IBM Audit Defense — New York Investment Bank Reduces $31M Claim to $2.2M

Client Profile

The client is a mid-size investment bank headquartered in Midtown Manhattan with approximately 2,800 employees and operations across New York, London, Hong Kong, and Singapore. The institution provides equity research, fixed income trading, structured finance, and asset management services to institutional clients. Its IBM technology estate is operationally significant: IBM Db2 underpins the firm's trade capture and risk database layer, IBM Spectrum Protect manages enterprise backup across 340 terabytes of financial and compliance data, IBM WebSphere Application Server hosts middleware for its trade settlement workflows, and IBM Rational tools — specifically Rational Application Developer and Rational Team Concert — are used by the firm's 65-person application development team.

The bank had been an IBM Passport Advantage customer for over nine years, managing its entitlements through a mix of per-processor value unit (PVU) licences on virtualised infrastructure and authorised user entitlements for development tooling. The IBM Software License Review (SLR) notice arrived in Q2 2025, approximately 14 months after the bank had completed a major infrastructure refresh programme that had extended its VMware vSphere environment across two new data centre pods.

The Challenge

IBM's audit claim of $31M rested on two primary compliance arguments that IBM's auditors characterised as independent but that, in practice, compounded one another.

ILMT Sub-Capacity Coverage Gaps on Newly Provisioned ESXi Hosts

IBM's License Metric Tool (ILMT) is the mandatory mechanism for any organisation wishing to use sub-capacity PVU licensing on virtualised infrastructure. Sub-capacity licensing allows organisations to count only the virtual processor cores actively assigned to virtual machines running IBM software, rather than the total physical core count of every underlying host. For an estate of the bank's scale, the financial difference between sub-capacity and full-capacity pricing is significant — typically a 65–80% reduction in PVU exposure for a densely virtualised environment.

IBM's auditors identified that 38 of the 62 new ESXi hosts deployed during the infrastructure refresh had not had ILMT agents installed and connected to the bank's existing ILMT server within IBM's mandatory 90-day deployment window. The gap period ran for 19 months, from the initial provisioning date through to the audit notification date. IBM applied full-capacity pricing — based on the maximum physical core count of each unmonitored host multiplied by the applicable PVU value — across the entire exposure window. This calculation alone produced an alleged shortfall of approximately $22M, representing the largest single component of IBM's opening position.

The technical root cause was straightforward but costly in its consequences. The bank's infrastructure team had followed its standard server build procedures during the refresh project, which did not include ILMT agent installation as an automated provisioning step. The ILMT deployment process had historically been handled manually by the software asset management team after physical servers were handed over to operations. Under the accelerated timelines of the refresh project, the ILMT deployment queue had fallen significantly behind, and 38 hosts had been running IBM workloads without sub-capacity monitoring for over a year before the audit notice arrived.

Rational Software Deployment Beyond Authorised User Scope

The second component of IBM's claim arose from IBM's review of the bank's Rational software deployments. The bank held Rational Application Developer licences for 65 authorised users — its core application development team. IBM's auditors, using deployment data extracted during the SLR process, identified that Rational Application Developer had been installed on workstations belonging to 94 individuals across the technology function, including infrastructure engineers, business analysts, and a group of contractors engaged during the refresh project.

IBM calculated the exposure on the basis of the full list price for the 29 additional users identified, applied retroactively across a three-year look-back period. This calculation produced an alleged shortfall of approximately $9M. IBM's position was that installation on a workstation constituted deployment for the purposes of the Passport Advantage licence terms, regardless of whether the software had been actively used.

The bank's internal position was that most of the additional installations had been accidental — the Rational software had been included in a standard developer workstation image that had been distributed more broadly than intended. The bank had no usage evidence to support this position, and IBM was unwilling to accept intent or operational context as a mitigating factor without independent verification of actual usage data.

The Approach

Redress Compliance was engaged four weeks after the audit notice arrived, at the point where the bank's legal and procurement teams had concluded that IBM's $31M figure was unlikely to be accurate but lacked the technical capability to challenge it systematically.

Reconstructing the ILMT Position from Infrastructure Evidence

Rather than accepting IBM's assertion that the absence of ILMT data required default to full-capacity pricing for the entire 19-month gap, the Redress team challenged the underlying methodology. IBM's Licence Metric Compliance Terms permit the use of alternative evidence sources where ILMT data is unavailable, provided those sources are capable of demonstrating sub-capacity deployment with equivalent accuracy. The Redress team extracted VMware vCenter performance and configuration data for the 38 affected hosts, covering the full 19-month gap period.

