TL;DR: EMA’s survey of 145 IT and security leaders found 95% rate microsegmentation as extremely or very important for cyber defence, while automated discovery, policy creation, and MFA integration are emerging as the features needed to overcome deployment friction and improve containment, according to Zero Networks. The market is moving from niche control to operational requirement, and that changes how teams should think about lateral movement risk.
At a glance
What this is: EMA’s report says microsegmentation is moving into mainstream enterprise defence, with 95% of respondents rating it highly important and automation seen as the main way to make it workable at scale.
Why it matters: For IAM and PAM teams, microsegmentation now intersects with workload access, lateral movement prevention, and privileged path reduction, so it affects how identity controls are enforced after initial access.
By the numbers:
- 95% of respondents rate microsegmentation as extremely important or very important for cyber defense.
- Based on survey data from 145 IT professionals, information security practitioners, and technology business leaders, this report provides research-backed insights.
👉 Read Zero Networks' report on the maturing microsegmentation market
Context
Microsegmentation is a containment control that limits east-west movement between systems, applications, and workloads. In practice, its value depends less on policy theory and more on whether teams can discover assets, tag them correctly, and enforce access boundaries without creating operational drag. That is why this topic matters to identity teams as much as network teams: lateral movement is often enabled by over-broad access paths and weak segregation of privileges.
The report frames the market around a familiar governance gap. Organisations want stronger breach containment, but many still struggle with manual policy construction, incomplete visibility, and slow deployment cycles. That intersects with IAM and PAM because segmentation controls often determine how far a stolen credential or compromised workload can move once it has initial access. For identity programmes, the question is no longer whether segmentation belongs in the control stack, but how it is operationalised alongside access governance.
Key questions
Q: What breaks when microsegmentation is not built around real trust boundaries?
A: When segmentation zones are drawn from static network layouts instead of application relationships and workload identity, the controls become too coarse to stop lateral movement. Teams end up with broad exceptions, fragile rules, and weak containment. The result is a control that looks complete on paper but fails when an attacker pivots inside the environment.
Q: Why does microsegmentation matter when organisations already use MFA and least privilege?
A: MFA and least privilege reduce the chance and scope of initial access, but they do not stop movement after compromise. Microsegmentation limits where a stolen credential, compromised workload, or abused service account can go next. Used together, the controls reduce both the foothold and the blast radius.
Q: How do security teams know whether microsegmentation is actually working?
A: They test for containment, not just deployment. A useful indicator is whether a compromised endpoint, workload, or admin path can still reach adjacent systems, management interfaces, or sensitive services. If those paths remain open, segmentation exists in policy but not in practice.
Q: Who should own microsegmentation decisions when IAM and network controls overlap?
A: Ownership should be shared between network security, IAM, platform and application teams because segmentation policy depends on workload identity, device posture and application criticality. The governance question is not which team owns every rule, but who is accountable for keeping the trust model aligned to current risk.
Technical breakdown
Automated asset discovery and tagging change segmentation accuracy
Microsegmentation fails when teams do not know what they are segmenting. Automated discovery and tagging create the asset inventory and policy labels needed to define trust boundaries at workload, application, or endpoint level. Without that baseline, segmentation rules become brittle, overly broad, or impossible to maintain as environments change. Automation matters because modern estates are dynamic, with ephemeral infrastructure and frequent application changes. The practical result is that segmentation policy must be driven by current identity and asset context, not static network diagrams.
Practical implication: build segmentation on continuously refreshed asset identity and tagging data, not manual spreadsheets.
Policy automation reduces the friction that makes segmentation stall
Traditional microsegmentation often breaks down in the policy design phase. Teams may understand the target state, but they cannot sustain the manual effort needed to create, test, and maintain rules across many systems. Automated policy creation and management reduce this bottleneck by translating observed traffic and application relationships into enforceable controls. That does not remove governance, but it changes the operator model from hand-built exceptions to review and refinement. For large environments, the difference is whether segmentation becomes a pilot or an operating control.
Practical implication: require automated policy generation with human review, especially for large and frequently changing environments.
Mfa integration and segmentation together shrink lateral movement paths
Microsegmentation controls where traffic can go, while MFA controls who can authenticate into the systems that traffic reaches. Used together, they reduce the usefulness of stolen credentials and compromised admin paths. This is why segmentation is often strongest when paired with identity enforcement at access points, not treated as a standalone network feature. The report’s emphasis on breach containment reflects a broader reality: attackers exploit both access and movement, so defenders need controls that limit both the first foothold and the subsequent spread.
Practical implication: align segmentation with MFA and privileged access controls so stolen credentials do not translate into broad reach.
Threat narrative
Attacker objective: The attacker seeks to turn one compromised system into access across the internal estate before defenders can contain the blast radius.
- Entry begins when an attacker gains a foothold on a single endpoint, workload, or account with access to an internal environment.
- Escalation occurs when the attacker uses broad east-west connectivity or weak segmentation rules to move from the initial point of compromise into adjacent systems.
- Impact follows when lateral movement reaches higher-value assets, allowing deeper compromise, service disruption, or broader breach containment failure.
NHI Mgmt Group analysis
Microsegmentation is becoming a control-plane issue, not just a network design choice. The report’s findings show that buyers now expect segmentation to reduce attack surface and contain breach spread, which means the control must operate alongside identity and access governance. When attack paths are shaped by credentials, privilege, and workload reach, segmentation becomes part of the identity enforcement stack. Practitioners should treat it as a policy governance capability rather than a point product.
