The programme leaves its highest-risk assets outside the containment model. In practice, that means cameras, PLCs, infusion pumps, and other unmanaged devices remain reachable through flat or over-permissive paths, which gives attackers a lateral movement corridor even when servers are well controlled.
Why This Matters for Security Teams
microsegmentation is often treated as a server protection control, but unmanaged devices usually sit outside the policy plane. That creates a blind spot where traffic can still move from a compromised endpoint or adjacent segment into equipment that cannot run an agent, enforce EDR, or participate in normal identity workflows. For security leaders, the issue is less about perfect isolation and more about whether the containment model actually reaches the assets most likely to be overlooked.
The operational risk is straightforward: if cameras, PLCs, infusion pumps, building systems, or lab equipment are reachable on permissive paths, an attacker can pivot even when core workloads are tightly governed. This weakens NIST Cybersecurity Framework 2.0 outcomes around asset management, network protection, and recovery planning because the control boundary is incomplete. It also undermines incident scoping, since responders cannot assume that restricted server zones are actually isolated from unmanaged endpoint.
Practitioners often miss this until an intrusion uses a seemingly low-value device as a bridge into a more sensitive enclave rather than being stopped at the first hop.
How It Works in Practice
Effective microsegmentation depends on accurate asset discovery, trusted traffic policy, and enforcement points that can actually see the traffic. Unmanaged devices complicate each of those steps because they may not support host-based controls, authentication agents, or telemetry that feeds policy decisions. As a result, containment usually has to move down the stack to the network, switch, firewall, wireless controller, or industrial gateway layer.
In practice, teams need to classify unmanaged devices by function and risk, then decide whether to isolate them into dedicated zones, broker their communications through specific jump paths, or restrict them to a small allowlist of protocols and destinations. The CISA Zero Trust Maturity Model is useful here because it reinforces the idea that segmentation should be enforced consistently across identities, devices, applications, and data paths, not only where an agent can run.
A workable design usually includes:
- Passive discovery for unmanaged assets so the inventory is not dependent on endpoint tooling.
- Dedicated network segments for device classes that cannot authenticate like managed hosts.
- Strict east-west filtering between user networks, server zones, and operational technology.
- Explicit monitoring for unexpected device-to-device or device-to-server flows.
- Documented exception handling where clinical, safety, or industrial constraints limit isolation.
This is where identity and access design still matter. Even when a device is unmanaged, the administrative paths to it, the maintenance accounts used on its management interface, and the jump hosts that reach it should still be governed through PAM and strong authentication. For environments with clinical or industrial uptime constraints, best practice is evolving toward policy-based containment that preserves safety, but there is no universal standard for this yet. These controls tend to break down in brownfield OT networks with legacy broadcast dependencies because segmentation can interrupt essential device discovery and control traffic.
Common Variations and Edge Cases
Tighter segmentation often increases operational overhead, requiring organisations to balance containment against uptime, vendor support, and safety constraints. That tradeoff becomes more pronounced when unmanaged devices were deployed before the current security architecture and cannot be retrofitted with agents, certificates, or modern authentication.
In healthcare, building management, manufacturing, and utilities, the usual answer is not full isolation but compensating controls: protocol-specific filtering, jump-server access, dedicated maintenance windows, and tighter monitoring of privileged pathways. In these cases, the control objective is to reduce lateral movement probability rather than eliminate every reachable path. Guidance from CISA sector guidance is especially relevant when uptime or physical safety limits the ability to segment aggressively.
There are also edge cases where unmanaged does not mean ungoverned. Some devices can be placed behind network access controls, proxy services, or device-aware gateways that supply a practical trust boundary even without an endpoint agent. The key is to validate that the enforcement point is actually authoritative for the traffic path. If the device can still be reached through alternate routes, the segmentation design is only partially effective. For regulated environments, current guidance suggests documenting these exceptions explicitly, because auditors and incident responders need to know where the containment model stops and what compensating controls apply.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-5 | Segmentation failure exposes assets through uncontrolled network paths. |
| NIST Zero Trust (SP 800-207) | SC-3 | Zero Trust requires resource isolation even when endpoints are not trusted. |
Treat unmanaged devices as untrusted resources and constrain every access path explicitly.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org