Modern VLSI designs incorporate a high amount of instrumentation that supports post-silicon validation and debug, volume test and diagnosis, as well as in-field system monitoring and maintenance. Reconfigurable scan architectures, as allowed by the novel IEEE Std 1149.1-2013 (JTAG) and IEEE Std 1687-2014 (IJTAG), emerge as a scalable mechanism for access to such on-chip instruments.While the on-chip instrumentation is crucial for meeting quality, dependability, and time-to-market goals, it is prone to abuse and threatens system safety and security. A secure access management method is mandatory to assure that critical instruments be accessible to authorized entities only.This work presents a novel protection method for fine-grained access management in complex reconfigurable scan networks based on a challenge-response authentication protocol. The target scan network is extended with an authorization instrument and Secure Segment Insertion Bits (S 2 IB) that together control the accessibility of individual instruments. To the best of the authors' knowledge, this is the first fine-grained access management scheme that scales well with the number of protected instruments and offers a high level of security. Compared with recent stateof-the-art techniques, this scheme is more favorable with respect to implementation cost, performance overhead, and provided security level.Index Terms-Debug and diagnosis, reconfigurable scan network, IJTAG, IEEE Std 1687, secure DFT, hardware security, instrument protection 0278-0070 (c)