How do we protect our networks and data vaults from modern multi-vector, artificial intelligence (AI)-enhanced attackers? As Nicholas DiCola, CISSP argues, it takes more than static segmentation and perimeter firewalls; defenders need a living tapestry of controls to outmaneuver evolving tactics.

AI Month: Why Segmentation Alone Isn't Enough to Stop AI-Enhanced Attacks - Nicholas DiCola, CISSP

Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.

Around 80% of ransomware attacks now use AI, allowing attackers to hack at unprecedented speed and scale. Even voice phishing (vishing) is on track to double last year’s volume by the end of 2025. Worse: today’s hackers are orchestrating multi-vector attacks choreographed like a shape-shifting bank heist, then layering new AI capabilities on top of them to remain undetected.

In a bank heist scenario, one criminal tunnels to the vault underground, another drops in through the skylight, while a third strolls through the lobby flashing a flawless fake ID. Their AI capabilities make them increasingly, imperceptibly dangerous, allowing them to instantly swap disguises if guards get suspicious, adapt to alarms the moment they sound and coordinate automatically with each other without ever speaking out loud.

Campaigns go well beyond “smarter phishing,” combining hyper-targeted social engineering, infrastructure mapping, rapid exploitation and machine-speed automation. Security leaders across industries are reporting increasingly layered and dynamic attacks in today’s AI-enabled threat landscape. Here are three types of multi-vector, AI-enhanced attacks that my customers are now seeing.

  • AI-powered phishing → credential abuse → lateral movement
    In this case, attackers use AI to generate convincing social engineering lures such as spear-phishing emails, texts or human-like voice calls aimed at targeted users. Once credentials are stolen, attackers instantly validate them using AI-driven credential stuffing. Attackers gain a foothold, then move laterally, impersonating legitimate users and escalating privileges until they hit the jackpot – the network’s crown jewels. The attack chain comprises social engineering, identity theft and lateral movement.
  • Exploit → asset discovery → encryption and exfiltration (“Ransomware 2.0”)
    In this scenario, attackers are starting with either a phishing attack or a vulnerability exploit discovered via AI reconnaissance. AI then pinpoints high-value targets such as backups, domain controllers and sensitive data, and moves laterally to reach them. Worse, these attacks can even pivot through segmented networks by probing for misconfigurations, weak firewall rules, or vulnerable systems that bridge multiple VLANs (like backup servers, monitoring tools, or legacy applications). The AI then initiates both data encryption and stealthy exfiltration. Here, the attack chain comprises initial access, rapid asset mapping, unencumbered lateral movement and, ultimately, payload/drop.
  • Supply chain breach → rapid network mapping → custom malware
    Recently, attackers have found ways to compromise vendors or MSPs, piggybacking into their customers’ networks. Again, AI automates network reconnaissance, quickly mapping vulnerabilities and moving laterally toward them. AI then deploys polymorphic malware that customizes itself for each target environment, adapting to the victim’s network to evade detection by security tools. The attack chain in this scenario comprises third-party compromise, automated network mapping and lateral movement, and tailored exploit delivery.

There’s a clear, common element running through the attack chain in each of these: lateral movement. And here’s the important thing: by itself, segmentation isn’t enough to stop these advanced attacks.

Identity-Aware Micro Segmentation Layered with MFA Can Prevent These Attacks

Nearly half (45%) of cybersecurity professionals say their organization is not adequately prepared for AI threats, and 78% of CISOs say that AI-powered threats are already having a significant impact on their organization. Only 50% of cybersecurity professionals have confidence in traditional cybersecurity tools to detect and block these modern attacks. They are right: traditional network segmentation isn’t enough to contain attackers in the age of AI, because today’s adversaries aren’t pushing through one static barrier.

Instead, they are adapting, rerouting and linking together multiple techniques, until they find a way in. They don’t stop at the first barrier or firewall but push through multiple vectors – AI allows them to adapt when a path is blocked. My customers have experienced attacks automatically trying various paths to spread laterally through the network.

Even when segmentation is in place, my customers have seen attackers using AI to map the environment almost instantly, identifying gaps in security where they can silently bypass firewall rules. Once inside, they don’t just move laterally but intelligently. Disguising behaviors to look like normal activity, such attackers can evade EDRs and alerts as they unlock the crown jewels.

Yes: segmentation can slow attackers down. But, on its own, it doesn’t prevent lateral movement. Defenders need more than static segmentation and perimeter firewalls. Networks must be divided into smaller zones to limit lateral movement – but that’s only the first step. To effectively contain and neutralize these campaigns, segmentation must evolve. True resilience requires micro segmentation that’s adaptive, identity-aware and continuously enforced in real time.

Research into Zero Trust Enforcement Using Micro Segmentation shows that identity verification must be combined with contextual signals such as device posture, location and behavior. This means that every connection attempt is evaluated dynamically by policy engines driven by live telemetry, ensuring security isn’t bound to brittle VLANs or static IP ranges but, instead, travels with the identity across hybrid data centers, cloud workloads and legacy systems. Layering identity segmentation on top of granular network policies ties access directly to users, devices and service accounts. This ensures policies follow those identities everywhere – even if credentials are stolen.

Finally, I recommend that defenders should enforce just-in-time MFA at the network layer (tied to Layer 3), to protect every port and workload, not just SaaS apps. Research backs this, noting that multi-factor authentication combined with dynamic, risk-based controls is critical to preventing stealthy pivots. This turns what used to be invisible lateral steps into instantly contained dead ends.
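As an added illustration (not from the article or from any particular product), the following Python sketch models the policy-engine logic described above: each connection attempt is evaluated against an identity-to-workload policy, device posture and a behavioral baseline, and a crown-jewel destination or anomalous context triggers just-in-time MFA instead of a silent allow. All identities, workloads, zones, ports and baselines are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionAttempt:
    """One flow request as seen by the enforcement point (constructed fields)."""
    identity: str          # user or service account making the request
    device_id: str         # device the flow originates from
    device_compliant: bool # endpoint posture signal (EDR healthy, disk encrypted, ...)
    src_zone: str          # network zone the flow comes from
    dst_workload: str      # workload being reached
    dst_port: int
    mfa_verified: bool     # fresh just-in-time MFA proof presented for this flow?
    geo: str               # coarse location signal


# Identity-aware segmentation policy (constructed): which identity may reach which
# workload/port, and whether that destination is a crown jewel that always needs MFA.
POLICY = {
    ("backup-svc", "backup-01", 22): {"crown_jewel": True},
    ("alice", "fileshare-02", 445): {"crown_jewel": False},
    ("alice", "dc-01", 389): {"crown_jewel": True},
}

# Constructed behavioral baseline: devices, zones and locations each identity normally uses.
BASELINE = {
    "alice": {"devices": {"lt-alice"}, "zones": {"user-vlan"}, "geo": {"US"}},
    "backup-svc": {"devices": {"bk-host"}, "zones": {"infra"}, "geo": {"US"}},
}


def evaluate(attempt: ConnectionAttempt) -> str:
    """Return 'allow', 'step-up-mfa' or 'deny' for a single connection attempt."""
    rule = POLICY.get((attempt.identity, attempt.dst_workload, attempt.dst_port))
    if rule is None:
        return "deny"  # identity has no policy for this workload/port, whatever VLAN it sits in
    if not attempt.device_compliant:
        return "deny"  # posture failure: a non-compliant device never gets through
    base = BASELINE.get(attempt.identity, {})
    anomalies = sum([
        attempt.device_id not in base.get("devices", set()),  # unfamiliar device
        attempt.src_zone not in base.get("zones", set()),     # unfamiliar source zone
        attempt.geo not in base.get("geo", set()),            # unfamiliar location
    ])
    # Crown-jewel destinations and out-of-baseline context both demand fresh MFA,
    # so a stolen credential replayed from an attacker's foothold hits a dead end.
    if rule["crown_jewel"] or anomalies > 0:
        return "allow" if attempt.mfa_verified else "step-up-mfa"
    return "allow"
```

Note that the same valid credential for "alice" is allowed from her usual laptop to the file share, but is challenged when replayed from an unknown host in another zone or toward the domain controller.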

Together, identity-aware micro segmentation and just-in-time MFA offer the potential to transform segmentation, from a static control into a living defense fabric that’s adaptive and context-driven. Crucially, something that’s resilient enough to contain chained, AI-powered attacks that legacy approaches can’t stop.

Nicholas DiCola, CISSP, has 28 years of experience across government and commercial sectors. He has held executive and technical roles, with responsibility for network and cybersecurity. His work spans prevention, detection and response.
