, the strongest thread was that identity and automation are no longer separate conversations. The practical problem is not whether defenders should modernise, but how quickly they can make visibility measurable and enforcement identity-aware across mixed environments.
That is a typical enterprise challenge now, not an edge case. The article’s own examples from healthcare, manufacturing, and critical infrastructure show the same governance pressure appearing in very different operational settings.
Key questions
Q: How should security teams implement identity-first microsegmentation in hybrid environments?
A: Start by anchoring policy to identity sources, asset type, and operational criticality, not to IP ranges alone. That approach works better when the same estate includes unmanaged devices, OT systems, and cloud workloads. The goal is to preserve consistent authorization even when network topology changes or the device cannot support a conventional agent.
Q: Why do mixed IT and OT environments break traditional segmentation assumptions?
A: Because IT and OT share neither the same tolerance for failure nor the same control objective. In IT, a mistaken block is inconvenient; in clinical or industrial settings, it can stop care or production. Traditional network segmentation assumes those consequences are interchangeable, which they are not.
Q: What should organisations measure before expanding segmentation programmes?
A: Measure what assets exist, who can reach them remotely, and which externally exposed systems still lack authentication. Those three signals tell you whether your visibility is real enough to support identity-led control. If you cannot measure them, you cannot prove that segmentation is improving security rather than adding complexity.
Q: Who should own the decision when automation changes security policy in critical environments?
A: The decision should stay with the security and operational owners who understand the consequence of a false positive or a delayed response. Automation can accelerate enforcement, but it should not become the authority that decides business impact. Governance still has to define the boundary for acceptable automated action.
Technical breakdown
Identity-first microsegmentation in mixed IT and OT environments
Identity-first microsegmentation shifts policy from subnets and ports to identities such as users, devices, and workloads. That matters in environments where devices may be legacy, unmanaged, or unable to run agents. Network-centric segmentation struggles when topology is flat, proprietary, or constantly changing. Identity becomes the stable control plane because the asset can move, but its authorization context remains inspectable. This is especially relevant in OT and clinical environments, where the cost of a false positive is operational disruption, not just an alert.
Practical implication: build segmentation policies around identity sources and verified device context, not around network assumptions that break in OT and hybrid estates.
Visibility as a measurable control, not a binary state
Visibility only becomes useful when it is measured as a control objective rather than treated as a yes or no outcome. In practice, teams need to know what assets exist, who is remotely accessing them, and which internet-facing systems lack authentication. Without that baseline, segmenting or protecting the environment is guesswork. The architectural lesson is that detection, inventory, and policy enforcement must be linked, because security teams cannot prove improvement if visibility is not defined numerically.
Practical implication: define visibility metrics before expanding controls, then use those metrics to prioritise enforcement gaps and ownership.
Automation changes the defender economics, but not the governance burden
Automation can reduce the marginal cost of response, which is why the summit framed it as a defender advantage. But the governance burden shifts rather than disappears. If AI speeds up attack chains, defenders need faster containment, faster policy updates, and fewer manual handoffs. The key architectural point is that automation only helps when identity-aware policy can keep pace with change in the environment. Otherwise, the organisation automates noise rather than control.
Practical implication: use automation to shorten response and policy cycles, but keep identity governance as the approval boundary for what the automation is allowed to change.
Threat narrative
Attacker objective: The attacker objective is to turn a single vulnerable foothold into broad operational reach across systems that were never meant to share the same access model.
- Attackers increasingly enter by exploiting exposed vulnerabilities rather than relying on stolen credentials, which shifts the initial access problem toward internet-facing assets and unpatched services.
- Once inside, they scan for similar weaknesses and use that foothold to reach other systems where identity or segmentation controls are weak or inconsistently applied.
- The impact is broader lateral movement and more disruptive compromise, especially where OT or clinical systems inherit IT assumptions that do not fit their operational risk.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Coupang Signing Key Breach — Unrevoked signing key credentials expose 33.7 million records after employee offboarding failure at Coupang.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity-first controls are becoming the only segmentation model that still maps cleanly to mixed environments. Network boundaries do not describe access intent well enough when assets are unmanaged, legacy, or spread across IT and OT. Identity-led enforcement gives practitioners a control point that remains stable even when the underlying topology does not. The implication is that segmentation programmes need to be judged by identity fidelity, not by how elegant the network design looks.
Visibility you cannot measure is governance you cannot defend. The article’s core insight is that visibility must be treated as a metric, not a slogan. If teams cannot quantify what exists, who is accessing it, and what remains unauthenticated, then they cannot prove that controls are improving. Practitioners should read this as a warning that inventory-first and identity-first programmes are inseparable.
