    What Is Threatening IBM i Security Now

    March 16, 2026 Alex Woodie

    The nature of cybersecurity threats is always changing, which requires constant vigilance by those who value security. IBM i is just as exposed to threats as any other networked operating system on the planet, but it’s also unique in certain ways, which actually makes security harder. To get the lowdown on how these phenomena interrelate in the first quarter of 2026, we turn to renowned IBM i security expert Carol Woodbury from Kisco.

    Woodbury recently sat down with Justin Loeber, the Kisco owner and head of business development, to present a webinar titled IBM i Threat Landscape 2026: A Fireside Chat with Carol Woodbury. While there actually was no fire, there was useful information shared for anyone who wants to keep their IBM i servers secure amid the never-ending onslaught of bad actors, sloppy admins, social exploits, and apparently now AI.

    Here’s a summary of Woodbury’s and Loeber’s presentation, which you can also watch here.

    Software Vulnerabilities

    Weak code creates holes through which malware and hackers can attack any piece of software. We saw Microsoft struggle for years with vulnerabilities in its platform and application code before taking steps to mitigate the pain. IBM and its IBM i server have much better reputations for building and running solid business software, but no code is completely immune from weakness. And considering the amount of open source software running on IBM i today, it’s really out of IBM’s hands anyway.

    “If you think that IBM i is immune from vulnerabilities that affect things like open source, or even the IBM i operating system itself, all you have to do is go out to this website [https://www.cve.org/], type IBM i in the search, and you’ll come up with all of the ones that have been logged along with the links to the fixes,” Woodbury said. “It’s right there in black and white.”

    Loeber also encouraged IBM i admins to sign up with IBM to receive security alerts. There is also Doug Bidwell’s IBM i PTF Guide, which we publish every week on these IT Jungle pages.

    In other words, ignorance is no longer an option.

    The Old IBM i Authority End-Run

    The risk posed by powerful user profiles is not new. It’s something that comes up every year in Fortra’s State of IBM i Security report, which finds the majority of IBM i shops do not abide by best practices to minimize them. And even when IBM i shops think they have locked down their system by limiting user access from a 5250 screen, there are ways around it.

    “One of the things that a lot of people don’t understand is that you can run SQL commands from Run SQL Scripts,” Woodbury said. “And IBM has provided us with a lot of examples that we can use just on our own to discover various security settings and a lot of other different kinds of settings.”

    During the webinar, Woodbury showed how a user could use Run SQL Scripts to hunt for libraries where the public authority has not been set to *EXCLUDE and where files can be modified. Users without any special authorities can actually gain quite a bit of power on a system that hasn’t been correctly configured.

    During penetration test engagements, Woodbury will often look for user profiles that are not set to public *EXCLUDE. It sounds bad, but it’s actually quite common for IBM i servers to have powerful user profiles that are not locked down and that can be co-opted by bad actors.

    “Oh, looky here,” she said. “This is a user profile that has all special authorities but is not public *EXCLUDE. I wish this was a rare occurrence, but it is not.”
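
    The two checks described in this section, written as an audit a security officer can run from Run SQL Scripts. This is an added example, not the SQL shown in the webinar; it assumes the IBM i services QSYS2.OBJECT_PRIVILEGES and QSYS2.USER_INFO are available at your release level and that you run it with enough authority to see every profile. The profile name in the remediation comment is a placeholder.

```sql
-- Added audit example (not from the webinar).
-- 1) User profiles whose *PUBLIC authority is anything other than *EXCLUDE,
--    listed with their special authorities so the riskiest rows sort first.
SELECT p.SYSTEM_OBJECT_NAME AS USER_PROFILE,
       p.OBJECT_AUTHORITY   AS PUBLIC_AUTHORITY,
       u.STATUS,
       u.SPECIAL_AUTHORITIES,
       u.PREVIOUS_SIGNON
  FROM QSYS2.OBJECT_PRIVILEGES p
  JOIN QSYS2.USER_INFO u
    ON u.AUTHORIZATION_NAME = p.SYSTEM_OBJECT_NAME
 WHERE p.SYSTEM_OBJECT_SCHEMA = 'QSYS'
   AND p.OBJECT_TYPE = '*USRPRF'
   AND p.AUTHORIZATION_NAME = '*PUBLIC'
   AND p.OBJECT_AUTHORITY <> '*EXCLUDE'
 ORDER BY CASE WHEN u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%' THEN 0 ELSE 1 END,
          p.SYSTEM_OBJECT_NAME;

-- A row showing *AUTL means the public authority comes from the
-- authorization list securing the profile; review that list separately.

-- Remediation for each profile found (CL command; MYPROFILE is a placeholder):
--   GRTOBJAUT OBJ(QSYS/MYPROFILE) OBJTYPE(*USRPRF) USER(*PUBLIC) AUT(*EXCLUDE)

-- 2) Libraries where *PUBLIC is not *EXCLUDE. Libraries are objects in QSYS,
--    so the same view answers the question with OBJECT_TYPE = '*LIB'.
--    Q-prefixed names are skipped here only to keep the first pass short;
--    that filter is a convenience assumption, not a security boundary.
SELECT p.SYSTEM_OBJECT_NAME AS LIBRARY,
       p.OBJECT_AUTHORITY   AS PUBLIC_AUTHORITY,
       p.OWNER,
       p.AUTHORIZATION_LIST
  FROM QSYS2.OBJECT_PRIVILEGES p
 WHERE p.SYSTEM_OBJECT_SCHEMA = 'QSYS'
   AND p.OBJECT_TYPE = '*LIB'
   AND p.AUTHORIZATION_NAME = '*PUBLIC'
   AND p.OBJECT_AUTHORITY <> '*EXCLUDE'
   AND p.SYSTEM_OBJECT_NAME NOT LIKE 'Q%'
 ORDER BY p.SYSTEM_OBJECT_NAME;
```

    Both result sets should be empty, or every remaining row explained, before the system is considered locked down; rerun the queries after any new library or profile is created, since new objects inherit their public authority from system and library defaults.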

    Hijacking User Profiles

    Woodbury demonstrated how her humble user profile without any special authorities was able to use Run SQL Scripts to spot another user profile with powerful authorities. Next, she showed how she could run a few simple commands to essentially hijack that powerful user to gain full access to the system.

    “Now I have command line access and I can run whatever I want to,” she said. “I can look at all of the user profiles in the system. I could have modified or deleted them. I can work with any object on the system . . . I can do whatever I want to because, again, I have all special authorities. So again, I wish this was an isolated case, but we tend to find these types of configurations more than less when we do our security assessments and penetration tests.”

    IBM i is clearly vulnerable to these sorts of attacks, Loeber said. “Not only is IBM i vulnerable to attacks, it could be more vulnerable than other systems in your environment because of hidden configurations like this that create a pathway for a regular user with no authorities to kind of hijack the system and get in with unintended authorities.”

    Security Through Obscurity

    It’s true that it takes some knowledge of IBM i to pull off the hijack scenario that Woodbury demonstrated. Not everyone knows how to do an end run around the command line and use the incredible power of SQL to hunt for unprotected user profiles, and then to execute commands through that user profile. But thanks to the power of AI, that knowledge is just a few strokes of the keyboard away.

    AI can help users navigate IBM i like experts. (Source: Kisco)

    “All I have to do is go to Google,” Woodbury said. “I’m using the Gemini AI in this case, and all I did was search for what SQL will list all the libraries on IBM i, and up it came. So it’s very easy to find out more information about IBM i, either through IBM itself or via a simple search.”

    Gemini – and pretty much any other publicly accessible large language model – can also be used to give you a list of software vulnerabilities on IBM i (and although Woodbury didn’t say it, you can probably get an AI model to generate some exploit code for you, if you ask nicely). “Even Microsoft Copilot can come up with information on IBM i,” Woodbury said. “We really cannot keep our head in the sand.”

    Security through obscurity was never something you wanted to bank on. However, so-called legacy systems like IBM i and the System z mainframe did present as a black box to the outside world. AI has completely destroyed whatever protection security through obscurity offered, Loeber said.

    “To be clear, we don’t view IBM as a legacy technology, but man, it’s still running today with a security configuration from ten to 20 years ago,” Loeber said. “Some of those risks that we saw, like user profiles that have public party to them and things like that, you may not know that that stuff’s lurking in your system. And so that is the use case behind security assessment and penetration testing services from Kisco Systems.”

    Agentic AI

    The world is rushing headlong into agentic AI, which supposedly will cast off the yoke of office drudgery from around our collective necks and allow us to live out our lives in resplendent bliss on the beach with a tropical drink in hand.

    In the real world, agentic AI is one more security risk to add to a list of security risks that is already quite long.

    “The idea with agents is that they’re supposed to be our brains and they’re supposed to figure out what work we do and then do that work for us, which is great,” Woodbury said. “But then it’s supposed to even do a little bit more as it talks to other parts of the organization, and quite frankly, can go rogue.”

    Kisco recommends not allowing AI agents on IBM i to interact with each other. (Source: Kisco)

    Anyone who claims that you can set AI agents loose on an organization without any human oversight may need to have their heads examined. Woodbury was more diplomatic: “They claim that nobody has to be in the middle of this reviewing it. I would claim that there will always need to be a person looking at the flows to make sure that they still are in compliance and are doing actually what they’re supposed to do and have not gone rogue,” she said.

    AI agents are like other users on the IBM i system that have user profiles, and they should be configured as such, with as little authority as possible. Woodbury also encouraged IBM i shops to minimize connections among AI agents.

    MCP Security

    Loeber related how he attended an IBM demo on AI that featured Model Context Protocol (MCP), which is the protocol developed by Anthropic in late 2024 that allows agents to talk to each other and access data sources. MCP has quickly become a standard, and even IBM now is working on an MCP server for IBM i.

    “It was very interesting, but there was very little messaging around security for it,” Loeber said of the IBM demo.

    The reality is that, while MCP is powerful, it is still quite new. There were no security features built into MCP with the first release, and while there have been some steps to improve MCP security in 2025, such as the addition of OAuth 2.1 authentication and better authorization models, it’s still quite green on the security front.

    This means that any IBM i shops that want to adopt MCP for agentic AI should treat MCP as not secure and therefore build security everywhere around it.

    “When it comes to IBM i, the really important thing to remember or to take into consideration is behind every agent, there’s a query,” Loeber said. “Governance around agentic AI has a lot to do with governance around data access, just like you would for any other system.”

    IBM is positioning its new Mapepire database client as the go-to client for AI and MCP connections. Under the covers, Mapepire is essentially ODBC, Loeber said, so all the security precautions that an IBM i shop would take around locking down their ODBC connections also apply to IBM i Mapepire connections for AI.

    “Just to reiterate these ODBC security concerns, all these connections directly to the database bypass all your application security in terms of menu security and things like that,” he said. “These connections allow users coming in through these types of connections, including your agents, to have access to any unsecured file object and can even execute CL commands.”

    Lack Of Visibility

    Kisco is working with a customer on an agentic AI project, and one of the challenges is to gain visibility into everything the agents are doing, as well as to lock the agents down.

    “We’ve been able to use the SQL server exit points and other exit points to track activity around those agent user profiles. And then there’s a lot of information in the security audit journal. And we’ve been looking at some outbound SK [journal entries], which is basically a socket or IP traffic to identify when agent programs connect to an external API,” Loeber said.

    While IBM i offers comprehensive logging through the audit journal, it needs to be consumed within the context of activity from other systems to get a true picture of the company’s overall security exposure. In many cases, that involves moving IBM i journal data to a third-party security information and event management (SIEM) tool to combine and analyze data from multiple servers, systems, and networks in a single place.

    “A lot of times our view is siloed,” Woodbury said. “You have the rest of the organization, and then you have IBM i, and only the IBM i people look at IBM i. But this still doesn’t tell you the complete picture. It’s only when you put the two together that you have the full picture and actually know what is going on in your organization.”

    Social Engineering

    Allowing people to call the help desk for things like password resets is a necessary part of running an IT department. However, the help desk is a weak point in the security scheme, because it is vulnerable to social engineering attacks.

    “This quite frankly is often the entry point into an organization for a breach,” Woodbury said. “Help desks are conditioned to be helpful, but sometimes they’re too helpful. There’s a lot of ways that bad actors are using that information to gain access into organizations.”

    The number one protection for social engineering is counter programming among employees. Companies must train their employees to understand that if they are receiving phone calls, texts, or emails with any sense of urgency, then it is likely a scam, Woodbury said. “That just has to be drilled into people’s minds that that is a problem,” she said. “And then there’s deep fakes.”

    This is not an effective security policy. (Source: Kisco)

    AI has gotten so good that it’s quite easy to generate convincing, but fake, videos of executives within companies. These deep fakes can also contain AI-generated malware, which customers may unknowingly load onto their laptops, Woodbury said. When you combine poor security configurations, inactive user profiles, unprotected files, and a lack of monitoring, it can all add up as leverage for the bad guys to get what they want.

    Insider Threats

    Images of foreign hackers taking over servers may haunt your security administrator’s dreams, but a bigger threat may lurk within the four walls of your headquarters. It’s time to face the growing threat of insiders, Woodbury said.

    “No one wants to admit, but there is a rise in employees doing bad things,” she said. “I’ve tried to broach this topic with people before and they’re like ‘Oh, but we trust our employees and absolutely trust your employees, otherwise they wouldn’t be your employees.’ But the fact of the matter is, there are things going on in people’s lives that cause them to do things that they wouldn’t normally do or wouldn’t have done when they were first hired. And it’s not going to happen to everybody, but you have to admit that it can happen.”

    We may not expect our data to be hacked or lost, but we still take basic precautions to protect against unauthorized data access and data loss. The same should go for insiders, especially those with elevated access to IBM i systems. This is especially important as the threats of AI and social engineering converge, Woodbury said.

    “If somebody is vulnerable to a social engineering attack, we’re now seeing agentic AI go through the entire organization using that one person’s credentials,” she said. “So again, making sure that users only have enough authority that they require to do their job, implementing MFA so that that can interrupt that attack.”

TFH Volume: 36 Issue: 10