Automated policy creation is the named concept this market has been missing: segmentation without manual toil. The operational barrier has never been the theory of least reach, but the cost of expressing and maintaining it across dynamic estates. Automation lowers that burden, but only if teams still own approval, exception handling, and change control. Practitioners should evaluate whether segmentation tools reduce governance work or simply relocate it.
Microsegmentation and privileged access must be designed together if lateral movement is the real threat. A stolen credential is only catastrophic when the environment lets it travel too far. That is why the report’s emphasis on containment lines up with least privilege and path restriction thinking in IAM and PAM. Practitioners should map internal trust zones to the same governance discipline used for high-risk access.
Market maturity usually follows operational pain, and this category is now responding to that pain. The survey suggests organisations want security outcomes they can measure, not segmentation projects they have to hand-craft forever. That shift matters because it changes buying criteria from feature depth to deployability, policy lifecycle, and integration with identity signals. Practitioners should expect segmentation to be judged by containment performance and maintenance cost.
Microsegmentation is now part of resilience planning, not just prevention. The value case is increasingly about what happens after an intrusion, when limiting movement determines whether an incident stays local or becomes enterprise-wide. That makes segmentation relevant to resilience, incident response, and recovery planning as well as prevention. Practitioners should include containment assumptions in control testing, not only perimeter architecture reviews.
What this signals
Containment is becoming a governance requirement, not a network afterthought. The more organisations rely on workload identity, service accounts, and privileged automation, the more they need controls that define where compromise can travel after it starts. Microsegmentation sits in that gap between access and blast radius, which makes it a practical extension of identity governance in hybrid estates.
Teams should expect segmentation programmes to be judged on operability as much as on coverage. If asset discovery, policy updates, and exception handling remain manual, the control will not keep pace with dynamic infrastructure or autonomous workloads. The operational test is whether boundary policy can move as fast as the systems it protects.
Identity programmes that already struggle with over-privileged service accounts should treat segmentation as part of the same remediation path. Least privilege limits what an identity can do; segmentation limits where it can go. That combination is what prevents a single compromise from becoming a full internal propagation event.
For practitioners
- Define segmentation zones around real trust boundaries Base zones on application dependencies, workload identity, and business criticality rather than subnet convenience. Revisit boundaries whenever services are replatformed or privileged paths change.
- Automate discovery before enforcing policy Require current asset discovery and tagging as a prerequisite for policy generation. Without that inventory, segmentation rules drift and exceptions accumulate.
- Pair segmentation with privileged access controls Use MFA, just-in-time elevation, and tight administrative reach to reduce the value of any credential that lands inside the environment. Segmentation should constrain movement after access, not substitute for access governance.
- Measure containment, not just coverage Test whether an initial compromise can reach adjacent systems, sensitive workloads, or management planes. Coverage metrics alone do not show whether segmentation actually limits lateral movement.
Key takeaways
- Microsegmentation is maturing into a mainstream containment control because organisations need a practical way to reduce lateral movement after initial compromise.
- The report points to automation, not policy theory, as the key enabler for deployment, maintenance, and scale.
- For identity and PAM teams, the real value lies in pairing segmentation with privilege controls so stolen access cannot spread freely.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0008 , Lateral Movement; TA0004 , Privilege Escalation | The report centers on stopping attacker movement after initial access. |
| NIST CSF 2.0 | PR.AC-4 | Segmentation supports access control and path restriction inside trusted environments. |
| NIST SP 800-53 Rev 5 | AC-4 | Information flow enforcement is the control family most aligned to microsegmentation. |
| CIS Controls v8 | CIS-6 , Access Control Management | Microsegmentation complements access control management by constraining internal paths. |
| NIST AI RMF | MANAGE | Autonomous and workload-driven environments need governable containment controls. |
Map segmentation controls to lateral movement paths and test whether privilege escalation still enables internal spread.
Key terms
- Microsegmentation: Microsegmentation is a security approach that divides an environment into small, policy-defined zones to limit who or what can communicate across them. It is used to reduce attack surface and contain compromise, especially inside cloud, data centre, and hybrid infrastructure where east-west movement is the main risk.
- Lateral Movement: Lateral movement is the stage of an intrusion where an attacker expands from one compromised system to others inside the environment. In practice, it is often enabled by overly broad internal trust, weak access boundaries, or insufficient segmentation, which is why containment controls matter after initial access has already occurred.
- Blast Radius: Blast radius describes how far an incident can spread before it is contained. Security teams use the term to measure the practical impact of access, segmentation, and privilege controls, because reducing blast radius is often more valuable than trying to prevent every initial foothold.
What's in the full report
Zero Networks' full report covers the operational detail this post intentionally leaves for the source:
- Survey breakdowns on why 95% of respondents rate microsegmentation as highly important.
- Capability priorities such as automated asset discovery, automated policy creation, and MFA integration.
- Practitioner views on deployment simplicity, scalability, compliance, and breach containment.
- Quoted field experience on how segmentation changes attack surface and lateral movement outcomes.
Deepen your knowledge
NHI Mgmt Group’s NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, and secrets management. It helps practitioners connect access control decisions to the operational realities of hybrid infrastructure and privileged automation.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org