By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: ElisityPublished October 28, 2025

TL;DR: Microsegmentation projects often fail because organisations cannot accurately discover devices, redesign networks without downtime, or sustain identity-based policy enforcement, according to Elisity. The governance problem is not just segmentation mechanics, but the operational gap between asset visibility, business continuity, and enforceable access boundaries.


At a glance

What this is: This is a field CTO perspective on why microsegmentation projects stall, with the core finding that incomplete device visibility and disruptive implementation models prevent segmentation from working in real environments.

Why it matters: It matters to IAM and security teams because segmentation increasingly depends on identity-aware policy, device discovery, and governance controls that must align across NHI, workload, and human access models.

By the numbers:

👉 Read Elisity's perspective on making microsegmentation work in production environments


Context

Microsegmentation is the practice of applying granular network boundaries so systems can communicate only where business need exists. The recurring failure is not the concept itself, but the difficulty of discovering every device, understanding how it should behave, and enforcing policy without interrupting operations.

This article sits at the intersection of network security, Zero Trust, and identity governance because policy is only as strong as the identity and asset data beneath it. For IAM and NHI teams, the lesson is that segmentation programs increasingly depend on device identity, workload identity, and lifecycle controls, not just network design.


Key questions

Q: How should security teams implement microsegmentation without disrupting operations?

A: Security teams should phase microsegmentation around high-value zones first, use existing network infrastructure where possible, and validate each policy change against business workflows before expanding scope. The key is to reduce lateral movement without forcing a redesign that production teams cannot absorb. If segmentation needs downtime to work, the deployment model is wrong.

Q: Why do unmanaged devices make segmentation harder to govern?

A: Unmanaged devices make segmentation harder because policy cannot be trusted when ownership, classification, and expected behaviour are unclear. In practice, those devices act like blind spots in the control model. Teams need one inventory, one ownership model, and one enforcement framework so policy decisions reflect actual business context, not assumptions.

Q: What breaks when identity-based segmentation is built on incomplete asset data?

A: When asset data is incomplete, segmentation tends to over-permit to avoid outages or under-permit and break business services. Either outcome weakens the control. The control only works when discovery, classification, and identity mapping are accurate enough to support safe, repeatable policy enforcement across the full environment.

Q: Who should be accountable for microsegmentation outcomes?

A: Accountability should sit jointly with network security, the operational owners of the systems being segmented, and the risk function that validates business impact. If the control is tied to identity sources and operational dependencies, then accountability must also cover the data used to define policy. That is what makes segmentation auditable and sustainable.


Technical breakdown

Why traditional microsegmentation projects stall

Traditional segmentation often depends on VLAN redesign, long implementation cycles, and disruptive change windows. In operational environments, that creates a mismatch between the security goal and the tolerance for downtime. The result is a common pattern: teams understand the risk, but the project cannot progress because the implementation path is too brittle for production systems. Microsegmentation only works when the control plane can adapt to live environments rather than forcing those environments to be rebuilt.

Practical implication: design segmentation around existing infrastructure and operational constraints, not around a lab-perfect architecture.

Identity-based policy depends on device discovery

Identity-based microsegmentation uses context about devices, roles, and business function instead of relying only on IP addresses. That requires accurate discovery and classification of IT, OT, IoT, and IoMT assets, including unmanaged endpoints that traditional tools miss. Without that visibility, policy becomes partial, and partial policy creates a false sense of control. The technical challenge is not merely enforcement, but maintaining an accurate identity-to-asset map as environments change.

Practical implication: treat asset discovery and device classification as prerequisites for policy enforcement, not separate hygiene tasks.

Why segmentation is now a governance issue

Segmentation is no longer just a network architecture decision. Regulators, insurers, and Zero Trust programmes increasingly expect demonstrable control over lateral movement, which pushes segmentation into governance, assurance, and audit territory. When the segmentation model is identity-aware, the control surface expands into authentication, authorisation, and lifecycle management for devices and workloads. That is where IAM and NHI governance become relevant, because a policy that cannot be audited or tied to accountable identity sources will not satisfy real-world assurance requirements.

Practical implication: align segmentation evidence with identity, access, and audit controls so the programme can stand up to regulatory and insurance review.


Threat narrative

Attacker objective: The attacker objective is to expand a foothold into broad lateral movement capability so a single compromise can affect many systems instead of one.

  1. Entry typically begins with an attacker finding a flat or weakly segmented environment where many systems can talk to each other without strong boundary controls.
  2. Escalation occurs when the attacker moves laterally from one compromised device to adjacent systems, using the lack of segmentation to expand reach across the environment.
  3. Impact is achieved when the attacker reaches higher-value systems, increasing the blast radius of disruption, theft, or ransomware propagation.

NHI Mgmt Group analysis

Microsegmentation fails most often as a governance problem, not a packet-filtering problem. The article describes implementation friction, but the deeper issue is that security teams cannot govern what they cannot accurately map to business context. Identity-based policy only works when asset discovery, ownership, and lifecycle data are reliable. For practitioners, the real question is whether segmentation can be audited as a control, not merely demonstrated as a tool.

Device identity sprawl is the hidden blocker behind many segmentation programmes. When unmanaged IoT, OT, and IoMT systems are included, the programme stops being about one network and becomes about continuous identity reconciliation across many asset classes. That makes this a close cousin to NHI governance: unmanaged devices behave like unmanaged identities, creating blind spots in policy and enforcement. Practitioners should treat unclassified devices as governance debt, not just inventory noise.

