Ah, I was thinking that "colourless ports" is the idea where I have 802.1x with ClearPass and dynamically assign VLANs (maybe local user policies but we're not using them now as we have multiple vendors everywhere...). This is because every time I read anything about dynamic segmentation it's about tunneling traffic to a controller, whether it's a SD-Branch GW or something in a DC like we have currently.
So for this discussion I'm thinking that dynamic segmentation means tunneling traffic back to a controller; in our new building's case this would mean controllers in the DC (multiple fiber links between those, so bandwidth is not an issue).
Our traffic patterns are pretty much 100% to the DC. In the campus area we only have one exit point towards the internet/WAN in the DC, and I don't think we have much workstation <-> workstation traffic. Someone somewhere said that Teams etc. would do that, but in our current environment I can't really say if it's happening or not. We would need to get better visibility into the access switches if there's inter-VLAN traffic. And as all our workstations are in the same logical VRF, they can talk directly to each other, so we would need something like transparent firewalls/TAPs there too to know if there is actually lateral traffic.
But as far as I know, the lateral traffic is minimal.