TL;DR: Microsegmentation projects often fail because organisations cannot accurately discover devices, redesign networks without downtime, or sustain identity-based policy enforcement, according to Elisity. The governance problem is not just segmentation mechanics, but the operational gap between asset visibility, business continuity, and enforceable access boundaries.
NHIMG editorial — based on content published by Elisity: Why I Joined Elisity as Field CTO, Making Microsegmentation Actually Work
By the numbers:
- 70% of successful breaches involve lateral movement tactics.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should security teams implement microsegmentation without disrupting operations?
A: Security teams should phase microsegmentation around high-value zones first, use existing network infrastructure where possible, and validate each policy change against business workflows before expanding scope.
Q: Why do unmanaged devices make segmentation harder to govern?
A: Unmanaged devices make segmentation harder because policy cannot be trusted when ownership, classification, and expected behaviour are unclear.
Q: What breaks when identity-based segmentation is built on incomplete asset data?
A: When asset data is incomplete, segmentation tends to over-permit to avoid outages or under-permit and break business services.
Practitioner guidance
- Build segmentation from a complete asset inventory Start by reconciling IT, OT, IoT, and IoMT assets into one classification model before you define enforcement zones.
- Tie microsegmentation to identity governance Map device and workload policies to accountable identity sources, including service accounts and privileged access paths, so segmentation decisions can be reviewed and audited.
- Prioritise non-disruptive enforcement paths Use implementation approaches that avoid full network redesigns and production downtime, especially in operational and clinical environments.
What's in the full article
Elisity's full post covers the operational detail this post intentionally leaves for the source:
- How the platform discovers and classifies unmanaged IoT, OT, and IoMT devices in live environments
- The implementation claim that segmentation can be applied in days rather than months using existing infrastructure
- The reported containment and cost outcomes that support the field CTO's argument
- The vendor's view of how identity-based policy is applied across the network without redesigning VLANs
👉 Read Elisity's perspective on making microsegmentation work in production environments →
Microsegmentation and asset visibility: what IAM teams should notice?
Explore further
Microsegmentation fails most often as a governance problem, not a packet-filtering problem. The article describes implementation friction, but the deeper issue is that security teams cannot govern what they cannot accurately map to business context. Identity-based policy only works when asset discovery, ownership, and lifecycle data are reliable. For practitioners, the real question is whether segmentation can be audited as a control, not merely demonstrated as a tool.
A question worth separating out:
Q: Who should be accountable for microsegmentation outcomes?
A: Accountability should sit jointly with network security, the operational owners of the systems being segmented, and the risk function that validates business impact. If the control is tied to identity sources and operational dependencies, then accountability must also cover the data used to define policy. That is what makes segmentation auditable and sustainable.
👉 Read our full editorial: Microsegmentation fails when asset visibility and identity policies lag