By NHI Mgmt Group Editorial TeamPublished 2026-04-28Domain: Cyber SecuritySource: Elisity

TL;DR: Omdia’s 2025 survey of 352 security decision-makers found that 99% of organisations are implementing or planning microsegmentation, but only 9% say more than 80% of critical systems are protected, while nearly half experienced lateral movement in the last 12 months. The real constraint is architectural: policies tied to network location do not scale to identity-driven, heterogeneous environments.


At a glance

What this is: This analysis shows that microsegmentation adoption is near universal, but completion is rare because legacy policy models cannot keep pace with modern enterprise identity and endpoint complexity.

Why it matters: For IAM, PAM, and NHI teams, the lesson is that segmentation only reduces lateral movement when it can follow identity, not just IP location or network zone.

By the numbers:

👉 Read Elisity’s analysis of the microsegmentation say-do gap and identity-based policy


Context

Microsegmentation is meant to limit east-west movement by narrowing which devices, workloads, or users can talk to one another. In practice, many programmes still express policy through network constructs such as IP addresses, VLANs, and subnets, which makes the control brittle when assets move or identities change.

The article’s identity angle is direct: once policy depends on device identity, user identity, and continuous verification, microsegmentation becomes part of identity governance rather than a pure network exercise. That matters for teams running IAM, NHI, and Zero Trust programmes because lateral movement is often an identity failure after initial access, not just a network problem.

Omdia’s findings are typical of the market’s current state, not an outlier. High intent with low completion is the norm whenever segmentation is asked to cover heterogeneous estates that include IT, OT, IoT, and cloud-connected workloads.


Key questions

Q: What breaks when microsegmentation is not based on identity?

A: Network-based microsegmentation breaks when assets move, readdress, or span heterogeneous environments because the policy is tied to location rather than durable identity. Teams then widen rules to avoid outages, which erodes least privilege and leaves lateral movement paths open. The failure is usually operational, not conceptual: the control works in pilots but loses precision at scale.

Q: Why do segmentation projects stall in large enterprises?

A: They stall because the control burden grows faster than the team can author, test, troubleshoot, and change policy. Large environments contain IT, OT, IoT, and cloud-connected assets with different constraints, so one rule model does not fit all. If discovery is incomplete or the architecture depends on agents everywhere, the rollout stops at the hardest assets.

Q: How do teams know whether microsegmentation is actually working?

A: Teams should look for completed coverage of critical systems, stable enforcement across device moves, and a falling number of exception rules created to preserve business continuity. If policy changes routinely take many hours, if visibility is incomplete, or if critical systems remain unprotected, the programme is not delivering real segmentation.

Q: Who should own microsegmentation when identity is part of the policy model?

A: Ownership should be shared across network, IAM, and security architecture teams because the policy now depends on identity sources as much as on enforcement points. Network teams can implement the control, but IAM and identity governance teams are needed to keep the identity data trustworthy and the access model consistent.


Technical breakdown

Why network-based segmentation breaks under identity change

Legacy segmentation controls were built around location, not identity. Firewalls, VLANs, and ACLs assume the asset stays in a predictable place and keeps a stable network address, but modern enterprises constantly move devices, rehydrate workloads, and reassign addresses. That means the policy either breaks or gets widened to avoid outages. Once the policy widens, it stops being least privilege and becomes a tolerated exception. This is why segmentation projects often slow down after the pilot: the control model is fighting the operating model.

Practical implication: teams should treat network location as an implementation detail, not the policy primitive.

How identity-based microsegmentation changes enforcement

Identity-based microsegmentation writes policy against the identity of the device and, where relevant, the user or workload. That identity can be assembled from endpoint telemetry, directory data, CMDB records, and network behaviour, then evaluated continuously. The key technical shift is that the rule survives movement. A scanner, PLC, or engineering workstation can change network position without changing what it is authorised to reach. This is a closer fit to Zero Trust Architecture because access is continuously re-evaluated instead of assumed from placement.

Practical implication: teams should map segmentation rules to identity sources that remain stable across network changes.

Why agentless coverage matters for OT, IoT, and medical devices

Agent-based microsegmentation works when you can install software everywhere. In many enterprises, that assumption fails across OT, IoT, and IoMT fleets, where devices may not support agents or cannot tolerate them. Agentless enforcement avoids that constraint by applying policy at existing infrastructure points such as switches and access points. That does not remove the need for discovery and classification, but it does remove the deployment blocker that leaves a large asset population outside the segmentation boundary.

Practical implication: teams should verify whether their segmentation design can cover devices that cannot host agents before committing to rollout.


Threat narrative

Attacker objective: The attacker’s objective is to spread beyond the first compromised asset and reach higher-value systems with minimal resistance.

  1. Entry occurs through a compromised endpoint or workload that already has valid network presence inside the enterprise.
  2. Escalation happens when the attacker uses legitimate east-west paths that segmentation does not distinguish from normal business traffic.
  3. Impact is achieved by moving laterally to additional systems because the policy model cannot reliably bind access to durable identity.

NHI Mgmt Group analysis

Microsegmentation has become an identity governance problem, not just a network design problem. The article’s core evidence is that policy tied to network location stalls when devices move and identities remain the only stable control point. For IAM and PAM teams, that means segmentation should be evaluated as part of access governance, not as an isolated infrastructure project. The practitioner conclusion is that identity must become the policy primitive if lateral movement is to be reduced in real environments.

There is a clear say-do gap in the market, and it mirrors the NHI challenge seen elsewhere in security operations. Organisations can plan controls widely, yet still fail to finish them where heterogeneous assets and operational exceptions dominate. That pattern is familiar in NHI programmes too, where visibility exists but durable enforcement does not. The practitioner conclusion is that completion metrics matter more than architecture aspirations.

