VLANs break down because they group devices by location rather than by trust, and they usually allow broad east-west communication inside the same segment. If one camera is compromised, the attacker can often scan and pivot to every other device in that zone. That makes VLANs useful for organisation, but weak for containment.
Why This Matters for Security Teams
VLANs are often treated as a containment control, but they are primarily a network segmentation tool, not an identity boundary. That distinction matters because IoT devices rarely behave like fixed, predictable endpoints. Cameras, printers, badge readers, and building sensors often share firmware patterns, default services, and vendor dependencies that make lateral movement easy once one device is exposed. NHI Management Group’s research shows why this is dangerous in practice: 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and broad trust zones amplify that same failure mode in device fleets. See Ultimate Guide to NHIs for the governance gap behind these exposures, and pair that with the NIST Cybersecurity Framework 2.0 to anchor segmentation in risk management rather than convenience. In practice, many security teams discover VLAN weakness only after one compromised device is used to enumerate everything else in the same broadcast domain.How It Works in Practice
A VLAN can reduce accidental traffic and create administrative order, but it does not prove device identity, restrict tool use, or stop a trusted endpoint from abusing allowed east-west access. If the device can talk to peers, the attacker can usually talk too once the device is compromised. That is why modern IoT containment needs identity-aware controls layered above the network. Effective practice usually combines:- Device identity enrollment, so each endpoint is authenticated before it is trusted on the network.
- Per-device or per-role policy, so a camera can reach only its recorder, broker, or management service.
- Microsegmentation or software-defined access, so allowed traffic is explicit rather than implicit inside the VLAN.
- Continuous monitoring for unusual east-west patterns, including scans, DNS abuse, and new peer discovery.
- Credential and secret hygiene, because many IoT compromises become far worse when long-lived tokens or shared admin credentials are reused.
Common Variations and Edge Cases
Tighter segmentation often increases deployment and operational overhead, so organisations must balance containment against manageability and vendor compatibility. That tradeoff is especially visible in industrial IoT, building automation, and OT-adjacent environments where devices may not support modern agents, certificates, or frequent re-enrollment. Best practice is evolving, but the common edge cases are clear:- Legacy devices that cannot support 802.1X or per-device certificates may need compensating controls such as strict ACLs, monitored jump hosts, and dedicated management networks.
- Vendor cloud dependencies can bypass local VLAN assumptions if the device maintains outbound control channels or receives remote updates.
- Shared services inside a VLAN, such as NTP, DNS, or telemetry collectors, can become high-value pivot points if they are not isolated.
- Guest, contractor, and third-party maintenance access often introduces the biggest gap, because temporary access is rarely revoked with the same discipline as network placement.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | IoT devices behave like NHIs and need lifecycle and access controls. |
| CSA MAESTRO | IAM-1 | MAESTRO emphasizes identity-first control patterns over network trust. |
| NIST AI RMF | Risk-based governance applies when device behavior and exposure are dynamic. | |
| NIST CSF 2.0 | PR.AC-3 | Access enforcement should limit lateral movement inside network segments. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero Trust requires explicit, context-aware access decisions for devices. |
Inventory device identities and restrict each one to the minimum required access path.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org