Why do mainframe and legacy connectors still matter in lifecycle management?

Because lifecycle controls fail when the automation only reaches modern cloud systems. If RACF, ACF2, Top Secret, or similar legacy targets are outside the workflow path, organisations end up with persistent manual access and incomplete revocation, which undermines the whole joiner-mover-leaver model.

Why This Matters for Security Teams

Mainframe and legacy connectors are not edge cases in lifecycle management; they are the point where many joiner-mover-leaver programmes fail. If access workflows only automate modern SaaS and cloud systems, the organisation still depends on manual tickets, spreadsheet reviews, or ad hoc approvals for RACF, ACF2, Top Secret, and similar targets. That creates persistent access, incomplete revocation, and weak evidence for audit. The NHI Lifecycle Management Guide shows why lifecycle coverage must extend across all identity-bearing systems, not just the newest ones.

This matters even more because legacy platforms often hold the highest-value data and the most privileged accounts. When connectors are missing, deprovisioning becomes a human process, and human process is where delay and inconsistency enter. The OWASP Non-Human Identity Top 10 frames this as a governance and exposure problem, not merely an integration gap. In practice, many security teams encounter orphaned access only after an audit finding, a failed offboarding review, or an incident tied to an account that nobody thought was still active.

How It Works in Practice

Effective lifecycle management treats legacy systems as first-class targets in the same workflow used for cloud and SaaS. That usually means building or buying connectors that can provision, modify, suspend, and revoke accounts in mainframe estates, while preserving system-specific controls such as group membership, dataset permissions, or command-level rights. The control plane should not rely on manual operator action except for well-defined exceptions. NHI research, including the Ultimate Guide to NHIs and its treatment of lifecycle processes, highlights that lifecycle quality depends on automation coverage, not policy intent alone.

In practice, teams usually need four capabilities:

  • Authoritative source sync from HR, IAM, or IGA into the connector workflow.
  • Deterministic mapping between business role changes and legacy entitlement changes.
  • Near-real-time revocation for termination and emergency disablement cases.
  • Evidence collection so each change can be traced for audit and recertification.

For standards alignment, the NIST Cybersecurity Framework 2.0 supports this by emphasising identity governance and access control as operational capabilities, not one-time tasks. Where connectors exist, they should enforce the same lifecycle state transitions as modern systems, including disable, expire, and re-enable with approval. Where connectors do not exist, best practice is evolving toward compensating controls, but there is no universal standard for this yet, and manual fallback remains a known weak point. These controls tend to break down when legacy ownership is decentralised, because entitlement semantics differ across each platform and revocation timing becomes inconsistent.

Common Variations and Edge Cases

Tighter lifecycle control often increases implementation and change-management overhead, requiring organisations to balance coverage against the complexity of older platforms. That tradeoff is especially visible in mainframe estates where account models were designed decades before modern IAM patterns, and where service accounts, batch jobs, and shared operational IDs may not map cleanly to person-centric workflows.

Legacy connectors also vary in maturity. Some environments support direct API-based automation, while others require command automation, file-based updates, or vendor middleware. Best practice is to prioritise the highest-risk systems first, especially those that host privileged access or sensitive datasets, and then expand coverage iteratively. The Top 10 NHI Issues and Guide to the Secret Sprawl Challenge both point to the same operational lesson: if lifecycle tooling cannot reach the system, the access still exists, just outside governance.

For very old environments, some teams use compensating reviews, break-glass procedures, or scheduled reconciliation jobs. Those approaches can reduce risk, but they do not replace true connector coverage. The main limitation is that manual or batch-based control often lags real employment events, so revocation may happen after exposure has already occurred.
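The four capabilities listed above (authoritative source sync, deterministic role-to-entitlement mapping, prompt revocation, evidence collection) and the scheduled reconciliation job described here can be shown together in one small routine. This is an added example, not code from the page or from any connector product; the HR feed, the legacy user export, its field names and the group names are all constructed assumptions standing in for a real RACF-style extract.

```python
# Added example (not from the page): a reconciliation job that compares an HR
# feed with a constructed export of legacy (RACF-style) user IDs and emits
# lifecycle actions plus evidence records. Field names and values are assumed.
from datetime import datetime, timezone

# Constructed HR feed: employee id -> (status, role)
HR_FEED = {"E100": ("active", "ops"),
           "E101": ("terminated", "ops"),
           "E102": ("active", "finance")}   # mover: ops -> finance

# Constructed legacy export; 'owner' ties a user ID to an HR record, while
# batch/service IDs have no owner and cannot follow person-centric JML.
LEGACY_USERS = {
    "OPS100":  {"owner": "E100", "status": "enabled",  "groups": {"OPSGRP"}},
    "OPS101":  {"owner": "E101", "status": "enabled",  "groups": {"OPSGRP"}},
    "FIN102":  {"owner": "E102", "status": "disabled", "groups": {"OPSGRP"}},
    "BATCHJ1": {"owner": None,   "status": "enabled",  "groups": {"BATCH"}},
}
# Deterministic mapping from business role to legacy group entitlement.
ROLE_TO_GROUPS = {"ops": {"OPSGRP"}, "finance": {"FINGRP"}}

def reconcile(hr, legacy):
    """Return (user, action, detail) tuples in deterministic order."""
    actions = []
    for uid, acct in sorted(legacy.items()):
        owner = acct["owner"]
        if owner is None:
            # Shared or batch ID: route to owner attestation, never ignore it.
            actions.append((uid, "review", "no HR owner; needs attestation"))
            continue
        status, role = hr.get(owner, ("unknown", None))
        if status != "active":
            # Leaver or unknown owner: revoke rather than leave it enabled.
            if acct["status"] == "enabled":
                actions.append((uid, "revoke", f"owner {owner} is {status}"))
            continue
        expected = ROLE_TO_GROUPS.get(role, set())
        for g in sorted(acct["groups"] - expected):   # mover: drop old rights
            actions.append((uid, "remove_group", g))
        for g in sorted(expected - acct["groups"]):   # mover: grant new rights
            actions.append((uid, "add_group", g))
        if acct["status"] == "disabled":
            # Re-enable is a state transition that requires explicit approval.
            actions.append((uid, "reenable", "pending approval"))
    return actions

def evidence(actions):
    """Timestamped records so each change is traceable at recertification."""
    ts = datetime.now(timezone.utc).isoformat()
    return [{"ts": ts, "user": u, "action": a, "detail": d} for u, a, d in actions]
```

Run as a scheduled job, the gap this closes is visible in the output: the terminated owner's ID is revoked, the mover loses the old group and gains the new one, re-enable is held for approval, and the batch ID is surfaced for attestation instead of silently staying enabled.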

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
------------------------------- | ------------------- | --------------------------------------------------------------------------
OWASP Non-Human Identity Top 10 | NHI-03              | Covers lifecycle and rotation gaps that legacy connectors often create.
NIST CSF 2.0                    | PR.AC-4             | Access provisioning and revocation are central to connector-based lifecycle management.
NIST AI RMF                     | Governance          | Governance and lifecycle accountability apply to identity tooling across all systems.

Map legacy entitlements into automated access control processes and verify timely removal at offboarding.