Subscribe to the Non-Human & AI Identity Journal
Home FAQ Cyber Security What breaks when microsegmentation does not cover unmanaged…
Cyber Security

What breaks when microsegmentation does not cover unmanaged devices?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 11, 2026 Domain: Cyber Security

The programme leaves its highest-risk assets outside the containment model. In practice, that means cameras, PLCs, infusion pumps, and other unmanaged devices remain reachable through flat or over-permissive paths, which gives attackers a lateral movement corridor even when servers are well controlled.

Why This Matters for Security Teams

microsegmentation is often treated as a server protection control, but unmanaged devices usually sit outside the policy plane. That creates a blind spot where traffic can still move from a compromised endpoint or adjacent segment into equipment that cannot run an agent, enforce EDR, or participate in normal identity workflows. For security leaders, the issue is less about perfect isolation and more about whether the containment model actually reaches the assets most likely to be overlooked.

The operational risk is straightforward: if cameras, PLCs, infusion pumps, building systems, or lab equipment are reachable on permissive paths, an attacker can pivot even when core workloads are tightly governed. This weakens NIST Cybersecurity Framework 2.0 outcomes around asset management, network protection, and recovery planning because the control boundary is incomplete. It also undermines incident scoping, since responders cannot assume that restricted server zones are actually isolated from unmanaged endpoint.

Practitioners often miss this until an intrusion uses a seemingly low-value device as a bridge into a more sensitive enclave rather than being stopped at the first hop.

How It Works in Practice

Effective microsegmentation depends on accurate asset discovery, trusted traffic policy, and enforcement points that can actually see the traffic. Unmanaged devices complicate each of those steps because they may not support host-based controls, authentication agents, or telemetry that feeds policy decisions. As a result, containment usually has to move down the stack to the network, switch, firewall, wireless controller, or industrial gateway layer.

In practice, teams need to classify unmanaged devices by function and risk, then decide whether to isolate them into dedicated zones, broker their communications through specific jump paths, or restrict them to a small allowlist of protocols and destinations. The CISA Zero Trust Maturity Model is useful here because it reinforces the idea that segmentation should be enforced consistently across identities, devices, applications, and data paths, not only where an agent can run.

A workable design usually includes:

  • Passive discovery for unmanaged assets so the inventory is not dependent on endpoint tooling.
  • Dedicated network segments for device classes that cannot authenticate like managed hosts.
  • Strict east-west filtering between user networks, server zones, and operational technology.
  • Explicit monitoring for unexpected device-to-device or device-to-server flows.
  • Documented exception handling where clinical, safety, or industrial constraints limit isolation.

This is where identity and access design still matter. Even when a device is unmanaged, the administrative paths to it, the maintenance accounts used on its management interface, and the jump hosts that reach it should still be governed through PAM and strong authentication. For environments with clinical or industrial uptime constraints, best practice is evolving toward policy-based containment that preserves safety, but there is no universal standard for this yet. These controls tend to break down in brownfield OT networks with legacy broadcast dependencies because segmentation can interrupt essential device discovery and control traffic.

Common Variations and Edge Cases

Tighter segmentation often increases operational overhead, requiring organisations to balance containment against uptime, vendor support, and safety constraints. That tradeoff becomes more pronounced when unmanaged devices were deployed before the current security architecture and cannot be retrofitted with agents, certificates, or modern authentication.

In healthcare, building management, manufacturing, and utilities, the usual answer is not full isolation but compensating controls: protocol-specific filtering, jump-server access, dedicated maintenance windows, and tighter monitoring of privileged pathways. In these cases, the control objective is to reduce lateral movement probability rather than eliminate every reachable path. Guidance from CISA sector guidance is especially relevant when uptime or physical safety limits the ability to segment aggressively.

There are also edge cases where unmanaged does not mean ungoverned. Some devices can be placed behind network access controls, proxy services, or device-aware gateways that supply a practical trust boundary even without an endpoint agent. The key is to validate that the enforcement point is actually authoritative for the traffic path. If the device can still be reached through alternate routes, the segmentation design is only partially effective. For regulated environments, current guidance suggests documenting these exceptions explicitly, because auditors and incident responders need to know where the containment model stops and what compensating controls apply.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-5Segmentation failure exposes assets through uncontrolled network paths.
NIST Zero Trust (SP 800-207)SC-3Zero Trust requires resource isolation even when endpoints are not trusted.

Treat unmanaged devices as untrusted resources and constrain every access path explicitly.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org