Automation is now a defensive economics problem, not just a tooling discussion. The summit framing is that defenders can finally use automation to out-scale manual response, but only where policy and identity signals are already reliable. That is a governance point, not a product point. Teams that treat automation as an add-on to fragmented identity controls will only accelerate inconsistency.
Vendor consolidation is shifting buying decisions from feature comparison to complexity reduction. Security leaders are no longer asking only whether a platform can do one control well. They are asking how many overlapping tools they can remove without losing coverage across human identity, workload identity, and operational environments. The implication is that architecture rationalisation now sits inside identity governance, not outside it.
Identity governance increasingly has to bridge human, machine, and operational access without assuming they behave the same way. The article’s examples from healthcare, manufacturing, and critical infrastructure show that the same access model cannot be copied across contexts. That creates a programme design problem for IAM teams, PAM teams, and NHI owners alike. The lesson is to align governance to operational consequence, not to organisational convenience.
From our research:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, which helps explain why identity-led automation is still uneven in practice.
- For a broader lifecycle view, NHI Lifecycle Management Guide shows how provisioning, rotation, and offboarding need to be governed as one control chain.
What this signals
With 35.6% of organisations citing consistent access across hybrid and multi-cloud environments as their top NHI challenge, the programme lesson is clear: identity policy has to survive topology changes, not just audit cycles. That is why identity-first segmentation and lifecycle governance keep converging.
Identity fidelity: the measure of whether access policy still reflects the real actor and asset once the network, device state, or environment changes. Teams that cannot preserve identity fidelity will keep compensating with overlapping tools and manual exceptions.
Practitioners should expect more pressure to rationalise platforms around a small number of strategic controls, then use deeper specialist tooling where consequence is highest. That buying pattern only works if the identity model underneath it is coherent.
For practitioners
- Define identity-based segmentation boundaries Map policies to verified users, devices, and workloads, then test where network-only rules fail in legacy and OT segments. Prioritise assets that cannot run modern agents but still expose critical services.
- Make visibility a measurable control objective Track what assets exist, who is remoting into them, and which internet-facing systems lack authentication. Use those three measures to decide where segmentation, authentication, or inventory work comes first.
- Separate IT and OT enforcement logic Keep policy, management, and enforcement distinct where a false positive could interrupt care or production. Use the same strategic platform if needed, but do not assume the same control settings belong in both environments.
- Treat automation as a control multiplier Use automation to shorten containment and policy change cycles, then verify that identity signals are strong enough to support those decisions. Do not automate around weak asset knowledge or unclear ownership.
Key takeaways
- Identity-first microsegmentation is emerging as a practical way to govern access in environments where network-centric controls do not fit the asset mix.
- The article’s evidence points to a governance problem, not just a tooling problem, because visibility, enforcement, and automation all have to be measurable to matter.
- Security teams should expect architecture simplification to continue, but only programmes with strong identity fidelity will reduce complexity without weakening control.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Identity-led segmentation and access control are central to this article. |
| NIST Zero Trust (SP 800-207) | The article argues for identity-based enforcement consistent with zero trust. | |
| NIST SP 800-53 Rev 5 | AC-4 | Information flow enforcement maps well to microsegmentation controls. |
| CIS Controls v8 | CIS-6 , Access Control Management | The article centers on access control in mixed operational environments. |
Map segmentation policy to identity and least privilege, then validate that enforcement survives hybrid environment changes.
Key terms
- Identity-first microsegmentation: A segmentation approach that uses the identity of a user, device, or workload as the basis for access policy. It is useful when network location is too unstable or too coarse to express real trust boundaries, especially in hybrid, OT, and unmanaged-device environments.
- Visibility metric: A measurable indicator of how much of an environment is known, monitored, or exposed. In practice, it turns visibility from a vague promise into a governance input, allowing teams to track assets, remote access paths, and unauthenticated exposure over time.
- Identity fidelity: The degree to which a control decision still matches the real actor and asset after environmental changes. High identity fidelity means policy continues to reflect actual access context even when devices move, systems age, or the network architecture becomes more complex.
What's in the full article
Elisity's full field note covers the operational detail this post intentionally leaves for the source:
- The specific conference themes and hallway observations that shaped the four threads in the article
- The exact analyst and keynote framing behind the defender economics argument
- More detail on the identity-first microsegmentation examples from healthcare, manufacturing, and critical infrastructure
- The vendor-comparison context behind the consolidation and complexity-reduction discussion
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or identity security programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org