
Honestly no it is kind of nonsense. Nothing requires you to microsegment with wireguard meshes, for example.




Agreed, WireGuard itself doesn’t require microsegmentation, as it’s just a tunnel. The point is the mesh products built on it tend to add identity + ACLs, which makes least-privilege “only these sources → these destinations/ports” feasible. That’s effectively microsegmentation (overlay-level), and it’s one way ZT limits lateral movement per NIST’s ZTA guidance.

That’s a fair framing, with one important distinction.

Overlay ACLs give you network-scoped microsegmentation, not service-scoped Zero Trust (as intended in NIST 800-207). You’re limiting which IPs/ports can talk after a node is attached, not deciding whether a service path exists at all per identity and per session.

The crypto isn’t the issue - WireGuard keys are strong. The issue is scope. A node identity that grants network reachability is different from a capability-scoped identity that creates only explicit service connectivity. NIST also warns that IP-based enforcement tends to reintroduce ambient trust once a device is attached. In that model, lateral movement is reduced, not eliminated.

A simple litmus test:
- If authenticating gives you an IP and routes, you’ve built network trust with segmentation.
- If authenticating only creates explicit service paths, you’ve built Zero Trust.

Mapping this to WireGuard and overlays, I’d say:
- WireGuard + identity + ACLs = good overlay microsegmentation
- Identity-first connectivity (no IP reachability, no inbound listeners) = Zero Trust by construction

If you adopt the latter, the former becomes unnecessary for Zero Trust — because identity creates connectivity directly instead of attaching nodes to a network. Bringing it back to the topic, microsegmentation manages risk inside a network. Identity-first connectivity removes the network from the trust model altogether.
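The two models argued about above can be made concrete with a small policy evaluator. This is an added illustration written for this page; it is not code from any commenter or from any WireGuard mesh product. The tags, SPIFFE-style identities, CIDRs, service names and the `session_ok` flag are all made-up stand-ins. The first evaluator keys its decision on a node identity plus destination IP/port (the overlay ACL case); the second keys it on a workload principal plus a named service plus a per-session check, and returns no path at all when the grant is absent.

```python
"""Toy policy evaluators: overlay (network-scoped) ACLs vs. identity-first
(service-scoped) connectivity.  Constructed illustration only; every
identifier below is invented for the example."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# --- Model 1: overlay ACL ----------------------------------------------------
# After a node authenticates it holds an overlay IP and routes; the ACL then
# filters (source node tag -> destination ip:port).  The decision is a
# function of the *node*, so every process on that node inherits it.


@dataclass(frozen=True)
class AclRule:
    src_tag: str        # identity tag of the source node, e.g. "tag:web"
    dst_cidr: str       # destination overlay range
    ports: frozenset    # allowed destination ports


# Constructed policy: web nodes may reach Postgres on one /24, ops may SSH anywhere.
OVERLAY_ACL = [
    AclRule("tag:web", "100.64.0.0/24", frozenset({5432})),
    AclRule("tag:ops", "100.64.0.0/16", frozenset({22})),
]


def overlay_allows(src_tag: str, dst_ip: str, dst_port: int) -> bool:
    """Default-deny packet filter on the overlay."""
    addr = ip_address(dst_ip)
    return any(
        rule.src_tag == src_tag
        and addr in ip_network(rule.dst_cidr)
        and dst_port in rule.ports
        for rule in OVERLAY_ACL
    )


def reachable_from(src_tag: str, inventory: list[tuple[str, int]]) -> set[tuple[str, int]]:
    """Blast radius of a compromised node: every (ip, port) its tag can hit.
    Lateral movement is reduced by the ACL, but whatever is left is reachable
    by *any* process on the node, no per-service or per-session check."""
    return {(ip, port) for ip, port in inventory if overlay_allows(src_tag, ip, port)}


# --- Model 2: identity-first, service-scoped connectivity --------------------
# No IP is handed out.  A connection exists only for an explicit
# (principal, service) grant, re-checked per session.


@dataclass(frozen=True)
class ServiceGrant:
    principal: str      # workload or user identity, not a node
    service: str        # named service, not an ip:port


# Constructed grants, SPIFFE-style identifiers are placeholders.
SERVICE_GRANTS = {
    ServiceGrant("spiffe://example.test/web/checkout", "svc:orders-db"),
    ServiceGrant("spiffe://example.test/ops/alice", "svc:bastion-ssh"),
}


def service_path(principal: str, service: str, session_ok: bool) -> bool:
    """True only if this principal is granted this service *and* the current
    session check passes; otherwise there is simply no path to dial."""
    return session_ok and ServiceGrant(principal, service) in SERVICE_GRANTS


if __name__ == "__main__":
    # Constructed inventory of overlay listeners.
    inventory = [("100.64.0.10", 5432), ("100.64.0.10", 22), ("100.64.3.7", 22)]
    # A rogue process on a web node inherits the node's reachability:
    print("web node can reach:", sorted(reachable_from("tag:web", inventory)))
    # The checkout workload gets a path; a sidecar on the same host does not:
    print(service_path("spiffe://example.test/web/checkout", "svc:orders-db", True))
    print(service_path("spiffe://example.test/web/sidecar-cron", "svc:orders-db", True))
```

Running it shows the litmus test from the comment in code: in the first model, `reachable_from` is what an attacker on a `tag:web` node gets for free, because the check never asks which process or session is calling; in the second, two workloads on the same host get different answers, and a failed session check removes the path rather than leaving an IP to probe.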