Identity-based microsegmentation is best understood as continuous policy evaluation for assets that never stay still. The strongest architectures do not depend on a stable subnet, a fixed IP, or a long-lived trust zone. They bind enforcement to identity signals that can survive movement, replacement, and reclassification. The practitioner conclusion is that Zero Trust programmes should measure whether policy follows identity across change, not just whether a tool is deployed.

Device visibility is the named concept that explains why many programmes fail before enforcement even begins. If 44% of respondents see visibility as a critical gap, then the problem is not only policy authoring but incomplete knowledge of what exists, where it lives, and what it should reach. That is directly relevant to NHI governance as well, where unknown or unmanaged identities create the same blind spot. The practitioner conclusion is that discovery quality is a control, not a prerequisite.

Microsegmentation maturity will increasingly be judged by coverage of unmanaged and hard-to-instrument assets. The category’s future is not about whether enterprises like the idea, but whether they can enforce it across OT, IoT, IoMT, and cloud-connected environments without redesigning the network each time. That changes buying criteria, architecture reviews, and programme accountability. The practitioner conclusion is that broad coverage should be the default test of success.

What this signals

Device visibility will become the gating control for identity-based segmentation programmes. The article shows that policy quality depends on whether the organisation can actually see every endpoint, workload, and unmanaged asset before it tries to constrain them. For readers, that means inventory accuracy and identity correlation will be as important as enforcement technology, especially where NIST SP 800-53 Rev 5 Security and Privacy Controls and MITRE ATT&CK Enterprise Matrix are used to justify lateral movement reduction.

Identity-based microsegmentation should be measured as a control outcome, not a deployment milestone. If critical systems remain outside the policy boundary, the programme has not reduced blast radius in a meaningful way. Readers should track protected coverage, exception growth, and policy-change effort as indicators of whether the architecture is actually converging.

Microsegmentation programmes that ignore identity governance will keep recreating the same access blind spots. Once enforcement depends on who or what a device is, IAM and NHI teams must be in the operating model from the start. That is the practical bridge between network security and identity security, and it is where the next phase of Zero Trust work will be won or lost.


For practitioners

  • Define segmentation policy in identity terms Replace subnet and VLAN centric rules with policies expressed in device identity, workload identity, or user role where those signals are durable enough to survive network movement.
  • Audit coverage gaps across unmanaged assets Map which OT, IoT, and IoMT devices cannot host agents and verify whether your current segmentation design can still enforce policy on those assets.
  • Measure completion, not just deployment Track the percentage of critical systems actually protected, the time required for each policy change, and the number of exceptions created to keep production running.
  • Tie segmentation to continuous verification Align policy evaluation with Zero Trust Architecture so that access decisions are rechecked when identity, posture, or network context changes.
  • Bring identity teams into segmentation design Involve IAM and NHI owners early so that directory data, asset inventories, and service identity information are available when policy is authored.

Key takeaways

  • The article shows that microsegmentation adoption is widespread, but completion remains the real failure point.
  • The scale of the gap is clear: near-universal intent coexists with low coverage and persistent lateral movement.
  • Identity-based policy, complete discovery, and continuous verification are the controls most likely to close the gap.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0008 , Lateral Movement; TA0006 , Credential AccessThe article centres on limiting east-west attacker movement after initial access.
NIST CSF 2.0PR.AC-4Segmentation is an access control problem tied to least privilege and network trust boundaries.
NIST SP 800-53 Rev 5AC-4AC-4 governs information flow enforcement, which is the core function of segmentation policy.
NIST Zero Trust (SP 800-207)The article explicitly frames microsegmentation as a Zero Trust pattern.
CIS Controls v8CIS-5 , Account ManagementIdentity-based segmentation depends on trustworthy identity and access data feeding the policy model.

Map segmentation gaps to lateral movement paths and tighten policy where attackers can reuse valid traffic patterns.


Key terms

  • Identity-based microsegmentation: Identity-based microsegmentation is a policy model that controls communication using device, workload, or user identity rather than network location. It keeps rules durable when assets move, readdress, or change form, which makes it more suitable for heterogeneous estates than subnet-based approaches.
  • Lateral movement: Lateral movement is an attacker’s movement from one compromised asset to others inside the environment after initial access. It is often enabled by broad internal trust, weak policy boundaries, or rules that cannot distinguish legitimate traffic from malicious reuse of valid paths.
  • Device visibility: Device visibility is the organisation’s ability to discover, classify, and continuously track the assets connected to its environment. In segmentation programmes, visibility is not just monitoring. It is the input that determines whether policies are precise, complete, and safe to enforce.
  • Zero Trust Architecture: Zero Trust Architecture is a security model that assumes breach and requires continuous verification rather than implicit trust from network placement. In segmentation work, it shifts enforcement toward identity, context, and policy evaluation at the point of access.

What's in the full report

Elisity's full blog covers the operational detail this post intentionally leaves for the source:

  • The survey’s full breakdown of deployment stall points across manufacturing and healthcare environments.
  • The detailed comparison of legacy segmentation methods, including where VLANs, ACLs, NAC, and overlays break down operationally.
  • The rollout pattern for identity-based microsegmentation across heterogeneous IT, OT, IoT, and IoMT estates.
  • The article’s deployment examples and product-specific implementation context for teams past the strategy stage.

👉 Elisity’s full post includes the survey data, architectural comparison, and rollout context behind the findings.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, and secrets management. It gives identity and security practitioners a common operating model for access, lifecycle, and privilege decisions across modern environments.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org