
Identity is the authentication layer that feeds the NAC replacement. For users, Nile pulls identity from Active Directory, including group and role membership, which maps directly onto policy. Corporate devices can authenticate over RADIUS with certificates, which also carry device metadata. On wired connections, Nile supports 802.1X but also offers a captive portal option, so a second factor can be required without deploying 802.1X on every port.
Microsegmentation and the ‘Segment-of-1’
Prior Nile implementations used identity-based access but only supported macrosegmentation. The new release adds fine-grained microsegmentation enforced at the identity level rather than at the IP address or VLAN level.
Katukam said the shift means policy follows the user or device regardless of physical location, switch port or connection type. “We don’t even allow you to discover on the network. We don’t allow you to communicate on the network unless the policy allows you to do it,” he said.
For IoT devices where certificate-based authentication is not available, Nile uses device fingerprinting as the policy anchor. The system can identify devices down to a specific model and keeps learning device attributes over time to refine the classification.
The “Segment-of-1” capability takes that isolation to its furthest point, containing a compromised or misbehaving device to a blast radius of one endpoint. Kiran said this applies not only to malware propagation but also to shadow AI: AI agents running on employee machines that IT has not authorized.
“Today, a lot of AI being used in corporate environments is not necessarily authorized by IT, and they don’t even have visibility in many cases, but if they do detect this, with the Segment-of-1 capabilities, it’s possible to isolate it without expanding the blast radius,” Kiran said.
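To make the identity-anchored, default-deny model concrete, here is an added example (not Nile's code or data model) that evaluates flows the way the paragraphs above describe: an endpoint yields identity labels from whatever evidence exists (a device certificate CN, directory group membership, or a device fingerprint), rules key on those labels rather than on IP or VLAN, a flow is denied unless a rule names the destination, and a quarantined endpoint keeps exactly one permitted hop and is itself unreachable. The label scheme, the POLICY table, the "svc:" service names, the `quarantined` flag and the sample endpoints are all constructed for illustration.

```python
"""Identity-anchored, default-deny segmentation policy (illustrative only).

Added example, not Nile's code. Assumptions: identities are modelled as
labels ("device:<cn>", "group:<ad group>", "fp:<fingerprint>"), services
as "svc:<name>" strings, and the POLICY table is constructed here. VLAN is
carried on the endpoint only to show the decision never consults it.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    mac: str
    vlan: int                          # ignored by policy: L2 adjacency is not trust
    cert_cn: str | None = None         # subject CN from an EAP-TLS device certificate
    ad_groups: tuple[str, ...] = ()    # directory groups of the authenticated user
    fingerprint: str | None = None     # classifier output, e.g. "acme-camera-x200"
    quarantined: bool = False          # Segment-of-1: isolated by operator or detection


def identity_labels(ep: Endpoint) -> frozenset[str]:
    """Every piece of identity evidence becomes a label; no evidence, no labels."""
    labels: set[str] = set()
    if ep.cert_cn:
        labels.add(f"device:{ep.cert_cn}")
    labels.update(f"group:{g}" for g in ep.ad_groups)
    if ep.fingerprint:
        labels.add(f"fp:{ep.fingerprint}")
    return frozenset(labels)


# Constructed rules: source identity label -> destinations it may reach.
# Reaching another endpoint requires naming one of that endpoint's labels,
# so peer reachability is never implied by sharing a VLAN or subnet.
POLICY: dict[str, frozenset[str]] = {
    "group:Engineering":   frozenset({"svc:git", "svc:dns", "svc:proxy"}),
    "device:corp-laptop":  frozenset({"svc:dns", "svc:mdm"}),
    "fp:acme-camera-x200": frozenset({"svc:nvr", "svc:ntp"}),
}

# A quarantined endpoint keeps a single hop: the remediation service.
QUARANTINE_ALLOW: frozenset[str] = frozenset({"svc:remediation"})


def permitted_destinations(src: Endpoint) -> frozenset[str]:
    """Union of what every identity label of the source is allowed to reach."""
    if src.quarantined:
        return QUARANTINE_ALLOW
    allowed: set[str] = set()
    for label in identity_labels(src):
        allowed |= POLICY.get(label, frozenset())
    return frozenset(allowed)


def allow_flow(src: Endpoint, dst: Endpoint | str) -> bool:
    """Default deny: True only when a rule for src names dst, where dst is a
    service string or any identity label of a destination endpoint.
    A quarantined destination is unreachable so the blast radius stays at one."""
    if isinstance(dst, Endpoint):
        if dst.quarantined:
            return False
        targets = identity_labels(dst)
    else:
        targets = frozenset({dst})
    return bool(targets & permitted_destinations(src))


def scenario() -> dict[str, bool]:
    """Constructed endpoints, all on VLAN 10, and the decision for each flow."""
    laptop = Endpoint("aa:bb:cc:00:00:01", vlan=10, cert_cn="corp-laptop",
                      ad_groups=("Engineering",))
    camera = Endpoint("aa:bb:cc:00:00:02", vlan=10, fingerprint="acme-camera-x200")
    unknown = Endpoint("aa:bb:cc:00:00:03", vlan=10)           # no identity at all
    sick = Endpoint("aa:bb:cc:00:00:04", vlan=10, cert_cn="corp-laptop",
                    ad_groups=("Engineering",), quarantined=True)
    return {
        "laptop->git": allow_flow(laptop, "svc:git"),
        "laptop->camera": allow_flow(laptop, camera),            # same VLAN, no rule
        "camera->nvr": allow_flow(camera, "svc:nvr"),
        "camera->laptop": allow_flow(camera, laptop),
        "unknown->dns": allow_flow(unknown, "svc:dns"),          # no labels, no rules
        "quarantined->git": allow_flow(sick, "svc:git"),
        "quarantined->remediation": allow_flow(sick, "svc:remediation"),
        "laptop->quarantined": allow_flow(laptop, sick),
    }


if __name__ == "__main__":
    for flow, decision in scenario().items():
        print(f"{flow:26} {'ALLOW' if decision else 'DENY'}")
```

The point the scenario makes is that the laptop and the camera sit on the same VLAN yet cannot reach each other, the endpoint with no identity evidence reaches nothing at all, and quarantining an endpoint collapses its reachability to one service in both directions without touching any VLAN or port configuration.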
