Why VMware Audit Risk Has Escalated Under Broadcom

When Broadcom completed its acquisition of VMware in November 2023 and moved swiftly to eliminate perpetual licence sales in early 2024, it fundamentally changed the commercial relationship between VMware and its enterprise customer base. The old model — buy a perpetual licence once, pay annual support — gave customers stability and predictability. The new model is subscription-only, core-based, and actively monitored through telemetry.

This shift matters enormously from a compliance standpoint. Under a perpetual model, a customer who had already paid for licences was largely protected from audit exposure on previously acquired entitlements. Under a subscription model with mandatory telemetry, every host, every core, and every enabled feature is continuously visible to Broadcom. Compliance gaps that were previously invisible are now automatically surfaced.

For organisations that have not carefully mapped their VMware consumption to their contracted entitlements, the exposure is significant. Industry analysts estimate that over 80% of enterprises carry material licence compliance gaps that could lead to six- or seven-figure true-up demands upon audit.

Client example: In one engagement, a global energy company discovered they had 47 ESXi hosts consuming cores beyond their VCF subscription tier. Broadcom's telemetry had already logged the consumption pattern. Redress restructured the subscription scope before the formal audit cycle triggered, avoiding a retroactive true-up that would have been $1.8M. The engagement completed in six weeks. The client now runs quarterly telemetry reviews as standard practice.

The 2024 Licensing Transformation: Perpetual to Subscription

Effective early 2024, Broadcom ceased sales of perpetual VMware licences entirely. Customers who held existing perpetual licences were permitted to continue using them but could no longer purchase new perpetual entitlements, nor could they renew their legacy support and subscription (SnS) agreements in perpetuity. Once existing support contracts expire, the only path forward is conversion to a subscription product.

Alongside this change, Broadcom restructured VMware's product catalogue. Dozens of individual SKUs were consolidated into a small number of bundled subscription tiers — primarily VMware Cloud Foundation (VCF) and vSphere Foundation (VVF). Customers who previously purchased only what they needed now face minimum bundles that include components they may not use, at pricing that reflects a fundamentally different commercial intent.

"Support cost increases of 3–5× are typical under Broadcom's subscription model. Some enterprises — particularly those on legacy SnS agreements — have reported increases exceeding 1,000%."

The metric also changed. VMware previously licensed vSphere and related products on a per-CPU socket basis. Broadcom now licenses on a per-core basis, with every physical core on every licensed host counting toward entitlement. This is not merely a pricing mechanic — it is a compliance mechanic. Every server upgrade or host addition that increases total core count creates a new licensing obligation that must be met before the environment goes live.

Support Cost Increases: The Commercial Reality

For most enterprises receiving their first Broadcom renewal quote in 2024 or 2025, the number was a shock. Support cost increases of 3–5× are typical for customers converting from legacy VMware SnS agreements to Broadcom subscriptions. Some mid-market customers with older, more granular licence portfolios have reported increases of 5–10×. In the most extreme documented case — AT&T's dispute with Broadcom — the proposed increase was over 1,000%.

The drivers of these increases are structural, not temporary. Broadcom consolidated the VMware product line specifically to eliminate the ability of customers to buy narrow, targeted licences. By forcing migration into bundled tiers, every customer pays for the full feature set whether or not they use it. The shift from per-socket to per-core pricing adds further cost for any customer running modern high-core-count processors. And the elimination of perpetual licences transforms a capital expenditure that lasted indefinitely into a recurring operational expenditure that grows each year.

Critically, a 20% late-renewal penalty applies if a subscription expires and the customer attempts to renew after lapse. This creates commercial urgency that Broadcom's sales teams exploit during negotiation — customers under time pressure often accept unfavourable terms to avoid penalty.

Core-Based Licensing: Where Compliance Gaps Arise

The transition from per-socket to per-core licensing is the single largest source of unintentional compliance gaps in VMware environments today. Under the old model, licensing a two-socket server required two CPU licences regardless of how many cores each processor contained. Under the new model, a two-socket server running dual 64-core processors requires 128 core licences.

Broadcom imposes a minimum of 16 cores per CPU and a minimum 72-core purchase per order. A modest two-socket, eight-core-per-CPU server therefore counts as 32 cores under the per-CPU minimum, and licensing it still requires purchasing 72 core licences, a significant floor for smaller deployments. For large enterprise estates with hundreds of hosts and varying processor generations, the compliance arithmetic becomes complex quickly.

Common compliance gaps in core-based environments include:

  • Capacity creep: IT teams upgrade hardware or add hosts without triggering a corresponding licence purchase. Under per-socket licensing, this was often caught at the next renewal. Under per-core licensing, every new core is immediately a compliance gap.
  • Mixed environments: Organisations running a combination of legacy perpetual licences and new subscriptions often have unclear boundaries around which entitlements cover which hosts. Audits routinely find hosts running under the wrong entitlement basis.
  • Feature drift: Enabling VMware features not included in the contracted subscription tier — for example, enabling NSX networking or vSAN storage when licensed only for the base vSphere Foundation tier — creates out-of-contract usage that audits will find.
  • Minimum-order mismatches: Purchasing 72 cores to meet the minimum when the environment only uses 64 creates apparent surplus. This surplus is not transferable to other use cases and provides no buffer if usage grows, since any additional purchase must meet the 72-core minimum again.

Telemetry and Enforcement Mechanisms

One of the most significant changes under Broadcom's VMware is the shift toward active, automated licence monitoring. Telemetry and "phone home" features are enabled by default on vSphere+ and other cloud-connected VMware components. These features transmit consumption data — including host counts, core utilisation, enabled features, and product versions — directly to Broadcom.

Broadcom's compliance reporting programme requires customers to submit compliance reports every 180 days. These reports are generated automatically by VMware software and are transmitted as part of the standard subscription management workflow. Customers who do not comply with reporting requirements, or whose reports reveal consumption in excess of contracted entitlements, face immediate exposure.

For organisations accustomed to the traditional audit model — where compliance was checked once every few years by a software audit team with weeks of lead time — the shift to continuous telemetry-based monitoring requires a fundamentally different compliance posture. You cannot rely on periodic reviews to catch gaps; gaps are visible in near real time.

Perpetual Licence Holders: Cease-and-Desist Risk

Organisations that hold perpetual VMware licences with expired support contracts face a specific and acute risk that emerged in 2025. Broadcom began issuing cease-and-desist letters to perpetual licence holders who continued using updates, patches, and security fixes released after the expiry of their support agreement.

The letters, signed by Broadcom executives, demanded that recipients immediately stop using any maintenance releases, minor releases, major releases, patches, bug fixes, or security patches issued since the end of their support contract. The exception was zero-day security patches, but even this carve-out was qualified. The letters also warned of possible audits and back-billing for continued use of post-expiry updates.

For many organisations, this created an impossible situation. Running VMware without any security patches is untenable from a risk management perspective. The cease-and-desist was, in practice, a commercial ultimatum: purchase a subscription or stop using the product in any updated form. This enforcement action accelerated migrations to subscription — exactly the commercial outcome Broadcom intended.

Common Audit Triggers Under Broadcom

Broadcom's audit programme is more commercially sophisticated than the legacy VMware audit process. Audits are no longer exclusively reactive (triggered by a complaint or an anomaly) — they are increasingly proactive, driven by telemetry data and commercial objectives. Understanding what triggers an audit is essential for managing your risk profile.

The most common audit triggers observed in practice include:

  • Renewal negotiation breakdown: When an enterprise refuses Broadcom's renewal quote or attempts aggressive negotiation, Broadcom frequently escalates to a licence review. This is a commercial pressure tactic, not a genuine compliance concern.
  • Telemetry discrepancies: If consumption data transmitted by VMware telemetry does not match contractual entitlements, an automated flag can trigger a manual review. This is why maintaining accurate entitlement records against actual deployment is critical.
  • Expired support on perpetual licences: As discussed above, holding perpetual licences with expired support is now an active audit trigger, not merely a commercial inconvenience.
  • Mixed perpetual and subscription environments: Audit clauses in Broadcom contracts are written broadly. Customers who run both legacy perpetual and new subscription licences have reported that this mixed state alone was cited as a trigger for a licence review.
  • Post-audit M&A or restructuring: Acquisitions, divestitures, and data centre consolidations that alter the VMware deployment footprint can trigger mandatory notification requirements. Failure to notify Broadcom of material changes may itself constitute a contractual breach.

How to Stay Compliant Under Broadcom's VMware Model

Maintaining compliance under Broadcom's VMware model requires a more active and systematic approach than most enterprises applied under legacy VMware. Quarterly self-audits are no longer optional — they are the minimum viable compliance posture. The following practices are essential:

Maintain an Accurate Entitlement Register

Every licensed VMware host must have a clearly documented entitlement record: the subscription tier, the number of licensed cores, the subscription term, and the renewal date. This register must be reconciled against vCenter data at least quarterly. Any discrepancy between the entitlement register and actual deployment is a compliance gap that must be resolved before the next telemetry submission cycle.

Embed Licence Checks in Change Management

Any infrastructure change that alters the VMware deployment footprint — adding a host, upgrading processors, enabling a new VMware feature, spinning up a new cluster — must pass a licence check before implementation. This is a cultural and process change, not merely a technical one. IT teams that are accustomed to provisioning infrastructure rapidly must learn to treat licensing as a prerequisite, not an afterthought.

Monitor Feature Enablement Against Subscription Tier

Broadcom's subscription tiers carry different feature entitlements. VMware Cloud Foundation (VCF) includes vSAN, NSX, and Aria. vSphere Foundation (VVF) does not include vSAN or NSX. Enabling features not covered by your subscription tier is an immediate compliance breach. Regular automated scanning of enabled features against contracted subscription tiers should be part of your compliance toolset.
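
The register reconciliation and tier check described in the two practices above, as an added example (not Redress or Broadcom tooling). The host names, the inventory and the `reconcile` helper are hypothetical; the example assumes the 16-core-per-CPU minimum applies per host and the 72-core minimum applies to each top-up order, as stated earlier in this article.

```python
from dataclasses import dataclass, field

MIN_CORES_PER_CPU = 16   # per-CPU floor stated in the article
MIN_ORDER_CORES = 72     # minimum purchase per order stated in the article
# Features the article says a tier does NOT include (VCF includes vSAN, NSX, Aria).
EXCLUDED = {"VVF": {"vSAN", "NSX"}, "VCF": set()}

@dataclass
class Host:
    name: str
    sockets: int
    cores_per_cpu: int
    features: set = field(default_factory=set)

def licensable_cores(host):
    """Cores counted for one host: each CPU counts as at least 16 cores."""
    return host.sockets * max(host.cores_per_cpu, MIN_CORES_PER_CPU)

def order_size(cores_needed):
    """Smallest order that covers a shortfall, given the 72-core order minimum."""
    return 0 if cores_needed <= 0 else max(cores_needed, MIN_ORDER_CORES)

def reconcile(hosts, tier, entitled_cores):
    """Compare inventory with one register entry; return the gaps found."""
    required = sum(licensable_cores(h) for h in hosts)
    shortfall = max(required - entitled_cores, 0)
    # Feature drift: anything enabled on a host that the tier excludes.
    drift = {h.name: sorted(h.features & EXCLUDED[tier])
             for h in hosts if h.features & EXCLUDED[tier]}
    return {"required": required, "entitled": entitled_cores,
            "shortfall": shortfall, "next_order": order_size(shortfall),
            "feature_drift": drift}

# Constructed inventory (hypothetical hosts, not real vCenter output).
INVENTORY = [
    Host("esx-01", 2, 8),              # counted as 2 x 16 = 32 cores
    Host("esx-02", 2, 64),             # counted as 128 cores
    Host("esx-03", 2, 32, {"vSAN"}),   # 64 cores, plus a feature outside VVF
]

if __name__ == "__main__":
    report = reconcile(INVENTORY, "VVF", entitled_cores=200)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running the same function inside a change-management gate, with the proposed host appended to the inventory, shows the shortfall before the host goes live.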

Manage the 180-Day Reporting Cycle

Broadcom's mandatory compliance reporting every 180 days means that twice annually your VMware environment's consumption data will be formally reviewed against your entitlements. Do not wait for Broadcom to initiate this process. Run an internal compliance review four to six weeks before each reporting deadline so that any gaps can be addressed commercially before they become audit findings.

Evaluating Alternatives: Nutanix and Azure VMware Solution

For a significant number of enterprises, the correct response to Broadcom's licensing changes is not compliance management — it is migration. Gartner estimates that 35% of VMware workloads will migrate to alternative platforms by 2028, and commercial pressure from Broadcom is accelerating that timeline for many organisations.

Two alternatives merit particular attention from enterprise CIOs evaluating exit from VMware.

Nutanix

Nutanix has emerged as the leading enterprise-grade alternative to VMware vSphere and VMware Cloud Foundation. Nutanix AHV provides a hypervisor with comparable capabilities to vSphere for the majority of enterprise workloads, while Nutanix Cloud Infrastructure covers the HCI layer that organisations previously addressed with vSAN. Nutanix has launched a specific Broadcom-to-Nutanix migration programme including commercial incentives to offset transition costs. For organisations whose VMware renewal quotes represent 3–5× cost increases, Nutanix's total cost of ownership over a three-year horizon is materially lower in most configurations, even after accounting for migration costs.

The key consideration is workload compatibility. Workloads that depend heavily on VMware-specific APIs, features such as NSX-T, or integrations with other VMware products in the Aria suite require careful assessment before migration. Nutanix has made significant progress on compatibility, but it is not a zero-effort lift-and-shift for complex environments.

Azure VMware Solution

Azure VMware Solution (AVS) allows organisations to run VMware workloads natively on Azure dedicated bare-metal hardware using VMware technologies (vSphere, vSAN, NSX-T) managed and operated by Microsoft. For enterprises with significant Azure consumption or a cloud-first strategy, AVS offers a path to exit the Broadcom commercial relationship while preserving VMware operational familiarity.

AVS pricing is based on Azure dedicated nodes rather than VMware core-based licensing, and Microsoft manages the VMware licensing layer — removing audit risk from the enterprise entirely. The trade-off is cost and flexibility: Azure VMware Solution nodes are expensive relative to on-premises infrastructure, and the model only makes commercial sense when factoring in Azure's consumption ecosystem and the avoidance of Broadcom subscription costs and audit exposure.

Both Nutanix and Azure VMware Solution should be evaluated as part of any VMware renewal negotiation. Even if migration is not the ultimate decision, demonstrating a credible alternative pathway materially strengthens an enterprise's negotiating position with Broadcom.

CIO Action Priorities

Broadcom's VMware audit environment demands a more disciplined compliance posture than most enterprise IT organisations have previously maintained. The following priorities should be on every CIO's agenda before the next renewal cycle:

  • Run an immediate entitlement audit. Map every VMware host to its entitlement. Identify any core count gaps, feature drift, or hosts running under expired support before Broadcom's telemetry does it for you.
  • Model your total cost under subscription renewal. Obtain a formal Broadcom renewal quote and model the 3-year total cost against your current perpetual baseline. The increase will almost certainly be material — quantifying it gives you a foundation for negotiation or migration decisions.
  • Evaluate Nutanix and Azure VMware Solution. Request commercial proposals from both. Use the proposals as leverage in Broadcom negotiations and as a genuine decision-making input. A credible alternative changes the negotiation dynamic fundamentally.
  • Resolve any cease-and-desist exposure. If your organisation holds perpetual VMware licences with expired or expiring support, obtain legal advice and develop a clear position before Broadcom initiates contact.
  • Establish a licence change management process. Ensure that no infrastructure change altering VMware deployment footprint proceeds without a licensing check. This is the single most effective preventive control against future compliance gaps.