For decades, mainframe environments have operated as independent islands of infrastructure—reliable, hardened, and often ignored by modern identity programs. While enterprise IT has embraced platforms like Okta and Azure AD to enforce MFA, conditional access, and SSO, mainframes have continued using legacy access controls like RACF, ACF2, or Top Secret. These two worlds rarely intersect.
The result is a quiet but dangerous gap. Security leaders may assume that all critical systems fall under corporate IAM policies. But mainframe administrators often maintain separate controls and don’t view integration as a priority. This disconnect has now become a liability.
As regulatory requirements evolve, so do the expectations. We’ve always known mainframes were different—but the era of IAM exceptions is over.
New MFA mandates bring mainframes into scope
Regulatory frameworks increasingly emphasize what is protected over where it is stored. This subtle shift has huge implications. Whether data resides on a Windows server or a mainframe, frameworks like PCI DSS 4.0, New York State’s cybersecurity mandates, and DORA require consistent access controls and MFA.
Yet many mainframe environments still rely on username and password authentication, or bolt on an entirely separate MFA system with its own enrollment, policies, and logs. These workarounds create friction for users, compliance headaches for security teams, and gaps attackers can exploit: a standalone system is easy to misconfigure or bypass, and an account disabled in the enterprise directory can live on in the mainframe’s own security database until someone remembers to remove it there too.
“Just because it’s buried in a data center doesn’t mean it’s out of scope,” said Barbara Ballard, Principal Product Manager – Host Connectivity at Rocket Software, during a recent webcast. “Regulations don’t care what kind of box it runs on. They care that it contains sensitive data.”
Time to rethink who owns mainframe security
In many enterprises, the people who manage mainframes don’t sit in the same meetings as the IAM team. That’s starting to change—but slowly. Experts say the root problem isn’t technical complexity. It’s organizational inertia.
Vendors like Rocket Software are offering bridges between the two worlds, enabling mainframe access to be governed by the same IAM platforms used across the enterprise. Their approach uses industry standards like SAML and OIDC to route authentication through enterprise systems before passing users into mainframe applications. The mainframe side of such a bridge is not passive: it has to verify that an assertion or token really came from the enterprise identity provider, was issued for it, has not expired, and records that MFA actually took place, and only then map the enterprise identity to the RACF, ACF2, or Top Secret user ID. But the broader challenge remains: security leaders need to stop treating the mainframe as “someone else’s problem.”
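The checks a mainframe-side gateway in such an OIDC bridge has to perform, as an added example written for this article rather than code from Rocket Software or any IdP: a hypothetical gateway validates an OIDC ID token from the enterprise identity provider, refuses it unless the `amr` claim shows the user completed a second factor, and only then maps the enterprise username to a RACF user ID. The issuer, audience, secret, accepted `amr` values, and the RACF mapping table are all constructed for the example; the HS256 shared secret stands in for the RS256 key and JWKS lookup a real IdP integration would use.

```python
"""OIDC ID-token validation at a mainframe access gateway (constructed example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed values. A real gateway would fetch the IdP's RS256 public keys from its
# JWKS endpoint; HS256 with a shared secret keeps this example self-contained.
IDP_ISSUER = "https://idp.example.com"
GATEWAY_AUDIENCE = "mainframe-gateway"
SHARED_SECRET = b"example-only-secret"

# OIDC 'amr' values this gateway accepts as proof that a second factor was used.
MFA_AMR_VALUES = {"mfa", "otp", "hwk", "fido", "sms"}

# Enterprise identity -> RACF user ID (1-8 uppercase chars). Constructed mapping table.
RACF_MAP = {"jane.smith@example.com": "JSMITH01", "bob.lee@example.com": "BLEE02"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict) -> str:
    """Issue an HS256 ID token the way the constructed IdP would."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def authorize_mainframe_session(id_token: str, now: Optional[float] = None) -> Tuple[Optional[str], str]:
    """Validate an ID token and return (racf_user, reason); racf_user is None on refusal.

    Every check here belongs to the gateway, not the IdP: signature, issuer, audience,
    lifetime, evidence of MFA, and a known mapping to a mainframe identity.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = id_token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed token"
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's own choice
        return None, "unexpected alg"
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    if claims.get("iss") != IDP_ISSUER:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if GATEWAY_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return None, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None, "token expired or missing exp"
    if not MFA_AMR_VALUES & set(claims.get("amr", [])):
        return None, "no second factor in amr"
    racf_user = RACF_MAP.get(claims.get("preferred_username", ""))
    if racf_user is None:
        return None, "no mainframe identity for this user"
    return racf_user, "ok"


if __name__ == "__main__":
    issued = mint_id_token({
        "iss": IDP_ISSUER, "aud": GATEWAY_AUDIENCE, "exp": time.time() + 300,
        "sub": "u-1", "preferred_username": "jane.smith@example.com", "amr": ["pwd", "otp"],
    })
    print(authorize_mainframe_session(issued))
```

The point of the `amr` check is that federation alone does not satisfy an MFA mandate: if the gateway accepts any valid token, a password-only login at the IdP still reaches the mainframe. The mapping table is the other place to audit, since a stale entry there is exactly the orphaned mainframe access the preceding paragraphs describe.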
As Zero Trust models mature and attackers seek out forgotten assets, this is a blind spot few organizations can afford. Security teams need to treat the mainframe like any other high-value system—integrated, observable, and subject to the same controls as everything else.