By NHI Mgmt Group Editorial Team
Published 2025-09-16
Domain: Best Practices
Source: Axiad

TL;DR: Zero trust restricts access by default while microsegmentation limits lateral movement inside the network, and Axiad’s explainer argues the two work best when identity controls, authentication, and segment-level permissions are aligned. The real issue is that perimeter thinking and broad trust assumptions still leave room for unauthorized access and spread.


At a glance

What this is: Axiad explains how zero trust and microsegmentation work together to reduce unauthorized access and contain lateral movement.

Why it matters: It matters because IAM, NHI, and human identity teams all need access controls that limit blast radius, not just authenticate entry.

By the numbers:

👉 Read Axiad's explainer on zero trust and microsegmentation


Context

Zero trust and microsegmentation are often discussed together, but they solve different parts of the same identity problem. Zero trust governs whether an identity should be allowed in at all, while microsegmentation governs how far that identity can move once it is inside. For IAM teams, the challenge is not choosing one model over the other, but making sure authentication, authorisation, and network boundaries reinforce each other.

The practical gap is that many environments still rely on broad trust assumptions after initial authentication. That leaves service accounts, devices, and users with more movement and access than their task actually requires. In NHI-heavy environments, the result is not just larger access scope but a bigger lateral movement path when credentials are abused.

Axiad’s explainer frames these controls as complementary rather than interchangeable. That is the right lens for modern identity programmes, where human access, workload access, and privileged access all need different control boundaries. The strongest programmes treat segmentation as a backstop for identity failure, not a substitute for identity governance.


Key questions

Q: How should security teams use microsegmentation with zero trust?

A: Security teams should use zero trust to control whether an identity can access a resource and microsegmentation to control how far that identity can move after access is granted. The two controls work best when paired with least privilege, short-lived credentials, and explicit zone boundaries, especially for service accounts and privileged users.

Q: Why do NHIs complicate zero trust programmes?

A: NHIs complicate zero trust because many of them authenticate successfully but then operate with persistent, excessive, or poorly reviewed access. Zero trust can validate the session, but it does not fix over-permissioned service accounts, long-lived secrets, or weak lifecycle governance. Without NHI discipline, the trust model is only partially enforced.

Q: What breaks when microsegmentation is implemented without identity governance?

A: Microsegmentation without identity governance often leaves the root problem untouched: identities still have too much legitimate access. An attacker or insider can simply use the permissions already granted to move within allowed zones. That means segmentation may slow lateral movement, but it will not prevent privilege misuse or entitlement drift.

Q: How do IAM teams know whether zero trust and segmentation are actually working?

A: Teams should test whether authenticated identities are constrained to the exact resources they need and whether a compromise can be contained to a small zone. If service accounts can still reach sensitive systems broadly, or if lateral movement succeeds despite segmentation, the controls are not operating as intended.


Technical breakdown

Zero trust in identity-driven access decisions

Zero trust is an access model that verifies identity and context before granting entry to a resource. In practice, that means authentication is only the first gate. Authorisation must still be scoped to the minimum needed for the session, the device, and the workload. For IAM teams, the important point is that zero trust is not a network product. It is a policy model that should be enforced consistently across humans, NHIs, and machine-to-machine access paths.

Practical implication: map every access path to a least-privilege policy and remove any assumption that authenticated means trusted.

Microsegmentation as blast-radius control

Microsegmentation breaks the network into smaller security zones so that compromise in one area does not automatically expose the rest. Unlike traditional network segmentation, the control objective is not resource separation but restriction of movement between trust zones. This matters most when an identity or host is already inside the environment. If a credential is stolen or a workload is compromised, segmentation can limit what the attacker can reach next, reducing the scale of the incident.

Practical implication: place high-value systems and sensitive workloads in tightly controlled zones with explicit east-west access rules.

Why zero trust and microsegmentation fail when identity scope is too broad

These controls only work when identity scope is already disciplined. If a service account has excessive privileges or a human account can access too many segments, the attacker simply uses legitimate access more efficiently. That is why identity governance, credential hygiene, and segmentation have to be designed together. The network can slow lateral movement, but it cannot compensate for poorly governed identity entitlements or long-lived secrets that should not exist in the first place.

Practical implication: review NHI and privileged access first, then use segmentation to contain what remains unavoidable.


Threat narrative

Attacker objective: The attacker aims to turn one valid identity foothold into broader access across the environment and reach sensitive systems or data.

  1. Entry occurs when an attacker or compromised identity reaches a valid authentication point and gains initial access to a trusted resource. Zero trust is meant to narrow that entry, but broad entitlement still creates a path in.
  2. Escalation happens when the identity can move beyond its intended role because permissions are too wide and segments are not tightly isolated. Microsegmentation is supposed to stop that movement, but weak policy design leaves gaps.
  3. Impact follows when lateral movement reaches sensitive systems or data and the attacker can operate across trust boundaries with little resistance. The result is a larger breach footprint and more difficult containment.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Zero trust without identity governance is only partial containment. The model assumes access is continuously evaluated, but that breaks down if identities are over-permissioned or secrets remain long-lived. In NHI-heavy environments, the control problem is not just login assurance; it is entitlement scope across the session. Practitioners should treat identity governance as the enforcement layer that makes zero trust credible.

Microsegmentation is a blast-radius control, not a substitute for privilege design. It limits where compromised access can go, but it does not fix the reason the identity had access in the first place. That distinction matters for service accounts, API keys, and privileged operators, where broad permissions often survive long after the original use case has changed. Practitioners should align segmentation boundaries with actual identity purpose.

Identity blast radius: when access scope, credential lifetime, and network reach are all larger than the task requires, the breach domain expands even if authentication is strong. This is the governing concept behind the article’s logic. Zero trust reduces initial trust, microsegmentation reduces movement, and identity governance reduces the number of places an identity can legitimately touch. Practitioners should manage all three as one control plane.

Service accounts expose the weakness in purely perimeter-based thinking. They often authenticate successfully, then operate with permissions that no human reviewer would consider acceptable for long periods. The result is a governance gap between issuance and containment, where network controls can only slow misuse after the fact. Practitioners should audit service account reach as a first-class risk.

Human identity lessons do not transfer cleanly to non-human access. Passwordless authentication, MFA, and user verification improve the human side of the programme, but they do not resolve NHI sprawl or over-privilege. A mature identity strategy has to separate interactive trust from machine trust while still enforcing consistent policy outcomes. Practitioners should stop treating all identities as if they fail in the same way.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most teams cannot verify whether segmentation or zero trust policies are even aligned to real identity scope.
  • To go deeper, 52 NHI Breaches Analysis shows how identity misuse turns broad access into real-world incident impact.

What this signals

Identity blast radius will become the practical test for zero trust programmes. If an authenticated identity can still reach too many systems, then the programme has shifted the control problem but not solved it. The next step for practitioners is to align policy, segmentation, and lifecycle governance around the smallest reachable trust zone, not the largest allowed one.

With 90% of IT leaders saying NHI management is essential for zero-trust implementation, the market signal is clear: segmentation and identity policy are converging. Teams that separate them will keep finding gaps between access approval and movement containment.

The strongest programmes will treat human and machine access differently while enforcing the same containment principle. That means identity review, secret hygiene, and network zoning have to be measured together, because one weak layer can nullify the rest. Practitioners should prepare for audits that ask not just who can log in, but where that identity can go after login.


For practitioners

  • Map identity scope to network zones: Document which human and non-human identities can reach which segments, then remove broad east-west access that has no current business justification. Treat every segment crossing as an authorisation decision, not just a routing path.
  • Reduce standing privilege before tuning segmentation: Review service accounts, API keys, and privileged accounts for excess access, then shrink entitlements before relying on microsegmentation to contain misuse. Segmentation works best when the identity itself is already narrow.
  • Tie zero trust policy to identity lifecycle events: Link provisioning, role changes, offboarding, and secret rotation to the same access policy logic so stale identity rights do not outlive the purpose they were granted for.
  • Test containment from the attacker’s view: Simulate credential abuse and lateral movement across segments to confirm that one compromised identity cannot reach sensitive systems through legitimate but excessive access paths.
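The identity blast-radius reasoning in the technical breakdown and the first two practitioner items above (map identity scope to zones, shrink entitlements before relying on segmentation) can be turned into a repeatable check. The following is an added example, not code from Axiad or NHI Mgmt Group: it treats a segment crossing as reachable only when the east-west rule allows it and the identity is also entitled to the destination zone, then reports reach beyond the task's needs and long-lived secrets. The zone names, segment rules, identities and the 90-day secret-age threshold are constructed assumptions.

```python
"""Identity blast-radius check combining the three factors the article names:
entitlement scope, network reach (segment policy) and credential lifetime."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Identity:
    name: str
    home_zone: str          # zone the identity operates from
    entitlements: set[str]  # zones it holds valid permissions for
    task_zones: set[str]    # zones its current purpose actually requires
    secret_age_days: int    # age of its credential, key or token


# Directed east-west rules: source zone -> zones it may reach. Constructed sample.
SEGMENT_POLICY = {
    "web": {"app"},
    "app": {"db", "ops"},
    "ops": {"db", "backup"},
    "db": set(),
    "backup": set(),
}

# Constructed sample identities (assumptions, not real accounts).
SVC_REPORT = Identity("svc-report", "app", {"db", "ops", "backup"}, {"db"}, 400)
SVC_WEB = Identity("svc-web", "web", {"app"}, {"app"}, 30)


def reachable_zones(identity: Identity, policy: dict[str, set[str]]) -> set[str]:
    """Zones the identity can legitimately reach: a hop counts only when the
    segment rule permits it AND the identity is entitled to the destination."""
    seen = {identity.home_zone}
    queue = deque([identity.home_zone])
    while queue:
        zone = queue.popleft()
        for nxt in policy.get(zone, set()):
            if nxt in identity.entitlements and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius_findings(identity: Identity, policy: dict[str, set[str]],
                          max_secret_age_days: int = 90) -> list[str]:
    """Report reach beyond the task's zones and secrets older than the threshold."""
    reach = reachable_zones(identity, policy)
    findings = []
    excess = reach - identity.task_zones - {identity.home_zone}
    if excess:
        findings.append(f"excess reach: {sorted(excess)}")
    if identity.secret_age_days > max_secret_age_days:
        findings.append(f"long-lived secret: {identity.secret_age_days}d")
    return findings


if __name__ == "__main__":
    for ident in (SVC_REPORT, SVC_WEB):
        print(ident.name, blast_radius_findings(ident, SEGMENT_POLICY) or "ok")
```

Shrinking svc-report's entitlements to the single zone its task needs removes the excess-reach finding without changing a segment rule, which is the ordering the second practitioner item argues for.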

Key takeaways

  • Zero trust and microsegmentation solve different parts of the same problem, but neither compensates for over-permissioned identities.
  • The scale of the identity gap is already material, with excessive privilege and low service account visibility leaving broad room for lateral movement.
  • Practitioners should align identity lifecycle, least privilege, and segmentation so containment starts at the identity layer, not after compromise.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | Access permissions must stay aligned to least privilege across zones.
NIST Zero Trust (SP 800-207) | | Zero trust requires continuous verification and scoped access decisions.
OWASP Non-Human Identity Top 10 | NHI-03 | NHI credential scope and lifecycle are central to blast-radius reduction.

Apply zero trust policy so every resource request is evaluated against identity and context.


Key terms

  • Zero Trust: A security model that assumes no identity is trusted by default, even after it authenticates. Access is granted only after verification and should stay as narrow as possible for the session, resource, and context involved.
  • Microsegmentation: A network control approach that divides environments into small security zones with explicit rules between them. Its purpose is to limit lateral movement and reduce blast radius when an identity, workload, or device is compromised.
  • Identity Blast Radius: The number of systems, data stores, and trust zones an identity can legitimately touch if it is abused. For NHIs, blast radius is usually driven by privilege scope, secret lifetime, and whether access boundaries are tied to lifecycle events.

Deepen your knowledge

Zero trust, microsegmentation, and non-human identity governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is trying to align access control with containment, it is a practical place to start.

This post draws on content published by Axiad: Zero Trust and Microsegmentation: An Explainer. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org