By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: IllumioPublished August 14, 2025

TL;DR: Federal agencies are being pushed to meet EDR requirements on mainframes that cannot support endpoint agents, creating a compensating-control problem rather than a tooling problem, according to Illumio. The practical issue is how to secure mission-critical legacy workloads without forcing unsupported architecture changes that weaken Zero Trust outcomes.


At a glance

What this is: This is an analysis of why federal mainframes remain difficult to secure under modern EDR-driven compliance requirements and how compensating controls are used to close the gap.

Why it matters: It matters to IAM and security teams because legacy workloads often sit outside standard agent-based controls, yet still depend on identity, access, and lateral-movement boundaries that Zero Trust and governance programmes must enforce.

By the numbers:

  • 23-01
  • Illumio supports a wide range of older and uncommon operating systems, including IBM Z, iSeries, Solaris, AIX, Oracle Linux, Windows Server 2003 and 2008, Citrix, F5, and BMC.

👉 Read Illumio's analysis of mainframe security and federal EDR mandates


Context

Mainframe security in federal environments is less about replacing old systems and more about governing the controls they can realistically support. The central problem is that compliance requirements increasingly assume endpoint agents, while mission-critical platforms still need to stay in place to keep government services running.

That creates an identity and access governance issue as much as a platform issue. When workloads cannot run standard EDR, teams still need a way to enforce segmentation, constrain communication paths, and reduce lateral movement without breaking the operational dependencies that legacy systems carry.


Key questions

Q: What breaks when EDR is required on systems that cannot support it?

A: The control model breaks because compliance assumes a deployable agent, while some legacy systems cannot host one without destabilising operations. In that situation, organisations need an approved compensating control that still demonstrates risk reduction, such as segmentation and traffic governance. Without that, the programme ends up measuring tool presence instead of security outcome.

Q: Why do mainframes complicate Zero Trust programmes?

A: Mainframes complicate Zero Trust because they are often essential, long-lived, and technically incompatible with the same agent-based controls used on modern endpoints. Zero Trust still applies, but it must be enforced through boundaries, policy, and continuous verification appropriate to the workload. The challenge is governance consistency, not identical tooling.

Q: How do security teams know if compensating controls are actually working?

A: They should test whether segmentation, privilege reduction, and monitoring can stop movement before the vulnerable path reaches critical assets. A control is working when an assumed exploit can be contained without broad access, not when the patch finally lands. Tabletop exercises and red-team validation should prove that containment happens inside the exposure window.

Q: Who is accountable when a legacy system cannot meet a mandated control?

A: Accountability sits with the control owner, the security programme, and the approving authority for the exception. The key question is whether the alternative control was formally defined, tested, and mapped to the original objective. Frameworks such as NIST SP 800-53 and Zero Trust guidance expect evidence of equivalent protection, not a blanket waiver.


Technical breakdown

Why EDR fails as a control model for mainframes

EDR is built around host-level telemetry, agent installation, and endpoint response actions. Mainframes often cannot support those assumptions because their operating environments, change controls, and vendor support models are fundamentally different from commodity servers. In practice, this means a control requirement can be valid in principle but technically unfulfillable on the target system. That leaves agencies with a gap between policy intent and operational reality, especially when auditors expect one control pattern across very different workload classes.

Practical implication: classify unsupported platforms early so compensating controls can be approved before validation deadlines arrive.

Compensating controls and microsegmentation for legacy workloads

When an endpoint agent is not possible, compensating controls shift the security objective from host inspection to traffic governance. Flow data, workload context, and policy enforcement can reveal what communicates with what, then narrow exposure by limiting permitted pathways. That is the core of microsegmentation: reducing the blast radius by constraining east-west movement instead of relying on endpoint tooling to detect every bad event. For mainframes, this is often the only practical way to preserve Zero Trust intent without forcing a rebuild.

Practical implication: document compensating controls as part of the control evidence package rather than treating them as temporary exceptions.

Zero Trust for systems that cannot be modernised

Zero Trust is frequently discussed as if every workload can be replatformed into a homogeneous control stack. Federal mainframes show why that assumption fails. Zero Trust is about continuous verification and constrained trust boundaries, not about mandating the same tooling everywhere. The governance challenge is to preserve policy intent across heterogeneous environments, including IBM Z, iSeries, and other long-lived systems that remain central to mission delivery.

Practical implication: map each legacy workload to a Zero Trust control objective and prove how it is enforced in that environment.


NHI Mgmt Group analysis

Mainframe security has become a compensating-control problem, not a retirement problem. The article shows that federal agencies are still operating mission-critical systems that cannot support standard endpoint tooling. That makes the control question more important than the age of the platform. If the workload remains in production, the security model has to be designed around its constraints, not around a replacement timeline that may never materialise.

