Modernising Governance: A Capability-Centric Approach to Legacy Mainframes
Why It Matters
Legacy platforms still process core financial workloads, and misaligned governance creates hidden SoD risks and audit findings; a capability model delivers real‑time risk control and verifiable evidence, protecting enterprises and satisfying regulators.
Key Takeaways
- Capability model ties access to concrete business actions.
- Sequence-aware SoD evaluates risk at runtime, not in static reviews.
- Thin policy overlay adds context without modifying legacy code.
- Just-in-time elevation time-boxes, logs, and auto-revokes privileges.
- Evidence from native telemetry turns certifications into verifiable proof.
Pulse Analysis
Mainframe and IBM i environments remain the backbone of many enterprises’ financial and operational processes, yet their access controls are often forced into cloud‑style entitlement frameworks that strip away operational context. Approvers are left certifying opaque identifiers—HLQs, transaction IDs, or object authorities—without understanding the actual work those permissions enable. This disconnect fuels defensive approvals, entrenches standing privileges, and obscures true segregation‑of‑duties (SoD) violations, leading to audit fatigue and hidden risk exposure.
A capability‑centric governance model reframes access as a set of concrete business actions expressed in the platform’s native language—CICS transactions, DB2 plans, menu paths, and object authorities. By overlaying a thin policy layer that evaluates who, what, where, and when at runtime, organizations can enforce sequence‑aware SoD rules, grant just‑in‑time elevations that are time‑boxed and automatically revoked, and attach concise usage evidence drawn from SMF or QAUDJRN telemetry to each certification item. This method requires no changes to COBOL or RPG code, preserving operational stability while delivering human‑readable audit trails.
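The runtime overlay described above, as an added example that is not the article's or any vendor's code: a small policy layer that maps assumed CICS transaction IDs to business actions, evaluates sequence-aware SoD rules per user and business object, honours time-boxed JIT elevations that lapse on their own, and records every decision as evidence. The transaction IDs, rule set and the walk-through in demo() are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Capability dictionary: native CICS transaction ID -> business action (constructed values).
CAPABILITIES = {"VEND": "vendor.create", "VENA": "vendor.approve", "PAYR": "payment.release"}

# Toxic sequences: (earlier, later) actions one identity must not complete on the same object.
TOXIC_SEQUENCES = {("vendor.create", "vendor.approve"), ("vendor.create", "payment.release")}

@dataclass
class PolicyOverlay:
    """Runtime who/what/where/when check in front of the legacy transaction; COBOL/RPG untouched."""
    history: dict = field(default_factory=dict)     # (user, obj) -> [business actions taken]
    elevations: dict = field(default_factory=dict)  # (user, action) -> expiry of JIT grant
    evidence: list = field(default_factory=list)    # (when, who, decision, what, obj, why)

    def grant_jit(self, user, action, now, minutes=30):
        # Time-boxed elevation: only the expiry is stored, so revocation needs no separate step.
        self.elevations[(user, action)] = expiry = now + timedelta(minutes=minutes)
        self.evidence.append((now, user, "JIT-GRANT", action, "", f"expires {expiry:%H:%M}"))

    def evaluate(self, user, tran, obj, now):
        action = CAPABILITIES.get(tran)
        if action is None:  # no business meaning in the dictionary: deny and record it
            self.evidence.append((now, user, "DENY", tran, obj, "unmapped transaction"))
            return False
        prior = self.history.get((user, obj), [])
        conflicts = [e for e, later in TOXIC_SEQUENCES if later == action and e in prior]
        if conflicts:
            expiry = self.elevations.get((user, action))
            if expiry is None or now >= expiry:
                self.elevations.pop((user, action), None)  # auto-revoke an expired grant
                self.evidence.append((now, user, "DENY", tran, obj, f"SoD {conflicts[0]} -> {action}"))
                return False
            self.evidence.append((now, user, "ALLOW-ELEVATED", tran, obj, f"until {expiry:%H:%M}"))
        else:
            self.evidence.append((now, user, "ALLOW", tran, obj, ""))
        self.history.setdefault((user, obj), []).append(action)
        return True

def demo():
    """Constructed walk-through: one clerk creates vendor V-1001, then tries to approve it and release payment."""
    t0, ov = datetime(2024, 1, 15, 9, 0), PolicyOverlay()
    results = [ov.evaluate("CLERK01", "VEND", "V-1001", t0)]
    results.append(ov.evaluate("CLERK01", "VENA", "V-1001", t0 + timedelta(minutes=5)))  # blocked by SoD
    ov.grant_jit("CLERK01", "vendor.approve", t0 + timedelta(minutes=6))
    results.append(ov.evaluate("CLERK01", "VENA", "V-1001", t0 + timedelta(minutes=10)))  # inside time box
    results.append(ov.evaluate("CLERK01", "PAYR", "V-1001", t0 + timedelta(hours=2)))  # create -> release
    results.append(ov.evaluate("AP02", "PAYR", "V-1001", t0 + timedelta(hours=2)))  # different identity
    return results, [e[2] for e in ov.evidence]
```

The evidence list is the human-readable trail a reviewer would see for each certification item; in a real deployment the same entries would be correlated with SMF or QAUDJRN records rather than kept in memory.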
For security leaders and auditors, the shift to capability‑centric governance means certifications become evidence‑driven rather than speculative, reducing standing privilege and aligning access decisions with actual business intent. The model also satisfies board expectations for risk reduction and supports modernization initiatives that integrate legacy workloads with cloud‑native services. Adoption hinges on building a capability dictionary, integrating the policy overlay, and training reviewers to evaluate behavior instead of static permissions—steps that promise a more resilient, transparent, and compliant access management landscape across the enterprise.