Why every alternative to network access control eventually surfaces the same unsolved problem
NAC is legacy. The 802.1X-everywhere deployments, months-long rollouts, dedicated operations staff — all of it is showing its age. Gartner has said it. Budgets have moved on. But there’s a question getting lost in that shift: does a legacy product mean a legacy function? Does the need to control everything that connects to your network also go away?
It doesn’t. And the past decade of alternatives makes that clear.
The Solutions That Stepped In When NAC Stepped Back
As NAC’s operational complexity became unsustainable, organizations leaned on tools they already had. Each covered part of the problem. Each left a different part uncovered.
- NGFWs brought application awareness and user identification to the network perimeter — but firewalls are designed to control traffic at the boundary, not to discover and classify devices already inside the network. The two problems require different architectures.
- VPN + endpoint security worked well for managed devices with known user identities. It didn’t apply to devices that connect directly to the internal network — IoT, printers, OT systems — where agents can’t be installed.
- Network vendor bundles (Cisco, Aruba, Fortinet) integrated access control into switching and wireless infrastructure. In single-vendor environments this worked reasonably well. In mixed environments — which describes most enterprises — consistent policy across the full device population was difficult to maintain, and IoT exceptions remained a manual, ongoing problem.
Each addressed a different problem, but all three share the same blind spot: none of them provided full visibility (telemetry from endpoints and network) and consistent policy enforcement (for campus, remote, and cloud) across every connected device, regardless of type, OS, management, or compliance status. That gap didn’t close. It carried forward.
ZTNA: Real Progress, Real Gap
ZTNA started primarily as a more secure replacement for remote access VPN, and later became a broader Zero Trust architecture component. It brought a genuine improvement: identity-based, application-scoped access control that removed the “inside the perimeter = trusted” assumption.
But ZTNA was architected around managed devices — ones with agents installed, user identities verified, and MDM enrollment in place.
In a typical enterprise today, 30–50% of connected devices can’t run an agent. IP cameras. Building sensors. Medical equipment. Factory PLCs. HVAC controllers. These devices have no user identity, no MDM enrollment, no agent telemetry — and sit outside ZTNA’s visibility.
A device ZTNA cannot see is a device ZTNA cannot enforce policy against. When that device is compromised and used as a lateral movement pivot, ZTNA has no mechanism to detect or contain it at the network layer. This is a scope boundary, not a design flaw — but it’s one the market has had to confront directly.
Universal ZTNA: The Market Surfaces the Same Problem
The industry’s response to ZTNA’s coverage gap is Universal ZTNA. Gartner projects it will grow more than 40% by 2027, and vendors including Netskope, Fortinet, and Extreme Networks are repositioning their platforms accordingly.
Universal ZTNA aims to extend Zero Trust enforcement beyond managed users and devices to include unmanaged IoT, OT, BYOD, and third-party endpoints that can’t participate in agent-based identity frameworks. To do that, it needs capabilities the original ZTNA model didn’t include: device discovery, behavioral profiling, and access enforcement at the network layer — before application-layer policy applies. Those are the core functions network access control was originally built to provide.
ZTNA began as a VPN replacement focused on user access. As its coverage limits became apparent, the market pushed it to absorb device-visibility and network-enforcement functions — the same ground NAC had always occupied. The category label changed. The problem it needed to solve didn’t.
Why Layer 2 Cannot Be Skipped
Every device — regardless of OS, manufacturer, or management status — generates Layer 2 traffic the moment it connects: ARP requests, MAC broadcasts, DHCP exchanges. Before a device has an IP address, before it reaches any application, before any higher-layer policy engine has a chance to evaluate it, it has already announced itself at Layer 2.
That makes Layer 2 the earliest point at which access can be granted, denied, or segmented — universally, across every device type. Logical Group or VLAN assignment happens here. Blocking happens here. Everything above — routing, ZTNA, firewall policy — operates on what Layer 2 has already allowed through. A Zero Trust architecture with an uncontrolled Layer 2 foundation enforces policy selectively, not universally.
Fewer Managing Points, Lower Total Cost
Traditional NAC didn’t fail because controlling network access was the wrong goal. It failed because the implementation created more managing points than it eliminated: 802.1X on every switch, RADIUS and certificate infrastructure, manual IoT exception workflows, dedicated staff to maintain it all. The security function was sound. The operational overhead meant the ROI math never added up.
The answer isn’t to stop enforcing network access — it’s to enforce it with fewer managing points.
- Initial deployment: Agentless discovery removes the agent rollout project. ARP-based enforcement and SNMP port control don’t require 802.1X infrastructure as a prerequisite. Device profiling reduces manual classification significantly.
- Ongoing operations: Devices that classify automatically don’t generate exception tickets. Policies that self-enforce don’t require change management windows. EDR detects a threat → the network isolates the device at Layer 2 automatically, without a manual response workflow.
The result is a structural reduction in the operational complexity of network security — not a cheaper version of the same overhead.
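To make the Layer 2 argument and the agentless discovery bullet concrete, here is an added illustration (not code from Genians or any product): a minimal inventory that learns every device from the ARP frames it emits on connection, including ARP probes sent with a 0.0.0.0 sender address before the device has any IP, assigns a group from a constructed OUI table, defaults unknown prefixes to quarantine, and exposes an isolate() call of the kind an EDR detection would trigger. The OUI prefixes and MAC addresses are placeholders, not real vendor assignments.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

ETH_ARP = 0x0806
# Constructed OUI-to-group table; prefixes are placeholders, not real vendor assignments.
OUI_GROUPS = {"aa:bb:cc": "ip-camera", "00:11:22": "printer"}
QUARANTINE = "quarantine"

@dataclass
class Device:
    mac: str
    group: str
    ips: set = field(default_factory=set)

def build_arp(sha: bytes, spa: bytes, tpa: bytes, op: int = 1) -> bytes:
    """Construct an Ethernet/ARP frame as sample input (what a switch port sees on link-up)."""
    eth = struct.pack("!6s6sH", b"\xff" * 6, sha, ETH_ARP)
    return eth + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha, spa, b"\x00" * 6, tpa)

def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip) for an Ethernet-over-IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, _hlen, _plen, _op, sha, spa, _tha, _tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != 0x0800:
        return None
    return sha.hex(":"), ".".join(str(b) for b in spa)

def learn(inventory: dict, frame: bytes) -> Optional[Device]:
    """Agentless discovery: record the sender of every ARP frame, grouped by OUI prefix."""
    parsed = parse_arp(frame)
    if parsed is None:
        return None
    mac, ip = parsed
    # Unknown prefixes land in quarantine until classified, rather than being allowed by default.
    dev = inventory.setdefault(mac, Device(mac, OUI_GROUPS.get(mac[:8], QUARANTINE)))
    if ip != "0.0.0.0":          # an ARP probe announces the MAC before any IP exists
        dev.ips.add(ip)
    return dev

def isolate(inventory: dict, mac: str) -> bool:
    """Layer 2 response to a detection (e.g. from EDR): move the device to the quarantine group."""
    dev = inventory.get(mac)
    if dev is None:
        return False
    dev.group = QUARANTINE
    return True
```

The device is inventoried, and can be quarantined, on its first frame, which is exactly the point at which no agent, user identity or IP address is yet available to any higher-layer policy engine.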
Compliance Velocity: Regulation Is Now a Speed Test
Layer 2 enforcement also has a direct regulatory dimension. NIS2 and DORA have shifted from documentation-based compliance to measuring execution capability: how quickly an organization detects a threat, enforces a response, and demonstrates a compliant state. NIS2 non-compliance carries penalties up to 2% of global annual turnover; DORA grants financial supervisors authority to impose measures affecting management continuity directly.
This isn’t limited to EU-headquartered organizations. EU entities are legally required to ensure their suppliers don’t introduce unacceptable cyber risk — making compliance posture a condition of supply chain participation, not just a domestic obligation.
Compliance Velocity — the speed at which an organization can detect, respond, and produce audit evidence on demand — depends on having accurate, real-time network visibility. That visibility starts at Layer 2: known device inventory, automatic isolation of non-compliant endpoints, and a unified audit trail across NAC, ZTNA, and EDR that reflects what actually happened, not what was planned.
Genians: Built at Layer 2 Since 2005
Over twenty years of device behavior data. Fingerprinting patterns and Device Platform Intelligence across 5,000+ customer environments. A NAC powered by Device Platform Intelligence that classifies every connected device in real time — including the ones ZTNA can’t see.
The platform integrates NAC, ZTNA, and EDR from a single enforcement foundation, covering managed and unmanaged devices, IT and OT, on-premises and cloud-connected infrastructure.
- Already invested in ZTNA? Genians covers the 30–50% of the network ZTNA can’t see, without replacing what’s working.
- Starting your Zero Trust journey? Genians provides the device visibility that every other layer of Zero Trust depends on. Enforcing Zero Trust for devices you can’t see isn’t Zero Trust — it’s selective trust with undocumented assumptions. And unlike architectures that require separate NAC and ZTNA products, Genians ZTNA natively includes NAC functionality — one solution, one license, one operational model for both network access control and Zero Trust enforcement.
The category label can be retired. The function cannot. What needed to change was the approach: fewer managing points, lower total cost, Layer 2 enforcement that works across the full device population without rebuilding the network first.
Network security ROI doesn’t improve by adding tools. It improves by controlling the foundational layer.