COMMENTARY: Microsegmentation has a scaling problem, and AI has been sold as the answer. AI-assisted policy generation, anomaly detection, behavioral analysis, and automated change recommendations: each promises it can solve the challenge of segmentation at scale.But that’s only half right. The capabilities are real, and they will reduce manual effort in narrow tasks. But they can’t address the underlying condition that has made microsegmentation operationally difficult in the first place: not the speed of policy creation, but the absence of any coherent governance for the policy being created.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]The technology does what it’s been designed to do. Visibility into east-west traffic has improved. Enforcement has become more granular than ever. Identity-aware controls are now being applied at workload level in places where, only a few years ago, broad network zones were the only option. That progress has produced a volume of policy now expanding faster than security teams can govern it.There are two ways to respond. We can wait for AI to mature into something that it could never evolve into: a system that can independently govern policy at the speed it produces it. Or, we can build the governance discipline first – across microsegmentation, firewalls, cloud security groups, SASE, and ZTNA – and let AI accelerate good decisions instead of bad ones.What microsegmentation actually generatesA microsegmentation deployment operates as a policy-generation engine. Every new workload boundary creates a policy artifact teams must define, justify, and maintain for as long as the workload exists. In a small estate, it’s straightforward; in a multi-cloud, container-heavy environment, it’s not.Applications get refactored on shorter cycles than the policies that govern them, which means the rule set almost always describes a slightly older version of the environment than the one actually running. Access provisioned for a particular project under deadline tends to become permanent – the cost of revisiting and unwinding it later is higher than the cost of leaving it in place – so the estate accumulates exceptions and inherited assumptions where no individual rule looks problematic in isolation.We’re looking at the policy surface in active expansion. It’s an echo of the attack surface – the sum of devices, identities, and workloads that an adversary could exploit – but applied to a different layer of the environment. The policy surface represents the sum of access decisions an organization has to govern: every rule written, every exception granted, every boundary stood up under deadline pressure that’s never revisited afterwards. Left unmanaged, it stops reflecting deliberate decisions and starts reflecting accumulated history. The more granular the segmentation, the more pronounced the effect.What AI actually changesAI does not reduce the volume of policy in the environment. It accelerates the rate at which policy gets produced, altered, and applied – and speed, without governance underneath it, cuts both ways. When policies evolve faster than human reviewers can understand them, validation lags even further behind enforcement. This lets the consequences of a misconfigured access decision propagate quickly and without obvious signal. Drift that used to take months to accumulate now builds up in days.Most security organizations hesitate about handing segmentation decisions to AI is not because of the model’s capability. Segmentation decisions are contextual; they depend on business intent, application criticality, compliance obligations, and the specific risk tolerance of the organization involved. AI can analyze patterns and identify anomalies, and it can infer likely intent from tickets, labels, and application flows. But it cannot attest that a policy reflects business intent, risk tolerance, or regulatory obligation, which means it can suggest a policy is plausible, but not guarantee it’s correct.I’m not making an argument against AI in microsegmentation. It’s an argument about order. Policy governance represents the precondition that makes AI's contribution trustworthy at the speed it operates.We’re not debating whether enforcement is good enough or whether AI capabilities will continue to improve. Both will. But policy control has remained stubbornly fragmented: the discipline of governing how policy behaves coherently across the entire enforcement estate.Most security teams are stitching that governance together by hand, across an architecture that was never designed for centralized governance. Firewalls operate under one policy model, cloud security groups under another, and microsegmentation platforms maintain their own. Identity systems, compliance tooling, and change management workflows each carry partial views of the same underlying intent, and reconciling them requires a manual exercise that scales badly with the size of the estate. It produces fragmented control over a question that’s fundamentally unified: who gets access what, under which conditions, and with what assurance that the answer reflects deliberate intent rather than inherited history.Here's where the conversation has moved in more mature security organizations. We no longer ask: "How do we segment more?" Teams now ask: "How do we ensure that policy gets governed coherently across every layer enforcing it?"Treat policy as the control planeAnswering that question requires treating policy itself as a control plane independent of any single enforcement technology. Microsegmentation platforms, firewalls, and cloud security groups all enforce policy. None of them, on their own, governs intent across the others, and asking any one of them to do so misunderstands what they are for.Network security policy management (NSPM) offers the governance layer that sits above individual enforcement tools – firewalls, cloud security groups, microsegmentation platforms – to define, validate, and govern policy intent as a single control surface. It’s a straightforward discipline at its core: policy changes should reflect deliberate business and regulatory intent before they are deployed, not after they have caused drift..Microsegmentation will remain foundational to zero-trust for the foreseeable future, and AI will continue to accelerate how segmentation policy gets generated and applied. Neither of these facts changes the underlying problem: segmentation produces policy faster than it can teams can govern, and acceleration without governance does not offer a solution, but a more efficient version of the same problem.We need more than a technical change. We need a recognition that policy itself – not the enforcement layer beneath it, and not the AI accelerating it on top – needs to look at governance as a discipline in its own right. AI will not deliver that on its own. With governance underneath it, AI accelerates the proof that what’s being enforced still reflects what was intended.David Brown, senior vice president, International Business, FireMonSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
AI benefits/risks, Network Security
AI can accelerate microsegmentation, but it cannot govern policy

(Adobe Stock)
An In-Depth Guide to Network Security
Get essential knowledge and practical strategies to fortify your network security.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