Zero Trust architectures depend on segmentation only when the control is tied to trustworthy identity sources. The article correctly links segmentation to regulatory and insurer pressure, but the field-level lesson is that Zero Trust becomes hollow if policy is based on stale assumptions about what exists on the network. Identity-aware segmentation helps reduce lateral movement, yet it also exposes whether an organisation’s access model is still built around static trust zones. The practitioner takeaway is that segmentation programmes should be measured as identity-governance controls, not only as network-security projects.

Operational continuity is now a deciding factor in security architecture adoption. Security models that require downtime will continue to fail in healthcare, manufacturing, and critical infrastructure regardless of technical merit. That shifts the market toward controls that can be applied incrementally, verified continuously, and rolled back safely. For teams, the implication is clear: if the control cannot survive production constraints, it will not scale into the environments where it matters most.

Microsegmentation is becoming a test of cross-domain coordination. Network teams, OT owners, IAM leads, and risk stakeholders all influence whether policy can be applied without breaking operations. That makes segmentation a programme-level capability, not a point product decision. Practitioners should build governance around shared ownership, clear exception handling, and measurable containment outcomes.

What this signals

Device discovery is becoming a control-plane requirement, not a pre-project task. Microsegmentation programmes increasingly fail when they assume inventory can be fixed later. For teams running Zero Trust or operational resilience initiatives, the practical shift is to make discovery, classification, and ownership part of the enforcement model from day one.

The governance implication is broader than network architecture. When segmentation is identity-aware, any gap in device or service-account visibility becomes an access-control problem as much as a network problem. That is why identity teams and infrastructure teams need shared reporting on what is known, what is exempted, and what remains unclassified.

For readers building a segmentation roadmap, the best signal is whether the control can survive change, audit, and production pressure at the same time. If it cannot, then the programme is still a design exercise rather than an operational security capability.


For practitioners

  • Build segmentation from a complete asset inventory Start by reconciling IT, OT, IoT, and IoMT assets into one classification model before you define enforcement zones. If an asset cannot be identified and owned, it should be treated as a policy gap rather than an exception.
  • Tie microsegmentation to identity governance Map device and workload policies to accountable identity sources, including service accounts and privileged access paths, so segmentation decisions can be reviewed and audited. This is where NHI controls and network controls need a shared governance model.
  • Prioritise non-disruptive enforcement paths Use implementation approaches that avoid full network redesigns and production downtime, especially in operational and clinical environments. The control should be deployable in stages with clear rollback and containment evidence.
  • Measure containment, not just coverage Track whether segmentation actually reduces lateral movement and limits blast radius during incidents. A policy set that looks complete on paper but cannot stop east-west movement is a reporting success, not a security success.

Key takeaways

  • Microsegmentation breaks down when organisations cannot reliably discover, classify, and govern the devices they are trying to protect.
  • The evidence points to lateral movement as a major breach amplifier, which makes containment and asset visibility central to resilience.
  • Practitioners need segmentation models that are identity-aware, operationally deployable, and auditable under real production constraints.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Segmentation and access management are central to limiting lateral movement here.
NIST SP 800-53 Rev 5AC-4Information flow enforcement fits identity-aware microsegmentation and containment goals.
CIS Controls v8CIS-5 , Account ManagementIdentity governance matters because segmentation depends on accountable device and service identities.
NIST Zero Trust (SP 800-207)Zero Trust relies on continuous verification and constrained east-west movement.
MITRE ATT&CKTA0008 , Lateral Movement; TA0040 , ImpactThe article focuses on stopping lateral movement before it becomes operational impact.

Map segmentation gaps to lateral movement and impact tactics, then prioritise controls that shrink blast radius.


Key terms

  • Microsegmentation: Microsegmentation is the practice of dividing a network into small, policy-controlled communication zones. It limits which systems can talk to one another, reducing blast radius when an attacker gains access. In mature environments, the policy is tied to identity, workload context, and business function rather than static IP ranges.
  • Identity-Based Microsegmentation: Identity-based microsegmentation uses device or workload identity to decide who can communicate with whom. Instead of treating every address as equally trusted, it binds access rules to known assets, owners, and roles. That makes segmentation more adaptable, but only if discovery and classification remain accurate.
  • Lateral Movement: Lateral movement is the phase of an attack where an intruder moves from one compromised system to others inside the environment. It is dangerous because a single foothold can become broad operational access. Segmentation, least privilege, and strong identity controls are designed to interrupt this phase.
  • Operational Technology: Operational technology is the hardware and software that monitors or controls physical processes in industrial and critical environments. These systems are often difficult to patch or restart, which makes disruptive security projects hard to deploy. Security controls for OT must preserve safety and uptime while still limiting attacker movement.

What's in the full article

Elisity's full post covers the operational detail this post intentionally leaves for the source:

  • How the platform discovers and classifies unmanaged IoT, OT, and IoMT devices in live environments
  • The implementation claim that segmentation can be applied in days rather than months using existing infrastructure
  • The reported containment and cost outcomes that support the field CTO's argument
  • The vendor's view of how identity-based policy is applied across the network without redesigning VLANs

👉 The full Elisity post covers the implementation challenges, identity-based policy model, and operational outcomes in more detail.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, and secrets management in a way that complements segmentation and Zero Trust programmes. It helps practitioners connect identity controls to the operational security work their programmes depend on.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org