By NHI Mgmt Group Editorial TeamPublished 2026-04-20Domain: Best PracticesSource: Elisity

TL;DR: Most enterprises still struggle to operationalise microsegmentation, with Forrester saying projects were historically prone to failure because of complexity, even as the market is projected to grow from $8.2B in 2025 to $41B by 2034, according to Exactitude Consultancy. The real shift is that identity-based, agentless enforcement now makes the control more practical, but only if teams stop treating zero trust as a perimeter problem.


At a glance

What this is: This article argues that microsegmentation is now more achievable because identity-based, agentless approaches have reduced the deployment burden that caused earlier projects to stall.

Why it matters: It matters because IAM, PAM, NHI, and zero trust programmes need interior containment controls, not just access gates at login or network entry points.

By the numbers:

👉 Read Elisity's analysis of identity-based microsegmentation and zero trust


Context

Microsegmentation is the practice of breaking the network into tightly controlled segments so devices, workloads, and systems cannot communicate freely by default. The core governance gap is that most zero trust programmes still focus on entry control, while lateral movement inside the environment remains a separate problem.

The article argues that earlier microsegmentation efforts failed because they were built around flow mapping, endpoint agents, and brittle IP-based rules. For identity practitioners, the key issue is whether access boundaries are anchored to policy and identity, or to network structure that changes faster than the controls can be maintained.


Key questions

Q: How should security teams implement microsegmentation in hybrid environments?

A: Start by anchoring policy to identity and function rather than IP address or subnet, then extend enforcement to the assets that matter most to lateral movement risk. Prioritise east-west traffic paths, validate coverage for unmanaged devices, and phase rollout so the control can be maintained without constant manual rework. The goal is containment, not perfect topology modelling.

Q: Why do zero trust programmes still need microsegmentation?

A: Because zero trust at the entry point does not stop an attacker from moving inside the network after the first foothold. Microsegmentation governs east-west traffic and limits how far compromise can spread. Without it, ZTNA can verify access while the interior remains open to lateral movement.

Q: What do organisations get wrong about microsegmentation projects?

A: They often assume the hard part is the policy logic, when the real failure mode is operational complexity. If a design depends on exhaustive flow mapping, endpoint agents everywhere, or constant manual rule maintenance, the project will usually stall before it reaches durable enforcement.

Q: What frameworks should guide microsegmentation decisions?

A: Use NIST SP 800-207 and CISA zero trust guidance to evaluate whether segmentation is actually part of the architecture, not just a network optimisation. Then align enforcement with internal containment goals so the control supports least privilege after initial access, not only at the perimeter.


Technical breakdown

Identity-based microsegmentation replaces flow mapping with policy

First-generation microsegmentation depended on exhaustive visibility into every communication path, then manual rule creation around IP addresses, VLANs, and subnets. Identity-based microsegmentation changes the policy anchor from location to device or workload identity, so a camera, server, or workload is governed by what it is allowed to do, not where it sits. That reduces the need to pre-map every relationship before enforcement starts. It also makes policy more durable when assets move, scale, or change network context. The architectural point is simple: identity turns segmentation from a static topology exercise into a governance problem that can be managed incrementally.

Practical implication: define segmentation policy around identity and function, not network location.

Why agentless enforcement matters for IoT, OT, and legacy assets

Agent-based segmentation often fails in environments that cannot support software installation, including medical devices, OT systems, and legacy endpoints. Agentless models push enforcement to the network edge using existing infrastructure, which means security can extend to unmanaged devices without waiting for endpoint software support. This is especially important where operational uptime, safety, or vendor restrictions block traditional agents. The technical advantage is coverage: the policy plane can reach classes of assets that would otherwise be excluded from the programme. Without that, segmentation becomes a partial control that leaves the most difficult devices outside the boundary.

Practical implication: validate whether your design can cover devices that cannot run agents.

Zero trust fails when east-west traffic is left ungoverned

Zero trust is often implemented as a north-south access control model, meaning it governs how users reach applications from outside the network. That leaves east-west traffic, the lateral movement between internal systems, outside the control plane. Microsegmentation closes that gap by forcing explicit policy checks for internal communications as well. NIST SP 800-207 and CISA both treat segmentation as part of a mature zero trust architecture because breach containment depends on stopping movement after initial access. In practical terms, ZTNA is not a substitute for segmentation; it is only one layer of the broader architecture.

Practical implication: map where east-west traffic still moves freely and treat that as an architectural gap.


Threat narrative

Attacker objective: The attacker aims to turn one initial foothold into broad internal reach by moving laterally to higher-value systems.

  1. Entry occurs through compromised endpoint access, a vulnerable device, or a stolen credential that gets an attacker inside the environment.
  2. Escalation happens when the attacker moves laterally across internal systems that were never segmented at sufficient granularity.
  3. Impact is the expansion of compromise from one foothold into broader access, which microsegmentation is designed to contain.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Microsegmentation is now an identity governance problem, not a network design exercise. The failed first generation was built on static topology, exhaustive flow mapping, and manual rules that could not keep pace with enterprise complexity. Once policy is anchored to identity and function, the control becomes governable across IT, OT, IoT, and hybrid environments. That shifts the decision from whether segmentation is possible to whether the organisation can operationalise identity as the enforcement layer.

