By NHI Mgmt Group Editorial TeamPublished 2026-05-12Domain: Cyber SecuritySource: Zero Networks

TL;DR: Security spending is projected to reach $239 billion in 2026 while globally reported data compromises hit a record high in 2025, a gap the source argues reflects weak architectural enforcement rather than weak tooling, according to Zero Networks. The practical shift is from catching attacks faster to constraining how far they can move once inside.


At a glance

What this is: This is an analysis of cyber resilience that argues containment, not detection volume, is the decisive control for limiting breach spread.

Why it matters: It matters because IAM, PAM, NHI, and network security teams all influence whether compromised access can pivot laterally, making containment a cross-programme identity and resilience issue.

By the numbers:

👉 Read Zero Networks' framework for building a self-defending network


Context

Cyber resilience is the ability to keep critical operations running when an attacker gets past the first line of defence. In this article, the primary issue is not lack of investment but lack of architectural enforcement, especially where implicit trust still allows lateral movement across internal networks.

For identity and access teams, the useful lens is containment. Microsegmentation, identity-aware access controls, and automated containment change the blast radius of a compromise, which is why resilience now intersects directly with IAM, PAM, and non-human identity governance as much as with network design.


Key questions

Q: How should security teams reduce lateral movement without disrupting business operations?

A: Security teams should reduce lateral movement by combining identity-aware segmentation, tightly scoped administrative access, and automated containment rules. The goal is not to block every internal connection, but to ensure a compromised account cannot move freely across the environment. Start with the systems and protocols that carry the most operational risk, then test whether containment preserves legitimate work.

Q: Why do detection tools alone fail to deliver cyber resilience?

A: Detection tools fail when they identify malicious activity after the attacker has already used valid access to move laterally. Resilience requires controls that limit spread in real time, not just visibility into what happened. If the environment still trusts internal traffic by default, alerts may improve awareness without reducing the blast radius.

Q: What do organisations get wrong about internal trust and Zero Trust?

A: Many organisations treat Zero Trust as a perimeter replacement rather than an internal enforcement model. That leaves east-west traffic, administrative protocols, and temporary access exceptions largely untouched. The result is a network that can authenticate access without truly constraining what that access can reach once granted.

Q: How do you know if containment controls are actually working?

A: Containment controls are working when a compromised asset cannot pivot into adjacent systems and the incident remains bounded to a small part of the environment. Measure whether policies block lateral movement automatically, whether exceptions are rare, and whether uptime remains stable during attack simulation. Alert volume alone is not a useful proof point.


Technical breakdown

Why detection-heavy security still leaves the blast radius intact

Detection and response can tell teams that an incident is underway, but they do not automatically stop an attacker from moving across the environment. A resilience programme that depends on logs, alerts, and human escalation still assumes there is time to react after access has been abused. That assumption breaks down when attackers reuse valid credentials, exploit open administrative protocols, or move faster than analysts can contain them. The result is a large blast radius even when visibility is strong.

Practical implication: measure whether control logic blocks lateral movement before relying on alerting to explain it.

How identity-aware segmentation changes internal trust

Identity-aware segmentation binds access decisions to the user, service, workload, or device rather than to a broad network segment. That matters because internal trust is often the real failure point after initial access. If a compromised account can still reach shared admin protocols, file shares, or remote management paths, the network remains permeable even if perimeter controls are solid. The architectural goal is not perfect prevention, but deterministic containment that limits where valid access can go.

Practical implication: align segmentation policy with identity and privilege boundaries, not just IP ranges.

Why automated containment matters more than manual response in resilience

Automated containment means the network can enforce policy as soon as suspicious movement appears, without waiting for a manual decision. In practice, this is what turns resilience from a recovery plan into an architectural control. The article’s framing is that businesses do not need to rely on faster restoration if the breach cannot spread in the first place. Deterministic automation is especially relevant where operational uptime matters and where temporary access exceptions tend to linger.

Practical implication: prefer policy enforcement that activates during the attack path, not after incident review.


Threat narrative

Attacker objective: The attacker aims to turn one foothold into broad internal reach, making containment expensive or impossible.

  1. Entry occurs when attackers gain valid access and find that internal trust still permits movement through common administrative paths.
  2. Escalation follows as they reuse privileged ports and weak East-West controls to expand from one host to others.
  3. Impact occurs when the blast radius turns a single compromise into a business-disrupting incident, rather than a contained event.

NHI Mgmt Group analysis

Blast-radius control is now a resilience discipline, not a network tuning exercise. The article correctly shifts the conversation away from how many tools a team owns and toward how much damage a valid compromise can cause. That is a governance problem because internal trust, privilege scope, and containment design determine whether a breach stays local or becomes enterprise-wide. For identity programmes, this means blast-radius reduction belongs in the same conversation as least privilege and lifecycle control.

Identity-aware containment is the missing bridge between IAM and cyber resilience. Traditional IAM often proves who should get access, but it does not always constrain where that access can travel once granted. That gap becomes visible when administrative protocols, service accounts, and temporary exceptions can still traverse the network after compromise. NHI Mgmt Group’s view is that containment policy should reflect identity context, not just static network topology. Practitioners should treat identity-aware segmentation as a control family, not a niche design choice.

