diff --git a/.buildkite/pipelines/pull-request/part-1-entitlements.yml b/.buildkite/pipelines/pull-request/part-1-entitlements.yml deleted file mode 100644 index abb9edf67484f..0000000000000 --- a/.buildkite/pipelines/pull-request/part-1-entitlements.yml +++ /dev/null @@ -1,11 +0,0 @@ -config: - allow-labels: "test-entitlements" -steps: - - label: part-1-entitlements - command: .ci/scripts/run-gradle.sh -Dignore.tests.seed -Dtests.jvm.argline="-Des.entitlements.enabled=true" checkPart1 - timeout_in_minutes: 300 - agents: - provider: gcp - image: family/elasticsearch-ubuntu-2004 - machineType: custom-32-98304 - buildDirectory: /dev/shm/bk diff --git a/.buildkite/pipelines/pull-request/part-2-entitlements.yml b/.buildkite/pipelines/pull-request/part-2-entitlements.yml deleted file mode 100644 index ef889f3819c5b..0000000000000 --- a/.buildkite/pipelines/pull-request/part-2-entitlements.yml +++ /dev/null @@ -1,11 +0,0 @@ -config: - allow-labels: "test-entitlements" -steps: - - label: part-2-entitlements - command: .ci/scripts/run-gradle.sh -Dignore.tests.seed -Dtests.jvm.argline="-Des.entitlements.enabled=true" checkPart2 - timeout_in_minutes: 300 - agents: - provider: gcp - image: family/elasticsearch-ubuntu-2004 - machineType: custom-32-98304 - buildDirectory: /dev/shm/bk diff --git a/.buildkite/pipelines/pull-request/part-3-entitlements.yml b/.buildkite/pipelines/pull-request/part-3-entitlements.yml deleted file mode 100644 index c31ae5e6a4ce3..0000000000000 --- a/.buildkite/pipelines/pull-request/part-3-entitlements.yml +++ /dev/null @@ -1,11 +0,0 @@ -config: - allow-labels: "test-entitlements" -steps: - - label: part-3-entitlements - command: .ci/scripts/run-gradle.sh -Dignore.tests.seed -Dtests.jvm.argline="-Des.entitlements.enabled=true" checkPart3 - timeout_in_minutes: 300 - agents: - provider: gcp - image: family/elasticsearch-ubuntu-2004 - machineType: custom-32-98304 - buildDirectory: /dev/shm/bk 
diff --git a/.buildkite/pipelines/pull-request/part-4-entitlements.yml b/.buildkite/pipelines/pull-request/part-4-entitlements.yml deleted file mode 100644 index 67172f891b4b6..0000000000000 --- a/.buildkite/pipelines/pull-request/part-4-entitlements.yml +++ /dev/null @@ -1,11 +0,0 @@ -config: - allow-labels: "test-entitlements" -steps: - - label: part-4-entitlements - command: .ci/scripts/run-gradle.sh -Dignore.tests.seed -Dtests.jvm.argline="-Des.entitlements.enabled=true" checkPart4 - timeout_in_minutes: 300 - agents: - provider: gcp - image: family/elasticsearch-ubuntu-2004 - machineType: n1-standard-32 - buildDirectory: /dev/shm/bk diff --git a/.buildkite/pipelines/pull-request/part-5-entitlements.yml b/.buildkite/pipelines/pull-request/part-5-entitlements.yml deleted file mode 100644 index 5a92282361576..0000000000000 --- a/.buildkite/pipelines/pull-request/part-5-entitlements.yml +++ /dev/null @@ -1,11 +0,0 @@ -config: - allow-labels: "test-entitlements" -steps: - - label: part-5-entitlements - command: .ci/scripts/run-gradle.sh -Dignore.tests.seed -Dtests.jvm.argline="-Des.entitlements.enabled=true" checkPart5 - timeout_in_minutes: 300 - agents: - provider: gcp - image: family/elasticsearch-ubuntu-2004 - machineType: custom-32-98304 - buildDirectory: /dev/shm/bk diff --git a/build-tools/src/main/java/org/elasticsearch/gradle/testclusters/RunTask.java b/build-tools/src/main/java/org/elasticsearch/gradle/testclusters/RunTask.java index 54bffd2a14b3d..1e50da3895187 100644 --- a/build-tools/src/main/java/org/elasticsearch/gradle/testclusters/RunTask.java +++ b/build-tools/src/main/java/org/elasticsearch/gradle/testclusters/RunTask.java @@ -42,7 +42,6 @@ public abstract class RunTask extends DefaultTestClustersTask { private Boolean debug = false; private Boolean cliDebug = false; - private Boolean entitlementsEnabled = false; private Boolean apmServerEnabled = false; private Boolean preserveData = false; 
@@ -70,14 +69,6 @@ public void setCliDebug(boolean enabled) { this.cliDebug = enabled; } - @Option( - option = "entitlements", - description = "Use the Entitlements agent system in place of SecurityManager to enforce sandbox policies." - ) - public void setEntitlementsEnabled(boolean enabled) { - this.entitlementsEnabled = enabled; - } - @Input public Boolean getDebug() { return debug; @@ -88,11 +79,6 @@ public Boolean getCliDebug() { return cliDebug; } - @Input - public Boolean getEntitlementsEnabled() { - return entitlementsEnabled; - } - @Input public Boolean getApmServerEnabled() { return apmServerEnabled; @@ -240,9 +226,6 @@ else if (node.getSettingKeys().contains("telemetry.metrics.enabled") == false) { if (cliDebug) { enableCliDebug(); } - if (entitlementsEnabled) { - enableEntitlements(); - } } @TaskAction diff --git a/build-tools/src/main/java/org/elasticsearch/gradle/testclusters/TestClustersAware.java b/build-tools/src/main/java/org/elasticsearch/gradle/testclusters/TestClustersAware.java index 2e313fa73c4ee..4a45e8e4a03c4 100644 --- a/build-tools/src/main/java/org/elasticsearch/gradle/testclusters/TestClustersAware.java +++ b/build-tools/src/main/java/org/elasticsearch/gradle/testclusters/TestClustersAware.java @@ -88,12 +88,4 @@ default void enableCliDebug() { } } } - - default void enableEntitlements() { - for (ElasticsearchCluster cluster : getClusters()) { - for (ElasticsearchNode node : cluster.getNodes()) { - node.cliJvmArgs("-Des.entitlements.enabled=true"); - } - } - } } diff --git a/distribution/tools/server-cli/src/main/java/org/elasticsearch/server/cli/SystemJvmOptions.java b/distribution/tools/server-cli/src/main/java/org/elasticsearch/server/cli/SystemJvmOptions.java index 9e6cec939f0eb..4379e99223474 100644 --- a/distribution/tools/server-cli/src/main/java/org/elasticsearch/server/cli/SystemJvmOptions.java +++ b/distribution/tools/server-cli/src/main/java/org/elasticsearch/server/cli/SystemJvmOptions.java 
@@ -11,8 +11,6 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.EsExecutors; -import org.elasticsearch.core.Booleans; -import org.elasticsearch.jdk.RuntimeVersionFeature; import java.io.IOException; import java.nio.file.Files; @@ -27,9 +25,6 @@ final class SystemJvmOptions { static List systemJvmOptions(Settings nodeSettings, final Map sysprops) { String distroType = sysprops.get("es.distribution.type"); boolean isHotspot = sysprops.getOrDefault("sun.management.compiler", "").contains("HotSpot"); - boolean entitlementsExplicitlyEnabled = Booleans.parseBoolean(sysprops.getOrDefault("es.entitlements.enabled", "true")); - // java 24+ only supports entitlements, but it may be enabled on earlier versions explicitly - boolean useEntitlements = RuntimeVersionFeature.isSecurityManagerAvailable() == false || entitlementsExplicitlyEnabled; return Stream.of( Stream.of( /* @@ -71,13 +66,12 @@ static List systemJvmOptions(Settings nodeSettings, final Map= 24) { - enableNativeAccessOptions.add("--illegal-native-access=deny"); - } + enableNativeAccessOptions.add("--enable-native-access=ALL-UNNAMED"); + if (Runtime.version().feature() >= 24) { + enableNativeAccessOptions.add("--illegal-native-access=deny"); } } return enableNativeAccessOptions.stream(); 
@@ -151,19 +143,7 @@ private static Stream maybeWorkaroundG1Bug() { return Stream.of(); } - private static Stream maybeAllowSecurityManager(boolean useEntitlements) { - if (RuntimeVersionFeature.isSecurityManagerAvailable()) { - // Will become conditional on useEntitlements once entitlements can run without SM - return Stream.of("-Djava.security.manager=allow"); - } - return Stream.of(); - } - - private static Stream maybeAttachEntitlementAgent(boolean useEntitlements) { - if (useEntitlements == false) { - return Stream.empty(); - } - + private static Stream attachEntitlementAgent() { Path dir = Path.of("lib", "entitlement-bridge"); if (Files.exists(dir) == false) { throw new IllegalStateException("Directory for entitlement bridge jar does not exist: " + dir); @@ -182,7 +162,6 @@ private static Stream maybeAttachEntitlementAgent(boolean useEntitlement // into java.base, we must export the bridge from java.base to these modules, as a comma-separated list String modulesContainingEntitlementInstrumentation = "java.logging,java.net.http,java.naming,jdk.net"; return Stream.of( - "-Des.entitlements.enabled=true", "-XX:+EnableDynamicAgentLoading", "-Djdk.attach.allowAttachSelf=true", "--patch-module=java.base=" + bridgeJar, diff --git a/libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsTestRule.java b/libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsTestRule.java index 177570ba5c0f3..ea3e2760fbbfe 100644 --- a/libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsTestRule.java +++ b/libs/entitlement/qa/src/javaRestTest/java/org/elasticsearch/entitlement/qa/EntitlementsTestRule.java 
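Review bot: The `IllegalStateException` in `attachEntitlementAgent` reports only the relative `lib/entitlement-bridge` path, and with the `useEntitlements` early return gone every server launch now reaches this check. `Path.of("lib", "entitlement-bridge")` is resolved against the process working directory, so a launch from the wrong directory fails with a message that does not say where it looked; `"Directory for entitlement bridge jar does not exist: " + dir.toAbsolutePath()` would make that obvious. A short Javadoc stating that the agent is now mandatory and that a missing bridge jar aborts startup would also help. The method body continues past the end of this hunk.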
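Review bot: Dropping `"-Des.entitlements.enabled=true"` from the generated options leaves the property unset in the server JVM, so any remaining reader that defaults to false will conclude that entitlements are off. The two readers removed elsewhere in this commit (`TikaImpl.isUsingSecurityManager` and the static block in `ExampleSecurityExtension`) both used that false default, so out-of-tree plugins modelled on the example may do the same; a search for the property name across plugins is worth doing before merge. `initPhase1` in Elasticsearch.java also stops reading the property, so an operator's explicit `-Des.entitlements.enabled=false` is ignored without any log line; consider a startup warning when the property is present.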
@@ -73,7 +73,6 @@ protected void before() throws Throwable { cluster = ElasticsearchCluster.local() .module("entitled", spec -> buildEntitlements(spec, "org.elasticsearch.entitlement.qa.entitled", ENTITLED_POLICY)) .module("entitlement-test-plugin", spec -> setupEntitlements(spec, modular, policyBuilder)) - .systemProperty("es.entitlements.enabled", "true") .systemProperty("es.entitlements.testdir", () -> testDir.getRoot().getAbsolutePath()) .setting("xpack.security.enabled", "false") // Logs in libs/entitlement/qa/build/test-results/javaRestTest/TEST-org.elasticsearch.entitlement.qa.EntitlementsXXX.xml diff --git a/modules/analysis-common/build.gradle b/modules/analysis-common/build.gradle index a2d00b5276a02..a1aec95b4b6d6 100644 --- a/modules/analysis-common/build.gradle +++ b/modules/analysis-common/build.gradle @@ -38,14 +38,11 @@ tasks.named("yamlRestCompatTestTransform").configure { task -> } tasks.named("yamlRestTest").configure { - if (buildParams.getRuntimeJavaVersion().map{ it.majorVersion.toInteger() }.get() >= 24 || - "-Des.entitlements.enabled=true".equals(System.getProperty("tests.jvm.argline"))) { - systemProperty 'tests.rest.blacklist', - [ - // AWAITSFIX: this test relies on security manager, which doesn't exist in JDK 24. - // and entitlements don't yet replace the functionality. - // see https://github.com/elastic/elasticsearch/issues/119130 - 'analysis-common/40_token_filters/stemmer_override file access', - ].join(',') - } + systemProperty 'tests.rest.blacklist', + [ + // AWAITSFIX: this test relies on security manager, which doesn't exist in JDK 24. + // and entitlements don't yet replace the functionality. + // see https://github.com/elastic/elasticsearch/issues/119130 + 'analysis-common/40_token_filters/stemmer_override file access', + ].join(',') } 
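Review bot: The AWAITSFIX comment in the `yamlRestTest` block still justifies the skip with "security manager, which doesn't exist in JDK 24", but the blacklist is now applied on every JDK, so `stemmer_override file access` no longer runs anywhere. Judging by its name, that test is the REST-level check that this module cannot read arbitrary files, which means the containment it covered is currently untested until the linked issue is resolved. Suggest rewording the comment to match, e.g. `// AWAITSFIX: relied on SecurityManager file checks; entitlements don't yet replace them, so this is skipped on all JDKs.`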
diff --git a/modules/apm/src/javaRestTest/java/org/elasticsearch/telemetry/apm/ApmAgentSettingsIT.java b/modules/apm/src/javaRestTest/java/org/elasticsearch/telemetry/apm/ApmAgentSettingsIT.java index ee26178723608..16f6fb1bf8ace 100644 --- a/modules/apm/src/javaRestTest/java/org/elasticsearch/telemetry/apm/ApmAgentSettingsIT.java +++ b/modules/apm/src/javaRestTest/java/org/elasticsearch/telemetry/apm/ApmAgentSettingsIT.java @@ -18,10 +18,7 @@ public class ApmAgentSettingsIT extends ESRestTestCase { @ClassRule - public static ElasticsearchCluster cluster = ElasticsearchCluster.local() - .module("apm") - .systemProperty("es.entitlements.enabled", "true") - .build(); + public static ElasticsearchCluster cluster = ElasticsearchCluster.local().module("apm").build(); @Override protected String getTestRestCluster() { diff --git a/modules/ingest-attachment/src/main/java/org/elasticsearch/ingest/attachment/TikaImpl.java b/modules/ingest-attachment/src/main/java/org/elasticsearch/ingest/attachment/TikaImpl.java index 1b8bf67ff6fec..b72747bd27c56 100644 --- a/modules/ingest-attachment/src/main/java/org/elasticsearch/ingest/attachment/TikaImpl.java +++ b/modules/ingest-attachment/src/main/java/org/elasticsearch/ingest/attachment/TikaImpl.java @@ -18,11 +18,9 @@ import org.apache.tika.parser.ParserDecorator; import org.elasticsearch.SpecialPermission; import org.elasticsearch.bootstrap.FilePermissionUtils; -import org.elasticsearch.core.Booleans; import org.elasticsearch.core.PathUtils; import org.elasticsearch.core.SuppressForbidden; import org.elasticsearch.jdk.JarHell; -import org.elasticsearch.jdk.RuntimeVersionFeature; import java.io.ByteArrayInputStream; import java.io.IOException; @@ -39,7 +37,6 @@ import java.security.Permissions; import java.security.PrivilegedActionException; import java.security.PrivilegedExceptionAction; -import java.security.ProtectionDomain; import java.security.SecurityPermission; import java.util.Arrays; import java.util.HashSet; 
@@ -124,15 +121,7 @@ static String parse(final byte content[], final Metadata metadata, final int lim // apply additional containment for parsers, this is intersected with the current permissions // its hairy, but worth it so we don't have some XML flaw reading random crap from the FS - private static final AccessControlContext RESTRICTED_CONTEXT = isUsingSecurityManager() - ? new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, getRestrictedPermissions()) }) - : null; - - private static boolean isUsingSecurityManager() { - boolean entitlementsEnabled = Booleans.parseBoolean(System.getProperty("es.entitlements.enabled"), false) - || RuntimeVersionFeature.isSecurityManagerAvailable() == false; - return entitlementsEnabled == false; - } + private static final AccessControlContext RESTRICTED_CONTEXT = null; // compute some minimal permissions for parsers. they only get r/w access to the java temp directory, // the ability to load some resources from JARs, and read sysprops diff --git a/server/src/main/java/org/elasticsearch/bootstrap/Bootstrap.java b/server/src/main/java/org/elasticsearch/bootstrap/Bootstrap.java index 4c7fb96c5b1d5..56d185645e149 100644 --- a/server/src/main/java/org/elasticsearch/bootstrap/Bootstrap.java +++ b/server/src/main/java/org/elasticsearch/bootstrap/Bootstrap.java @@ -33,7 +33,6 @@ class Bootstrap { // arguments from the CLI process private final ServerArgs args; - private final boolean useEntitlements; // controller for spawning component subprocesses private final Spawner spawner = new Spawner(); 
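Review bot: `RESTRICTED_CONTEXT` is now the constant `null`, yet the comment directly above it still promises "additional containment for parsers" that is "intersected with the current permissions". With a null context the privileged parse call gets no extra restriction, so protection against a parser flaw reading from the filesystem rests entirely on this module's entitlement policy, which is not visible in this diff and should be confirmed to be at least as tight as the old temp-directory-only permissions. The kept imports of `Permissions` and `SecurityPermission` suggest `getRestrictedPermissions()` and its helpers remain as unused code (inferred from the import hunks). Suggest replacing the comment with `// parser containment is enforced by this module's entitlement policy; no AccessControlContext is applied` and removing the field and the dead permission code in a follow-up.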
@@ -47,11 +46,10 @@ class Bootstrap { // loads information about plugins required for entitlements in phase 2, used by plugins service in phase 3 private final SetOnce pluginsLoader = new SetOnce<>(); - Bootstrap(PrintStream out, PrintStream err, ServerArgs args, boolean useEntitlements) { + Bootstrap(PrintStream out, PrintStream err, ServerArgs args) { this.out = out; this.err = err; this.args = args; - this.useEntitlements = useEntitlements; } ServerArgs args() { @@ -62,10 +60,6 @@ Spawner spawner() { return spawner; } - public boolean useEntitlements() { - return useEntitlements; - } - void setSecureSettings(SecureSettings secureSettings) { this.secureSettings.set(secureSettings); } diff --git a/server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java b/server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java index c1b8ed47e6575..e8aa5798cce1e 100644 --- a/server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java +++ b/server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java @@ -28,7 +28,6 @@ import org.elasticsearch.common.transport.BoundTransportAddress; import org.elasticsearch.common.util.concurrent.RunOnce; import org.elasticsearch.core.AbstractRefCounted; -import org.elasticsearch.core.Booleans; import org.elasticsearch.core.CheckedConsumer; import org.elasticsearch.core.IOUtils; import org.elasticsearch.core.SuppressForbidden; @@ -40,7 +39,6 @@ import org.elasticsearch.env.Environment; import org.elasticsearch.index.IndexVersion; import org.elasticsearch.jdk.JarHell; -import org.elasticsearch.jdk.RuntimeVersionFeature; import org.elasticsearch.monitor.jvm.HotThreads; import org.elasticsearch.monitor.jvm.JvmInfo; import org.elasticsearch.monitor.os.OsProbe; @@ -60,7 +58,6 @@ import java.lang.reflect.InvocationTargetException; import java.nio.file.Files; import java.nio.file.Path; -import java.security.Permission; import java.security.Security; import java.util.ArrayList; import java.util.HashMap; 
@@ -74,7 +71,6 @@ import java.util.stream.Collectors; import java.util.stream.Stream; -import static org.elasticsearch.bootstrap.BootstrapSettings.SECURITY_FILTER_BAD_DEFAULTS_SETTING; import static org.elasticsearch.nativeaccess.WindowsFunctions.ConsoleCtrlHandler.CTRL_CLOSE_EVENT; /** @@ -122,25 +118,9 @@ private static Bootstrap initPhase1() { final PrintStream out = getStdout(); final PrintStream err = getStderr(); final ServerArgs args; - final boolean entitlementsEnabled = Booleans.parseBoolean(System.getProperty("es.entitlements.enabled", "true")); - // java 24+ only supports entitlements, but it may be enabled on earlier versions explicitly - final boolean useEntitlements = RuntimeVersionFeature.isSecurityManagerAvailable() == false || entitlementsEnabled; try { initSecurityProperties(); - /* - * We want the JVM to think there is a security manager installed so that if internal policy decisions that would be based on - * the presence of a security manager or lack thereof act as if there is a security manager present (e.g., DNS cache policy). - * This forces such policies to take effect immediately. - */ - if (useEntitlements == false && RuntimeVersionFeature.isSecurityManagerAvailable()) { - org.elasticsearch.bootstrap.Security.setSecurityManager(new SecurityManager() { - @Override - public void checkPermission(Permission perm) { - // grant all permissions so that we can later set the security manager to the one that we want - } - }); - } LogConfigurator.registerErrorListener(); BootstrapInfo.init(); @@ -166,7 +146,7 @@ public void checkPermission(Permission perm) { return null; // unreachable, to satisfy compiler } - return new Bootstrap(out, err, args, useEntitlements); + return new Bootstrap(out, err, args); } /** 
@@ -231,53 +211,42 @@ private static void initPhase2(Bootstrap bootstrap) throws IOException { var modulesBundles = PluginsLoader.loadModulesBundles(nodeEnv.modulesDir()); var pluginsBundles = PluginsLoader.loadPluginsBundles(nodeEnv.pluginsDir()); - final PluginsLoader pluginsLoader; - - if (bootstrap.useEntitlements()) { - LogManager.getLogger(Elasticsearch.class).info("Bootstrapping Entitlements"); - - var pluginData = Stream.concat( - modulesBundles.stream() - .map(bundle -> new PolicyParserUtils.PluginData(bundle.getDir(), bundle.pluginDescriptor().isModular(), false)), - pluginsBundles.stream() - .map(bundle -> new PolicyParserUtils.PluginData(bundle.getDir(), bundle.pluginDescriptor().isModular(), true)) - ).toList(); - var pluginPolicies = PolicyParserUtils.createPluginPolicies(pluginData); - - pluginsLoader = PluginsLoader.createPluginsLoader(modulesBundles, pluginsBundles, findPluginsWithNativeAccess(pluginPolicies)); - - var pluginsResolver = PluginsResolver.create(pluginsLoader); - Map sourcePaths = Stream.concat(modulesBundles.stream(), pluginsBundles.stream()) - .collect(Collectors.toUnmodifiableMap(bundle -> bundle.pluginDescriptor().getName(), PluginBundle::getDir)); - EntitlementBootstrap.bootstrap( - pluginPolicies, - pluginsResolver::resolveClassToPluginName, - nodeEnv.settings()::getValues, - nodeEnv.dataDirs(), - nodeEnv.repoDirs(), - nodeEnv.configDir(), - nodeEnv.libDir(), - nodeEnv.modulesDir(), - nodeEnv.pluginsDir(), - sourcePaths, - nodeEnv.logsDir(), - nodeEnv.tmpDir(), - args.pidFile(), - Set.of(EntitlementSelfTester.class) - ); - EntitlementSelfTester.entitlementSelfTest(); - } else { - assert RuntimeVersionFeature.isSecurityManagerAvailable(); - // no need to explicitly enable native access for legacy code - pluginsLoader = PluginsLoader.createPluginsLoader(modulesBundles, pluginsBundles, Map.of()); - // install SM after natives, shutdown hooks, etc. 
- LogManager.getLogger(Elasticsearch.class).info("Bootstrapping java SecurityManager"); - org.elasticsearch.bootstrap.Security.configure( - nodeEnv, - SECURITY_FILTER_BAD_DEFAULTS_SETTING.get(args.nodeSettings()), - args.pidFile() - ); - } + LogManager.getLogger(Elasticsearch.class).info("Bootstrapping Entitlements"); + + var pluginData = Stream.concat( + modulesBundles.stream() + .map(bundle -> new PolicyParserUtils.PluginData(bundle.getDir(), bundle.pluginDescriptor().isModular(), false)), + pluginsBundles.stream() + .map(bundle -> new PolicyParserUtils.PluginData(bundle.getDir(), bundle.pluginDescriptor().isModular(), true)) + ).toList(); + var pluginPolicies = PolicyParserUtils.createPluginPolicies(pluginData); + + final PluginsLoader pluginsLoader = PluginsLoader.createPluginsLoader( + modulesBundles, + pluginsBundles, + findPluginsWithNativeAccess(pluginPolicies) + ); + + var pluginsResolver = PluginsResolver.create(pluginsLoader); + Map sourcePaths = Stream.concat(modulesBundles.stream(), pluginsBundles.stream()) + .collect(Collectors.toUnmodifiableMap(bundle -> bundle.pluginDescriptor().getName(), PluginBundle::getDir)); + EntitlementBootstrap.bootstrap( + pluginPolicies, + pluginsResolver::resolveClassToPluginName, + nodeEnv.settings()::getValues, + nodeEnv.dataDirs(), + nodeEnv.repoDirs(), + nodeEnv.configDir(), + nodeEnv.libDir(), + nodeEnv.modulesDir(), + nodeEnv.pluginsDir(), + sourcePaths, + nodeEnv.logsDir(), + nodeEnv.tmpDir(), + args.pidFile(), + Set.of(EntitlementSelfTester.class) + ); + EntitlementSelfTester.entitlementSelfTest(); bootstrap.setPluginsLoader(pluginsLoader); } @@ -351,9 +320,6 @@ protected void validateNodeBeforeAcceptingRequests( List checks ) throws NodeValidationException { var additionalChecks = new ArrayList<>(checks); - if (bootstrap.useEntitlements() == false) { - additionalChecks.add(new BootstrapChecks.AllPermissionCheck()); - } BootstrapChecks.check(context, boundTransportAddress, additionalChecks); } }; 
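Review bot: In `validateNodeBeforeAcceptingRequests`, `additionalChecks` is now a copy of `checks` that nothing is ever added to; unless `BootstrapChecks.check` needs a mutable list, the copy can go and the call becomes `BootstrapChecks.check(context, boundTransportAddress, checks);`. The removed `AllPermissionCheck` was a startup guard against an over-broad policy; whether the entitlement bootstrap has an equivalent guard is not visible here, so a comment saying where that is enforced would help. The method signature starts outside this hunk.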
diff --git a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/ssl/SslEntitlementRestIT.java b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/ssl/SslEntitlementRestIT.java index f661bb04dc3da..c34e7d24e1fe7 100644 --- a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/ssl/SslEntitlementRestIT.java +++ b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/ssl/SslEntitlementRestIT.java @@ -32,7 +32,6 @@ public class SslEntitlementRestIT extends ESRestTestCase { public static ElasticsearchCluster cluster = ElasticsearchCluster.local() .apply(SecurityOnTrialLicenseRestTestCase.commonTrialSecurityClusterConfig) .settings(settingsProvider) - .systemProperty("es.entitlements.enabled", "true") .build(); @Override diff --git a/x-pack/qa/security-example-spi-extension/src/main/java/org/elasticsearch/example/ExampleSecurityExtension.java b/x-pack/qa/security-example-spi-extension/src/main/java/org/elasticsearch/example/ExampleSecurityExtension.java index 5d8684bf32f89..b35d5669b1c3d 100644 --- a/x-pack/qa/security-example-spi-extension/src/main/java/org/elasticsearch/example/ExampleSecurityExtension.java +++ b/x-pack/qa/security-example-spi-extension/src/main/java/org/elasticsearch/example/ExampleSecurityExtension.java 
@@ -11,14 +11,11 @@ import org.elasticsearch.example.realm.CustomRealm; import org.elasticsearch.example.realm.CustomRoleMappingRealm; import org.elasticsearch.example.role.CustomInMemoryRolesProvider; -import org.elasticsearch.jdk.RuntimeVersionFeature; import org.elasticsearch.xpack.core.security.SecurityExtension; import org.elasticsearch.xpack.core.security.authc.AuthenticationFailureHandler; import org.elasticsearch.xpack.core.security.authc.Realm; import org.elasticsearch.xpack.core.security.authz.store.RoleRetrievalResult; -import java.security.AccessController; -import java.security.PrivilegedAction; import java.util.Arrays; import java.util.Collections; import java.util.HashMap; @@ -35,17 +32,6 @@ */ public class ExampleSecurityExtension implements SecurityExtension { - static { - final boolean useEntitlements = Boolean.parseBoolean(System.getProperty("es.entitlements.enabled")); - if (useEntitlements == false && RuntimeVersionFeature.isSecurityManagerAvailable()) { - // check that the extension's policy works. - AccessController.doPrivileged((PrivilegedAction) () -> { - System.getSecurityManager().checkPropertyAccess("myproperty"); - return null; - }); - } - } - @Override public String extensionName() { return "example";