The future of enterprise security will not be defined by a single breakthrough. It will be shaped by how well organizations strengthen the fundamentals while adapting to two major shifts happening at once: the explosion of non-human identities (NHIs) and the growing reality of quantum-era risk.
For business leaders, that means security can no longer be viewed as a static control framework. It must become a continuously evolving discipline that protects the systems of today and tomorrow.
Implementing Continuous Modernization and Identity Hygiene
This begins with continuous modernization, which is especially important in mainframe environments where scale, criticality, and complexity require equal consideration across all enterprise security needs.
While much of the current market conversation around identity security focuses on agentic AI, copilots, and autonomous systems, the mainframe has long operated in a world dense with NHIs. In many enterprises, especially on the distributed side, these identities outnumber human users by a staggering margin, with some industry analysts pointing to ratios as high as 144:1.
Although this ratio may not be as drastic for the mainframe, started tasks, batch IDs, service accounts, and more play a critical role in the volume of transactions that drive business operations. Based on some internal statistics, we’ve observed that the ratio of human identities to NHIs on the mainframe is 2:1 (though this can vary from customer to customer). However, the privileges these NHIs exercise on the mainframe, and their criticality, require continuous identity hygiene.
The stakes are not theoretical. Mainframes continue to sit at the center of the world’s most sensitive and high-volume transactions. Consider the scale of modern digital commerce and financial processing. Payment networks process hundreds of billions of transactions annually, and mainframe environments routinely manage extraordinary volumes of security authorization activity.
In one cited (internal) example, a mainframe customer generated 272 billion security authorization calls in a single month, the majority of which were driven by NHIs. That statistic should be a wake-up call: If organizations are not actively governing NHIs, they are leaving one of the largest attack surfaces in the enterprise underprotected. This level of throughput underscores a simple truth: Identity hygiene on the mainframe is not a niche operational concern. It is foundational to resilience, trust, and business continuity.
With that in mind, the conversation around modernization must move beyond surface-level transformation. Modern security isn’t just about adding new tools. It’s about aligning identity, access, encryption, and monitoring practices to the realities of a rapidly changing threat landscape.
Broadcom’s ACF2 and Top Secret V17 represent a crucial step in that direction, helping enterprises modernize security controls while preparing for the next era of risk.
Governing Non-Human Identities
The first imperative is to recognize that NHIs require the same rigor as human identities. For years, identity governance programs have focused primarily on employees, contractors, and privileged administrators. But in highly automated environments, NHIs often have broad access, persistent credentials, and limited oversight. They submit jobs, move data, trigger workflows, and connect critical systems. If those identities are poorly governed, overprivileged, or left with stale credentials, they become ideal targets for attackers.
That’s why identity hygiene must extend across the full spectrum of both human identities and NHIs. Enterprises need stronger credentialing controls for all identities, whether through PassTickets, identity tokens, or other modern methods. This is especially critical for NHIs, where the use of dynamic, rotating credentials allows for a stronger, more secure approach to authentication.
NHIs also need proper surrogate checking when jobs are submitted so that auditing, scoping, and accountability remain intact. Lifecycle management matters just as much for machine identities as it does for people. While identity governance and administration platforms can help manage human identity processes, organizations also need dedicated mechanisms to clean up, validate, and continuously govern the sprawling footprint of NHIs that exist across the mainframe estate.
Modernizing Credential Encryption
The second imperative is to modernize credential encryption with the future in mind. Quantum computing may still be emerging, but the security implications are already here. The “harvest now, decrypt later” threat model has changed the timeline for action. Sensitive data stolen today may be stored and decrypted later as quantum capabilities mature. That means enterprises cannot afford to think of encryption modernization as a distant roadmap item. It’s a present-day strategic requirement.
As organizations migrate to ACF2 and Top Secret V17, they have an opportunity to reassess how credentials are protected and to move toward stronger encryption standards such as AES-256. This is more than just a technical upgrade. It’s a strategic alignment with a more resilient security posture. By adopting stronger encryption now and building quantum-aware migration strategies, enterprises can reduce future exposure while reinforcing trust in the systems that run their most critical workloads. Both ACF2 and Top Secret provide detailed AES-256 migration approaches, increasing security while retaining enterprise performance benchmarks.
Even as the threat landscape evolves, one of the most important lessons for security leaders is that the basics have not changed. In fact, they matter now more than ever. New risks do not require the replacement of foundational controls; they amplify the need for them.
Multi-Factor Authentication and Zero Trust
Multi-factor authentication (MFA) remains one of the clearest examples of reinforcing the basics. It continues to be among the most effective ways to reduce the likelihood of compromise. Industry data consistently shows that MFA dramatically lowers risk, even when credentials are exposed.
For mainframe environments, this is especially important because the systems involved are inherently high value and often deeply interconnected with core business services. Strengthening authentication is not optional. It is one of the fastest and most practical ways to improve security outcomes.
But authentication alone is not enough. Enterprises also need to enforce a Zero-Trust posture that limits standing privilege and emphasizes just-in-time, time-bound access. Mainframe resources are often business critical, and broad or persistent access creates unnecessary risk. Security teams should be moving toward models where access is granted only when needed, approved through defined workflows, and fully auditable. This approach reduces the blast radius of compromised credentials and helps organizations better align access with actual business needs.
Continuous Monitoring
Continuous monitoring is another imperative that cannot be overlooked. If the average time to contain a data breach stretches into months, then visibility and response speed become decisive advantages.
For example, in 2025, the average time to contain a data breach was 276 days. Real-time monitoring across the mainframe estate is essential for detecting abnormal access patterns, newly created resources, policy violations, and suspicious behavior before they escalate into larger incidents. Monitoring must also become more intelligent. Security teams do not need more noise; they need better signals. Effective policy authoring, alerting, and event correlation help teams focus on the activity that matters most.
Taken together, these priorities point to a broader strategic message for technology leaders: Future-ready security isn’t about choosing between innovation and discipline. It requires both. Organizations must prepare for AI-driven growth in NHIs, anticipate the cryptographic implications of quantum computing, and at the same time double down on proven controls such as MFA, least privilege, just-in-time access, and continuous monitoring.
That’s where modernization efforts can create real value. ACF2 and Top Secret V17 are not simply version upgrades. They’re part of a larger opportunity to rethink how identity and access security are implemented in one of the most critical environments in the enterprise. By strengthening identity hygiene, modernizing encryption, and reinforcing foundational controls, organizations can better align with the security needs of today and tomorrow.
The future of security will belong to enterprises that treat identity as the new perimeter, automation as both an enabler and a risk multiplier, and resilience as a design principle rather than a reactive measure. In a world shaped by NHI sprawl and quantum-era uncertainty, winning organizations will be the ones that modernize with purpose, govern with precision, and never lose sight of the fundamentals.







