SOFTWARE ISOLATION USING EVENT DRIVEN MULTI-THREADING
Abstract:
Enhanced security for multiple software processes executing on a computer system is provided by isolating those processes from each other and from access to system hardware resources. Embodiments provide such isolation by executing the kernel software that manages hardware and controls the physical address space on a separate hardware thread (e.g., in an isolation domain) from the process threads executing application programs (e.g., in execution domains). This renders the software executing in the isolation domain safe from privilege escalation attacks and permits implementation of enforceable isolation between execution systems. A multithreaded processor having switch-on-event multithreading is used to provide software isolation and hardware-controlled handling of a subset of system services by a different hardware thread than the one requesting the service.