TL;DR: 80% of enterprise servers are reachable from anywhere inside the network, while attackers can begin moving laterally in as little as 27 seconds, according to Zero Networks’ analysis of 54 trillion activities across 300+ enterprise environments. Detection alone cannot keep pace with machine-speed breakout, so containment must shift to identity and network enforcement.
At a glance
What this is: This is a vendor analysis of common lateral movement techniques and the control patterns that stop them, with a central finding that most enterprise servers remain broadly reachable inside the network.
Why it matters: It matters because lateral movement turns one compromised account, token, or session into broader identity and infrastructure compromise, forcing IAM, PAM, and security architecture teams to treat internal reachability as a governance problem, not just a detection problem.
By the numbers:
- Zero Networks’ analysis of 54 trillion activities across 300+ enterprise environments revealed that 80% of enterprise servers are reachable from anywhere inside the network.
- 27 seconds.
- 70% of enterprise threat activity flows through just, rough just four privileged management protocols: SMB, WinRM, RDP, and RPC.
👉 Read Zero Networks’ analysis of common lateral movement techniques and containment
Context
Lateral movement is the stage after initial access where an attacker uses valid credentials, remote services, or native tools to move deeper into a network. In identity terms, the issue is not only compromise at the edge but excessive internal reachability, where one account or session can touch far more systems than it should.
For IAM and PAM teams, that means the relevant control boundary is no longer just authentication at login. Once internal access is broadly permitted, attackers can reuse legitimate pathways to escalate privileges, reach sensitive systems, and hide inside normal administration traffic. That makes lateral movement a core identity governance problem, not merely an endpoint detection problem.
The article’s starting position is typical of modern enterprise environments: extensive internal connectivity, mixed trust in privileged protocols, and heavy dependence on detection rather than hard containment.
Key questions
Q: How should security teams stop lateral movement after an initial foothold?
A: Security teams should reduce the number of internal paths a compromised identity can use, not just watch for suspicious traffic. That means segmenting sensitive systems, restricting remote administration protocols, and binding east-west access to verified identity and purpose. The goal is to make one foothold unable to become a broad internal breach.
Q: Why do valid credentials create such high lateral movement risk?
A: Valid credentials are dangerous because they let attackers look like normal users or administrators while moving through the environment. Once an account, ticket, or session is trusted internally, the attacker can reuse that trust to reach more systems. The risk grows sharply when internal reachability is broad and over-permissioned.
Q: What do security teams get wrong about detecting lateral movement?
A: Teams often assume faster detection is enough, but lateral movement can begin in seconds and outpace investigation. If internal access is already too open, alerts arrive after the attacker has pivoted. Prevention matters because detection-only programs still leave the attacker free to reuse legitimate paths.
Q: Who is accountable when lateral movement reaches sensitive systems?
A: Accountability sits across identity governance, network architecture, and security operations. IAM and PAM teams own the privileges and session controls, network teams own reachable pathways, and SOC teams own detection and response. If one layer is permissive, the others inherit the failure.
Technical breakdown
Why lateral movement succeeds inside trusted networks
Lateral movement works because internal networks often treat authenticated traffic as trustworthy by default. Attackers do not need to invent new access paths if remote services, shared credentials, and over-permissioned accounts already provide them. Techniques such as session hijacking, pass-the-hash, pass-the-ticket, and Kerberoasting all exploit trust that is embedded in identity material, not just network location. Built-in tools like PowerShell, PsExec, WMI, RDP, and WinRM make malicious activity blend with normal administration. The real technical issue is that the attack is often indistinguishable from legitimate operator behaviour until the blast radius is already expanding.
Practical implication: treat internal trust as an attack surface and reduce reachable pathways between systems.
AI-driven lateral movement and machine identity exposure
The article draws an important distinction between AI-accelerated movement and agent-induced movement. In the first case, AI helps attackers execute familiar tactics faster. In the second, AI agents themselves become a pivot surface when they hold legitimate connections to data sources, tools, or internal services. That matters because machine identities and service credentials are already overrepresented in enterprise environments, and AI agents can widen that exposure if they inherit broad permissions. This is a governance problem as much as a technical one: every new non-human actor expands the set of internal routes an attacker can abuse after compromise.
Practical implication: inventory AI-connected and machine identities together, because their internal privileges create shared pivot paths.
Why detection-only controls lose the race
Detection tools matter, but they are not a containment strategy by themselves. Lateral movement can start in seconds, while identification and containment often take days, which means a purely alert-driven model assumes the attacker will move slowly enough to be observed. Many lateral techniques also rely on valid accounts or native tooling, so the activity can look operational rather than malicious. That is why the defensive focus has to shift from spotting movement after it happens to constraining whether movement is possible in the first place. The architectural control is less about better noise filtering and more about reducing internal connectivity and privilege.
Practical implication: pair detection with preventative segmentation and identity-based access enforcement.
Threat narrative
Attacker objective: The attacker aims to turn one internal foothold into broad access, privilege expansion, and reach to high-value enterprise systems.
- Entry occurs when an attacker gains a foothold through phishing, compromised credentials, or another initial access path.
- Escalation follows as the attacker reuses valid accounts, stolen tickets, or native tools to move between internal systems and gather more privilege.
- Impact occurs when the attacker reaches sensitive systems such as domain controllers, administrative services, or data repositories and expands the breach beyond the initial host.
