Client Background
The client is a mid-size industrial manufacturer headquartered in Pennsylvania with approximately 4,200 employees across eight production facilities in North America and two distribution sites in Europe. The company operates a mixed-vendor IT estate running IBM WebSphere Application Server, IBM DB2, IBM MQ Series, and IBM Cognos on a VMware vSphere infrastructure. The IBM software portfolio had been accumulated over twelve years through multiple acquisitions and operational expansions.
IBM licensing was managed by a two-person software asset management team that had inherited contracts from predecessor IT organisations without comprehensive documentation. ILMT had been deployed three years prior to the audit but had not been actively maintained or reviewed since the initial implementation.
The Challenge
In Q3 2023, the manufacturer received an IBM audit notification letter from IBM's Software Compliance team. IBM's initial discovery scan, conducted using IBM's authorised scanning tools, identified significant discrepancies between the client's declared licence position and IBM's calculated consumption.
IBM's Initial Exposure Calculation
IBM's preliminary assessment placed total licensing exposure at $32M, composed of three elements. First, IBM calculated full-capacity PVU licensing for 112 of the 280 virtualised servers where ILMT data was absent or stale — these servers housed WebSphere Application Server instances across VMware clusters with host servers carrying between 32 and 64 physical cores each. Under full-capacity rules, IBM assigned all available PVUs to the IBM software regardless of actual VM allocation, inflating the calculated licence requirement by a factor of four to eight times actual usage. Second, IBM demanded retroactive Software Subscription and Support covering 24 months for the entire shortfall quantity, adding approximately $8M to the base licence deficit. Third, IBM flagged 14 Cognos Analytics instances running in non-production environments that had been incorrectly catalogued in IBM's scan as production deployments, adding a further $2.1M to the assessed position.
Root Cause: ILMT Agent Failure
The ILMT deployment gap was not the result of deliberate non-compliance. Approximately 18 months prior to the audit letter, the client's network security team had implemented revised firewall policy rules as part of a broader Zero Trust initiative. The policy change inadvertently blocked the BigFix inventory agent communication ports on 112 servers, preventing ILMT from collecting sub-capacity data for those systems. The ILMT reporting continued to generate quarterly snapshots but showed no utilisation data for the affected servers — a gap that had not been identified by the SAM team because the quarterly snapshot generation process was automated and unmonitored.
Without valid ILMT sub-capacity data for those 112 servers, IBM's contractual right was to apply full-capacity licensing — an entitlement IBM was fully prepared to exercise, resulting in the $32M initial claim.
— VP of IT, Client Organisation
The Approach
Redress Compliance was engaged three weeks after the audit notification. The engagement was structured in three parallel workstreams: technical evidence gathering, retroactive ILMT remediation, and IBM negotiation strategy.
Workstream 1: Historical PVU Reconstruction
The primary technical objective was to demonstrate to IBM that actual PVU consumption during the 18-month gap period was materially lower than full-capacity calculations. Redress worked with the client's VMware administration team to extract vCenter performance metrics, covering CPU Ready statistics, VM resource allocation history, and DRS migration logs across the affected host clusters. Change management records were cross-referenced to establish the precise date the firewall policy change took effect, providing a clean demarcation between periods with valid ILMT data and the affected 18-month window.
The reconstruction demonstrated that the 112 affected servers were running WebSphere, DB2, and MQ with an average VM size of 4 vCPUs on hosts with a maximum of 32 physical cores — equivalent to a sub-capacity PVU requirement approximately 78% below IBM's full-capacity calculation. This evidence was compiled into a formal technical submission for IBM's Software Compliance team.
Workstream 2: 60-Day ILMT Remediation Sprint
In parallel with the historical reconstruction, Redress co-ordinated a 60-day ILMT remediation sprint to re-establish compliant sub-capacity reporting across all 280 servers. The remediation involved updating the BigFix agent deployment policy to reflect the revised firewall rules, re-deploying agents to the 112 non-reporting servers, and validating ILMT data collection against a test subset before full rollout.
Upon completion, ILMT was generating compliant quarterly snapshots covering 100% of the virtualised IBM software estate. Automated alerting was configured to notify the SAM team if agent coverage fell below 95% in any subsequent quarter. This operational improvement directly supported the negotiation position by demonstrating to IBM that future compliance risk had been eliminated.
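The two mechanics this case turns on, IBM's full-capacity fallback when ILMT data is missing (described in the exposure calculation above) and the agent-coverage alerting configured in this sprint, are illustrated in the following added example. It is not code from the original page or from Redress or IBM; the PVU rate of 70 per core, the 95% threshold and the five-server inventory are constructed sample values, and the sub-capacity rule is simplified to a per-VM cap rather than IBM's per-host aggregation.

```python
from dataclasses import dataclass

# Assumed sample rate; real values come from IBM's PVU table for the host CPU model.
PVU_PER_CORE = 70
COVERAGE_ALERT_THRESHOLD = 0.95  # alert when fewer than 95% of servers report

@dataclass(frozen=True)
class Server:
    name: str
    host_cores: int       # physical cores on the VMware host
    vcpus: int            # vCPUs allocated to the VM
    ilmt_reporting: bool  # True if the BigFix/ILMT agent delivered data this quarter

def full_capacity_pvus(s: Server) -> int:
    """PVUs IBM may claim when no valid ILMT data exists: every host core counts."""
    return s.host_cores * PVU_PER_CORE

def sub_capacity_pvus(s: Server) -> int:
    """PVUs under sub-capacity rules: the VM's vCPUs, never more than the host's cores."""
    return min(s.vcpus, s.host_cores) * PVU_PER_CORE

def exposure_report(servers):
    """PVUs IBM could assess given current agent coverage, PVUs actually consumed,
    and the fraction of servers with a reporting agent."""
    assessed = sum(sub_capacity_pvus(s) if s.ilmt_reporting else full_capacity_pvus(s)
                   for s in servers)
    actual = sum(sub_capacity_pvus(s) for s in servers)
    covered = sum(1 for s in servers if s.ilmt_reporting)
    coverage = covered / len(servers) if servers else 0.0
    return {"assessed_pvus": assessed, "actual_pvus": actual, "coverage": coverage}

def coverage_alert(servers):
    """Names of silent servers when coverage is below the threshold; empty list otherwise."""
    report = exposure_report(servers)
    if report["coverage"] >= COVERAGE_ALERT_THRESHOLD:
        return []
    return sorted(s.name for s in servers if not s.ilmt_reporting)

# Constructed sample inventory: 4 vCPU VMs on 32/64-core hosts, two agents blocked by firewall.
SAMPLE = [
    Server("was-prod-01", 32, 4, True),
    Server("was-prod-02", 32, 4, True),
    Server("db2-prod-01", 32, 8, False),
    Server("mq-prod-01", 64, 4, False),
    Server("was-prod-03", 32, 4, True),
]
```

On the sample, two silent agents out of five raise the assessable PVUs from 1,680 actual to 7,560, which is the inflation the page describes, and the 60% coverage trips the alert.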
Workstream 3: Cognos Dev/Test Classification
Redress reviewed the 14 Cognos Analytics instances flagged by IBM as production deployments. Detailed analysis of the deployment configurations, user access controls, and change management records confirmed that all 14 instances were used exclusively for development, testing, and report validation — none served business users in a production capacity. IBM's scan had classified these instances as production due to the server naming convention used, which did not include the standard DEV or TEST prefixes IBM's tooling uses for auto-classification.
Redress prepared formal written submissions for each of the 14 instances, including server specifications, user access logs, and deployment authorisation records, successfully reclassifying all 14 under IBM's development licensing terms and eliminating the $2.1M Cognos exposure.
Negotiation Strategy
The negotiation with IBM's Software Compliance team was anchored on two primary positions. First, Redress argued that the 18-month ILMT gap resulted from an infrastructure change event — documented, dateable, and unintentional — rather than a systemic compliance failure. The vCenter evidence package demonstrated actual PVU consumption throughout the gap period and gave IBM's team the technical basis to accept a sub-capacity position for the affected servers retrospectively.
Second, Redress challenged IBM's demand for 24 months of retroactive S&S on the shortfall quantity. Using IBM's own settlement precedents and the documented date of the firewall policy change, Redress successfully argued that the effective non-compliance period was 18 months, not 24, and that the quantum of the shortfall should reflect actual consumption rather than full-capacity assumptions. IBM's retroactive S&S demand was reduced to cover six months of verified shortfall.
The Outcome
The final settlement agreement was executed eight months after the initial audit notification. The total settlement value was $1.3M, compared to IBM's opening position of $32M — a reduction of $30.7M (96%).
Settlement Breakdown
The $1.3M settlement comprised $740K for verified licence shortfall on seven production WebSphere Application Server instances where actual PVU consumption exceeded the client's licensed position even on a sub-capacity basis, $380K for six months of retroactive S&S on those verified shortfall units, and $180K to extend two DB2 licence titles to cover minor version entitlement gaps identified during the internal audit. The 14 Cognos instances were fully cleared under development licensing terms at no cost, and the 105 servers where historical reconstruction demonstrated compliant sub-capacity usage were removed entirely from the settlement scope.
Operational Improvements
Beyond the settlement, the engagement delivered lasting operational change. ILMT now covers 100% of the 280-server IBM software estate with automated quarterly reporting and proactive alerting. The SAM team conducts quarterly ILMT compliance reviews as a standard operational process. Server naming conventions were updated to ensure development and test environments are correctly identified by IBM scanning tools. The client has also rationalised its IBM Cognos deployment, retiring three legacy report servers and consolidating 11 remaining instances onto a single certified production environment.
Cost Efficiency
The total cost of the engagement — including Redress advisory fees, the 60-day ILMT remediation programme, and the final settlement payment — represented less than 9% of IBM's original $32M demand. The client's internal estimate of the cost of compliance if IBM's opening position had been accepted included not only the $32M settlement but also an estimated $4M in internal resource cost, audit disruption, and deferred capital projects — making the effective avoidance value of the engagement closer to $35M.
Key Lessons
Infrastructure changes create hidden ILMT gaps. Firewall policy changes, network segmentation projects, and server migrations are the most common cause of ILMT agent failures. Every infrastructure change should include an ILMT coverage check as a mandatory step in the change management process.
Quarterly ILMT reporting must be actively monitored, not just generated. Many organisations automate ILMT snapshot generation but do not validate whether the underlying agent coverage is complete. A quarterly snapshot with 60% agent coverage provides no protection against full-capacity claims for the unmonitored 40%.
Historical reconstruction is a legitimate and accepted defence. IBM's sub-capacity licensing terms require ILMT data, but IBM's compliance team has accepted vCenter performance evidence and other contemporaneous infrastructure records as supporting documentation for retroactive sub-capacity claims in negotiated settlements. The evidence must be compelling and contemporaneous — not reconstructed after the fact from memory.
Development environment classification requires proactive documentation. IBM's scanning tools rely on naming conventions and configuration signals to classify environments. Organisations with non-standard naming must maintain clear deployment records that distinguish production from non-production IBM software instances.
Engage specialist defence counsel within the first 30 days. The quality of the response in the first 30 days after an IBM audit notification significantly determines the negotiation outcome. Early engagement allows the defence team to shape the evidence package, control the audit scope, and establish the technical narrative before IBM's position hardens.