EDR-centric compliance creates an identity gap when the asset cannot host the agent. Security programs often assume the control plane can be deployed uniformly across all workloads, but legacy mainframes break that assumption. The real governance issue is whether an agency can demonstrate equivalent risk reduction through network policy, segmentation, and access restriction when endpoint telemetry is unavailable.

Microsegmentation is the practical bridge between Zero Trust intent and legacy reality. Flow-based policy gives security teams a way to limit lateral movement and preserve trust boundaries even when host inspection is impossible. That matters because Zero Trust is ultimately a boundary and verification model, not a product category. Practitioners should treat segmentation evidence as first-class compliance proof.

Legacy platform risk is increasingly a policy design issue, not a platform hygiene issue. Mainframes remain in place because they support critical missions, which means governance must absorb heterogeneity instead of trying to eliminate it. The organisations that manage this best will be the ones that define compensating controls clearly, map them to control objectives, and accept that a single tooling standard is not the same thing as a secure standard.

Secure-by-exception thinking will fail federal resilience programmes. If every unsupported workload is treated as a compliance outlier, the exception list becomes the system. A better model is to define the control objective once, then approve multiple enforcement methods depending on the workload class. Practitioners should design for durable exceptions that are still measurable and auditable.

What this signals

Compensating-control governance will matter more as federal environments retain unsupported workloads. Security teams should expect more pressure to prove equivalent protection without relying on a single endpoint-centric toolset. That makes policy evidence, segmentation telemetry, and documented exception handling central to programme maturity, especially where identity and access boundaries still govern mission-critical traffic.

Zero Trust adoption in legacy estates will be judged by containment, not platform uniformity. The practical standard is whether a workload can be protected in place while preserving service continuity. Teams that can demonstrate constrained communication paths and measurable lateral-movement reduction will be better positioned for audit, even when the underlying system predates modern endpoint models.


For practitioners

  • Define compensating controls for unsupported workloads Build a formal exception path for mainframes and other systems that cannot host EDR, including the control objective, the accepted alternative, and the evidence required for audit.
  • Map legacy workloads to Zero Trust objectives Document how each mainframe or older operating system enforces continuous verification, segmentation, and constrained communication even without endpoint telemetry.
  • Use flow data to prove segmentation boundaries Capture permitted communication paths and reduce east-west exposure so reviewers can see how lateral movement is limited across IBM Z, iSeries, and similar environments.
  • Align compliance evidence with platform reality Translate BOD requirements into workload-specific evidence packages that show the intent of the control, not just the presence of a named technology.

Key takeaways

  • The core issue is not that mainframes are obsolete, but that modern compliance assumptions often do not fit how they operate.
  • Federal agencies need compensating controls that prove equivalent protection when EDR cannot be deployed, especially on mission-critical legacy systems.
  • Zero Trust for unsupported workloads depends on segmentation, policy evidence, and auditable control objectives rather than tool uniformity.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Mainframe segmentation and constrained trust align with access control enforcement.
NIST SP 800-53 Rev 5AC-4This article centres on controlling communications and limiting lateral movement.
CIS Controls v8CIS-6 , Access Control ManagementLegacy workload access governance depends on controlling who and what can communicate.
NIST Zero Trust (SP 800-207)The article is fundamentally about enforcing Zero Trust without assuming uniform tooling.
ISO/IEC 27001:2022A.8.20Network security controls are the practical substitute where endpoint tooling is unavailable.

Use AC-4 to define approved flows and prove compensating controls where endpoint agents are impossible.


Key terms

  • Compensating Control: A compensating control is a measure that reduces risk when the ideal fix, such as immediate patching or redesign, is not possible. In OT, compensating controls often include session recording, access restriction, and tighter monitoring. They do not eliminate the underlying issue, but they narrow exposure until safer remediation can happen.
  • Microsegmentation: Microsegmentation is the practice of dividing networks or workloads into tightly controlled communication zones. It limits lateral movement by allowing only explicitly approved flows, which is especially useful when endpoint-based detection or response cannot be installed on a system.
  • Zero Trust: Zero Trust is a security model that assumes no implicit trust and requires continuous verification of access and communication. For legacy workloads, it is enforced through boundaries, policy, and visibility rather than by forcing every system to run the same tooling.

What's in the full article

Illumio's full blog covers the operational detail this post intentionally leaves for the source:

  • How the platform classifies mainframe and legacy workloads using flow data and context rather than endpoint telemetry.
  • Which unsupported operating systems and platform families the article says can still be governed under the same policy approach.
  • Why the article frames segmentation as a compensating control for federal validation and Zero Trust requirements.
  • How the source positions the approach across IBM Z, iSeries, and other legacy environments.

👉 Illumio's full post covers mainframe coverage, compensating controls, and Zero Trust alignment in legacy federal environments.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance and secrets management for practitioners who need to connect access control, lifecycle management, and operational security. It is designed for identity and security teams that must govern complex environments without losing sight of the control objective.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org