I think that IBM planned that a customer would have one trusted employee who understood the legitimate requirements within the customer’s organization for access to data of the various application programs that ran in the customer’s data center. That employee would also be expert in the various tools provided by the operating system to provide and limit this access. That employee was also responsible for gross allocation of hardware resources. Assuming this it is easy to see why such OSes, like MVS, were unsuitable for timesharing. A critical element of Keykos was to decentralize these tasks. If two app owners thought it appropriate to communicate, they did not need to inform a third person. If FS had anything new to contribute to this, it has not escaped into the wild as far as I know.
System 38, aka AS/400, aka Series i, aka IBM i, is known to customers as a black box which runs a fairly small set of applications written by a very small set of developers. Such systems have a reputation of being rock solid and not requiring system wizards that attend to the machine, except on those rare occasions where they are indeed required. In such cases IBM supplies such wizards on demand. I have no idea what sorts of magic they wield. I have no idea what has become of the 16 byte pointers mentioned in passing in the memo—were they, are they protected, by hardware or by safe intermediate languages?
I believe that IBM has never sold these systems on any bases of solving novel security problems, but only in support of reliability and availability.
Lynn Wheeler’s Nexus
A management theory view of IBM & FS (Same author & subject: GRANDEUR ET DÉCLIN D'IBM) (Thanks to “École de Paris du management” and the Web Archive)
Sowa’s recent notes