TL;DR: At Gartner SRM 2026, the recurring themes were that AI and automation are strengthening defenders, vulnerability exploitation has overtaken credential abuse as the top initial access vector at 31% of breaches, and identity-first microsegmentation is becoming the practical answer for mixed IT, OT, and unmanaged environments, according to Elisity. The governance lesson is that visibility, identity, and enforcement now have to move together, or segmentation becomes a theory rather than a control.
NHIMG editorial — based on content published by Elisity: Field Notes from Gartner SRM 2026: Four Threads I'm Still Thinking About
By the numbers:
- credential abuse, the previous leader, dropped to 13 percent.
- Full remediation of CISA Known Exploited Vulnerabilities dropped to 26 percent this year.
Questions worth separating out
Q: How should security teams implement identity-first microsegmentation in hybrid environments?
A: Start by anchoring policy to identity sources, asset type, and operational criticality, not to IP ranges alone.
Q: Why do mixed IT and OT environments break traditional segmentation assumptions?
A: Because IT and OT share neither the same tolerance for failure nor the same control objective.
Q: What should organisations measure before expanding segmentation programmes?
A: Measure what assets exist, who can reach them remotely, and which externally exposed systems still lack authentication.
Practitioner guidance
- Define identity-based segmentation boundaries Map policies to verified users, devices, and workloads, then test where network-only rules fail in legacy and OT segments.
- Make visibility a measurable control objective Track what assets exist, who is remoting into them, and which internet-facing systems lack authentication.
- Separate IT and OT enforcement logic Keep policy, management, and enforcement distinct where a false positive could interrupt care or production.
What's in the full article
Elisity's full field note covers the operational detail this post intentionally leaves for the source:
- The specific conference themes and hallway observations that shaped the four threads in the article
- The exact analyst and keynote framing behind the defender economics argument
- More detail on the identity-first microsegmentation examples from healthcare, manufacturing, and critical infrastructure
- The vendor-comparison context behind the consolidation and complexity-reduction discussion
👉 Read Elisity's field notes from Gartner SRM 2026 on identity, automation, and segmentation →
Identity-first microsegmentation: what security teams are missing?
Explore further
Identity-first controls are becoming the only segmentation model that still maps cleanly to mixed environments. Network boundaries do not describe access intent well enough when assets are unmanaged, legacy, or spread across IT and OT. Identity-led enforcement gives practitioners a control point that remains stable even when the underlying topology does not. The implication is that segmentation programmes need to be judged by identity fidelity, not by how elegant the network design looks.
A few things that frame the scale:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, which helps explain why identity-led automation is still uneven in practice.
A question worth separating out:
Q: Who should own the decision when automation changes security policy in critical environments?
A: The decision should stay with the security and operational owners who understand the consequence of a false positive or a delayed response. Automation can accelerate enforcement, but it should not become the authority that decides business impact. Governance still has to define the boundary for acceptable automated action.
👉 Read our full editorial: Identity-first microsegmentation and AI automation are converging