The vCenter data allowed the team to reconstruct the maximum virtual CPU allocation to IBM-licensed virtual machines on each host at every point during the gap period. Cross-referencing this data with the bank's capacity planning records and VM configuration change logs produced a month-by-month sub-capacity PVU exposure calculation that replaced IBM's full-capacity assumption with a defensible alternative figure. The reconstructed sub-capacity position reduced the ILMT-related exposure from $22M to $3.8M — a reduction of 83% on this component alone.

The Redress team also identified a secondary error in IBM's PVU calculation methodology. IBM's auditors had applied PVU values based on the published IBM PVU table for the processor model originally specified in the host purchase order, without verifying whether the actual processors installed matched the purchase order specifications. A procurement discrepancy during the refresh project had resulted in four hosts being delivered with a lower-core-count processor variant than originally ordered. IBM's calculation had overstated the PVU value for these four hosts, adding a further $1.1M in error to the original claim.

Establishing Usage Evidence for Rational Software

For the Rational software component, the Redress team extracted Windows event log data and application usage telemetry from the bank's endpoint management platform covering the 65 core development users and the 29 additional individuals identified by IBM. The usage data demonstrated that of the 29 additional users, only 11 had launched Rational Application Developer more than twice during the three-year look-back period, and only four had used it in any substantive capacity — defined as sessions exceeding 30 minutes.

IBM's Passport Advantage terms contain a provision allowing for licence reconciliation where deployment data is contradicted by verifiable usage evidence, provided the evidence is produced by an auditable enterprise system rather than manually compiled records. The Redress team presented the endpoint management data as qualifying evidence and negotiated IBM's concurrence that only the four substantive users required additional licence coverage. The remaining 25 installations were accepted as incidental and removed from the claim. The Rational component of IBM's claim was reduced from $9M to $810K.

The Outcome

Following eight weeks of technical analysis and four weeks of IBM negotiation, the bank reached a final settlement of $2.2M — comprising $1.39M for the reconstructed ILMT sub-capacity shortfall and $810K for the substantiated Rational licence gap. IBM's original claim of $31M was reduced by 93%, saving the bank $28.8M.

The $1.39M ILMT settlement reflected the reconstructed sub-capacity position of $3.8M, further reduced through commercial negotiation to account for the bank's clean IBM compliance history prior to the refresh project, the good-faith documentation presented through the vCenter data reconstruction, and IBM's acknowledgement of the $1.1M PVU calculation error. IBM agreed to a 12-month payment schedule on the ILMT settlement amount as part of the commercial agreement.

Beyond the financial outcome, the engagement produced two structural improvements. First, Redress worked with the bank's infrastructure team to implement automated ILMT agent deployment as a mandatory step in the ESXi host provisioning workflow, triggered at build time through the bank's existing configuration management tooling. Second, Redress conducted a complete entitlement reconciliation across the bank's Passport Advantage portfolio, identifying four additional IBM products where entitlement and deployment records were misaligned — two cases of over-deployment and two cases of significant under-utilisation — allowing the bank to rationalise spend at its next Passport Advantage renewal and avoid future audit exposure.

The bank subsequently engaged Redress Compliance under a retained advisory arrangement to provide ongoing IBM licence governance and renewal negotiation support.

Key Lessons

ILMT deployment must be automated at provisioning, not deferred. The bank's manual ILMT deployment process had worked adequately under steady-state conditions but collapsed under the volume and pace of a major infrastructure refresh. Automating ILMT agent deployment as a build-time provisioning step is the only reliable protection against sub-capacity coverage gaps during infrastructure change programmes.

IBM's opening number is a methodology, not a measurement. IBM's $31M claim was constructed using a series of conservative assumptions — full-capacity pricing, list-price user costs, and maximum retroactive periods — none of which reflected the bank's actual licensing exposure. Challenging each assumption with qualified evidence is the correct response to an IBM Software License Review notice, and it almost always produces a materially lower outcome than the opening figure.

Workstation deployment data and usage telemetry are different things. IBM's licence terms are triggered by deployment. But where deployment is contested or incidental, enterprise usage telemetry from endpoint management platforms can provide the basis for a legitimate challenge — provided it comes from a system IBM recognises as auditable.

An audit is also a reconciliation opportunity. The entitlement and deployment gaps identified during the engagement allowed the bank to rationalise its IBM portfolio at renewal, eliminating spend on products it was over-entitled on and correcting under-deployment risks before they became future audit exposure. Organisations that treat IBM audits solely as a threat to be minimised miss the portfolio optimisation value that a thorough engagement produces.