The identity blast radius is the real object of control. ZTNA can reduce exposure at the point of entry, but it does not solve what happens after an attacker gets inside. Microsegmentation is the mechanism that keeps a single compromise from becoming systemic reach, which means boards and security leaders should evaluate containment capability, not just access admission. Practitioners should treat lateral movement as a governance outcome, not only a detection problem.

Agentless coverage matters because the hardest assets are often the least manageable. IoT, OT, medical, and legacy systems are precisely the devices that undermine agent-first security programmes. A segmentation strategy that excludes those classes is not complete enough to support zero trust claims. The practical implication is that architecture decisions must account for unmanaged and non-standard endpoints from the start.

Microsegmentation maturity is now measured by policy durability, not by control ambition. Many organisations already know they need segmentation, but the differentiator is whether policy can survive device movement, operational churn, and mixed infrastructure without constant manual repair. That makes the control a lifecycle issue as much as a technical one. Security teams should stop measuring intent and start measuring whether segmentation can be maintained at scale.

The market is validating the control, but validation does not equal deployment success. Growth forecasts and standards support indicate that microsegmentation has moved from niche idea to architectural expectation. That does not erase the implementation gap that stalled earlier programmes. Practitioners should re-evaluate abandoned projects only if the new design removes the old failure modes rather than repackaging them.

From our research:

  • 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to the 2024 Non-Human Identity Security Report.
  • 23.5% of security professionals are unsure about the biggest threat to their non-human identities, according to the same report.
  • Ultimate Guide to NHIs , Why NHI Security Matters Now frames the scale and urgency of the identity governance gap behind these findings.

What this signals

Identity-based segmentation will increasingly sit in the same governance conversation as NHI and workload identity. As environments add more unmanaged systems and machine actors, the boundary between access control and containment becomes harder to separate. Teams that already struggle to govern non-human access should expect the same operational friction when they try to contain east-west movement across hybrid estates.

With 35.6% of organisations citing consistent access across hybrid and multi-cloud environments as their top NHI security challenge, the lesson for microsegmentation is that policy consistency is now the hard part, not the headline architecture. The organisations that make progress will be the ones that can express containment rules once and enforce them across multiple enforcement points.

The practical next step is to evaluate whether segmentation policy can be tied to the same identity sources and governance processes that already support IAM, PAM, and workload identity. If it cannot, the control will remain brittle and expensive to operate at scale.


For practitioners

  • Re-baseline your segmentation architecture around identity Replace IP-first segmentation designs with policy models tied to device identity, workload identity, and function. That makes the control easier to maintain when assets move or scale.
  • Identify assets that cannot run agents List IoT, OT, medical, legacy, and unmanaged endpoints that would be excluded by an agent-based approach. Use that inventory to test whether your current design actually covers the full environment.
  • Measure east-west exposure explicitly Map where internal traffic still moves without policy enforcement and classify those paths by business criticality. The goal is to identify where lateral movement remains possible after initial access.

Key takeaways

  • Microsegmentation is the interior control that zero trust still needs when entry controls are not enough.
  • The old failure mode was complexity, but the modern test is whether policy can be enforced by identity across real environments.
  • Enterprises should re-open microsegmentation only if the design reaches unmanaged devices and reduces lateral movement at scale.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Identity-based segmentation aligns with managing access permissions and internal boundaries.
NIST Zero Trust (SP 800-207)The article directly frames microsegmentation as a zero trust architecture pattern.
NIST SP 800-53 Rev 5AC-4Information flow enforcement is the core control concept behind microsegmentation.
CIS Controls v8CIS-12 , Network Infrastructure ManagementSegmentation depends on controlling and maintaining network infrastructure and boundaries.
MITRE ATT&CKTA0008 , Lateral Movement; TA0004 , Privilege EscalationThe article is fundamentally about constraining attacker movement after initial access.

Treat microsegmentation as a required internal control layer in zero trust design, not an optional add-on.


Key terms

  • Identity-based microsegmentation: A segmentation approach that defines internal access by device or workload identity rather than IP address or network location. It reduces dependence on manual flow mapping and makes policy more durable as assets move, scale, or change form factor.
  • East-west traffic: Lateral communication between systems inside a network, including device-to-device and workload-to-workload connections. In practice, this is where attackers move after initial access, so it becomes a containment problem rather than a perimeter problem.
  • Agentless enforcement: A control model that applies security policy at the network edge or infrastructure layer without requiring software on every endpoint. It is especially relevant for IoT, OT, medical, and legacy systems that cannot reliably run agents.
  • Zero trust network access: An access model that verifies identity and posture before allowing a user or device to reach an application. It governs entry conditions, but it does not by itself control internal lateral movement, which is why segmentation still matters.

What's in the full article

Elisity's full post covers the operational detail this analysis intentionally leaves at the architecture level:

  • Customer-facing examples of identity-based microsegmentation in converged IT, OT, and IoT environments.
  • Specific criteria for evaluating whether a segmentation platform can work without endpoint agents.
  • Deployment considerations for teams replacing VLAN and ACL centric designs with identity-anchored policy.
  • Practical questions to ask when assessing whether microsegmentation can be rolled out in weeks rather than years.

👉 Elisity's full post covers the deployment tradeoffs, customer examples, and evaluation questions in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org