Breaches seen in the wild
- MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Lateral movement is an identity governance failure before it is a detection problem. Once attackers can reuse valid credentials, tickets, or sessions inside the environment, the real issue is that internal pathways were already too permissive. The article’s data on broad server reachability points to a structural trust problem, not an alerting problem. Practitioners should read this as a challenge to internal access design, not just SOC tuning.
Internal reachability is the hidden blast-radius multiplier. If 80% of servers can be reached from anywhere inside the network, then segmentation, purpose-bound access, and management-plane separation become governance controls, not architecture embellishments. This is where NHI exposure, privileged protocols, and machine identities intersect. The implication is that internal connectivity must be managed as tightly as external perimeter exposure.
Privilege without movement constraint creates operationally reusable compromise. Service accounts, remote admin paths, and shared authentication mechanisms let attackers turn one compromised identity into many reachable assets. That pattern aligns directly with OWASP-NHI and NIST CSF thinking on access limitation and monitoring, but the core lesson is simpler: if a compromised identity can traverse the estate freely, the estate is already over-trusted.
Detection-heavy programs assume the attacker moves slower than the organisation can react. This article shows that assumption is no longer safe, especially when lateral movement starts in seconds and legitimate tools camouflage abuse. The implication for practitioners is that containment must be pre-decided in the access model, because post-event response arrives too late to matter.
AI-driven lateral movement makes machine identity governance inseparable from network security. When AI agents and automated systems hold live connections into internal services, they create additional pivot points that can be abused at machine speed. That is not a new category of risk so much as a sharper version of the same reachability problem. Practitioners should govern non-human identities as part of lateral movement prevention, not after the fact.
From our research:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- Read 52 NHI Breaches Analysis for root-cause patterns that show how identity exposure becomes breach propagation.
What this signals
Internal containment is becoming the deciding control in identity security programmes. Once attackers can move laterally using valid credentials or native tools, the difference between a contained event and an enterprise-wide incident is the size of the reachable attack surface. Teams should expect board-level pressure to demonstrate not just detection coverage but measurable reduction in internal traversal paths.
AI-connected infrastructure widens the same reachability problem under a new label. As AI agents and machine identities proliferate, their legitimate connections create additional east-west pivot routes that attackers can abuse. That is why the next phase of identity governance will increasingly blend NHI, PAM, and network segmentation into a single containment story.
Standing access is the wrong default for environments where movement happens in seconds. The practical signal for mature programmes is no longer whether controls exist, but whether they can stop a compromised identity from becoming a multi-system incident before human review catches up. Internal access design has become a resilience metric, not an implementation detail.
For practitioners
- Map internal reachability by identity type Identify which service accounts, privileged users, and machine identities can reach sensitive systems from broad network zones, then reduce those paths to explicit business need. Use the resulting map to find where a single foothold can pivot into administrative or data-access planes.
- Restrict remote administration protocols to explicit allowlists Limit SMB, WinRM, RDP, SSH, and RPC to the smallest possible set of sources, destinations, and purposes. Treat these protocols as privileged paths that require continuous review, not general-purpose internal traffic.
- Apply identity-based microsegmentation to non-human access paths Tie internal policy to verified identity and purpose instead of IP ranges alone, especially for service accounts and automation workloads. Where possible, separate management traffic from application traffic so one compromise cannot traverse both planes.
- Force step-up controls on privileged east-west movement Require strong authentication before administrative actions or remote session reuse inside the network, especially where stolen credentials and session hijacking are plausible. This is most effective when paired with just-in-time approval for high-risk paths.
Key takeaways
- Lateral movement is where many breaches expand from a single foothold into enterprise-wide compromise.
- The evidence in this article shows that broad internal reachability and rapid movement leave detection teams reacting too late.
- Identity-based segmentation and tighter control of privileged internal protocols are the controls that change the outcome.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The article centers on exposed credentials, over-permissioning, and movement paths. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement | The article maps directly to credential abuse and internal pivoting tactics. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege and access restriction are central to blocking lateral movement. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege directly addresses the over-permissioned paths described in the article. |
| NIST AI RMF | MANAGE | AI-driven lateral movement makes governance of AI-connected access a management issue. |
Map internal exposure to credential-access and lateral-movement techniques, then reduce reachable paths.
Key terms
- Lateral Movement: Lateral movement is the phase of an intrusion where an attacker uses existing access to move from one system to another. In identity terms, it depends on internal trust, reused credentials, and over-broad connectivity that lets one foothold become many reachable assets.
- Pass-the-Hash: Pass-the-hash is a technique where an attacker uses a password hash to authenticate without knowing the plaintext password. It matters in environments that trust derived credential material, because a stolen hash can behave like a reusable access token for internal movement.
- Identity-Based Segmentation: Identity-based segmentation limits east-west access according to verified identity and purpose rather than broad network location alone. It is especially relevant when service accounts, admins, and automation systems need different internal pathways and one compromise should not grant estate-wide reach.
- Living Off the Land: Living off the land is an attack pattern where adversaries use built-in tools such as PowerShell, WMI, or PsExec instead of adding obvious malware. The tactic blends into normal administration, which makes access control and segmentation more important than signature-only detection.
What's in the full article
Zero Networks’ full article covers the operational detail this post intentionally leaves for the source:
- Technique-by-technique examples for session hijacking, pass-the-hash, pass-the-ticket, and Kerberoasting.
- Specific control patterns for microsegmentation, identity-based access, and just-in-time MFA at the network layer.
- Exposure figures for RDP, SMB, WinRM, and RPC across enterprise environments.
- Practical guidance on turning lateral movement pathways into dead ends with automated policy enforcement.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org