The CICS region is being upgraded and and only transactions are validated.  All transactions have rules and are on the ACF2 SAFELIST in the ACF2/CICS parm deck.  Is that OK?

Release : 16.0

Component : CA ACF2 for z/OS

The first thing that ACF2 does is check to see what is validated, and what is on the SAFELIST and the PROTLIST.  If a transaction is only on the SAFELIST, then no validation is done and the rules are never checked.  Only the IBM transactions should be on the SAFELIST, like the signon transactions (CESN, CESL, CESF, etc.) and other important IBM transactions.  All other transactions and high security IBM transactions, (like CEMT, CEDA, etc.) should be on the PROTLIST, as well as all user defined transactions.  Then rules will be checked after signon.  ACF2 has a sample transaction list supplied with the install of ACF2/CICS in library   ACF2.CAX1MAC1(ACFPARM)