Self-defending architecture exposes the limits of alert-centric maturity models. Many programmes can show detection coverage, yet still fail at the point that matters most: blocking spread. The article’s stage model is useful because it separates visibility from enforcement and shows why a mature log stack can coexist with weak resilience. This is especially relevant where NHI sprawl, privileged service paths, and human admin access coexist in the same environment. Teams should benchmark whether controls are preventive by design, not merely observable after the fact.

Deterministic automation is the right answer where human approval is too slow to contain spread. The article’s emphasis on human-on-the-loop automation aligns with a broader resilience lesson: if containment requires a person to interpret every event, the adversary has already bought time. That does not eliminate governance requirements, but it does change them toward pre-approved policy, bounded exceptions, and auditable enforcement logic. For practitioners, the key question is whether automation can enforce containment without creating operational blind spots.

Managed internal trust is the new control concept this article surfaces. The core failure mode is not simply missing tooling, but a network model that still assumes trusted east-west movement inside the environment. Once that assumption is challenged, microsegmentation, identity-aware access controls, and automated containment become the practical answer to resilience debt. Teams should map where trust still exists by default and remove it before attackers do.

What this signals

The practical signal for security leaders is that resilience work is moving upstream into access architecture. Teams that still rely on after-the-fact detection will keep discovering that they can see incidents clearly while failing to stop spread, which is exactly the wrong trade-off for uptime-critical environments.

Managed internal trust: this is the control gap that now separates resilient networks from merely instrumented ones. The next planning question is whether identity-aware access controls and segmentation policies are enforced by default, or only after an analyst has already intervened.

For identity programmes, the forward path is to connect access scope, administrative protocol exposure, and containment objectives in the same operating model, then benchmark those controls against the NIST Cybersecurity Framework 2.0 rather than treating network resilience as a separate discipline.


For practitioners

  • Benchmark internal blast radius Map east-west paths, open privileged ports, and identity-dependent access routes so you can see where one compromise can still spread. Use the results to prioritise containment work in the segments with the widest reach.
  • Enforce identity-aware segmentation Tie segmentation rules to user, workload, and admin identity rather than only to subnet or host location. This reduces the chance that a valid credential can pivot through shared administrative paths.
  • Close high-risk administrative protocols Review SMB, RDP, WinRM, and RPC exposure and remove standing access where the business can support it. If a protocol must remain open, wrap it in stronger authentication and containment policy.
  • Automate containment for known movement paths Predefine policy responses for suspicious lateral movement so enforcement can happen before manual triage completes. Deterministic controls are more useful than detective-only controls when uptime is at risk.
  • Measure resilience by containment outcomes Track mean time to containment, uptime during attack conditions, and blast-radius reduction instead of relying only on alert counts or response speed. These metrics better show whether the network can absorb an incident.

Key takeaways

  • The article argues that cyber resilience fails when organisations optimise for detection instead of containment.
  • The strongest evidence point is the mismatch between rising security spending and continued compromise growth.
  • Teams need identity-aware segmentation and automated containment if they want a breach to stay local.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Identity-aware access and containment map directly to access control and least privilege.
NIST SP 800-53 Rev 5AC-4Information flow enforcement is central to containment and segmentation design.
CIS Controls v8CIS-5 , Account ManagementStanding access and administrative scope are part of the resilience gap discussed.
MITRE ATT&CKTA0008 , Lateral Movement; TA0011 , Command and ControlThe article focuses on how attackers pivot and expand after initial access.
NIST Zero Trust (SP 800-207)Zero Trust architecture is the conceptual basis for removing default internal trust.

Use Zero Trust principles to eliminate implicit trust and enforce continuous access decisions.


Key terms

  • Blast Radius: The blast radius is the amount of damage an attacker can cause after gaining initial access. In practice, it describes how far compromise can spread across systems, identities, and workflows before containment stops it.
  • Identity-Aware Segmentation: Identity-aware segmentation is a control approach that grants network access based on who or what is asking, not just where traffic originates. It is used to limit lateral movement by tying enforcement to user, workload, or service identity.
  • Deterministic Automation: Deterministic automation is policy execution that produces predictable results without improvisation or model-driven guesswork. In resilience programmes, it matters because containment must happen consistently under pressure, with clear auditability and minimal human delay.

What's in the full article

Zero Networks' full post covers the operational detail this analysis intentionally leaves for the source:

  • The 5-stage resilience maturity model and how to benchmark your current containment posture.
  • The operational explanation of how microsegmentation, identity-aware access controls, and ZTNA work together in the self-defending model.
  • The article's discussion of deterministic, human-on-the-loop automation and how it is used to contain movement without adding manual overhead.
  • The security metrics Zero Networks uses to tie resilience to business outcomes, including uptime during attack conditions and mean time to containment.

👉 Zero Networks' full post covers containment architecture, resilience stages, and the business metrics behind breach limitation.

Deepen your knowledge

NHI Mgmt Group covers identity security, NHI governance, and agentic AI through the NHI Foundation Level course, the industry's only accredited NHI security programme. It helps practitioners connect access control, lifecycle governance, and privileged identity risk to the wider security programme.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org