IBM Audit Defence: UAE Bank Closes $4.1M IBM Licensing Exposure

The Challenge

In January 2025, the client's CIO received formal notification from IBM's Middle East SAM team: a comprehensive audit of IBM licensing compliance across all business units and geographies. The audit notice was filed under the Passport Advantage Agreement, which grants IBM the contractual right to conduct verification audits of licence usage and compliance posture.

The bank had standardized on IBM middleware: IBM Db2 for core banking systems, IBM MQ for interbank messaging, and IBM DataPower for API gateways. The UAE head office maintained ILMT deployment covering Db2 and MQ. However, the Saudi Arabia and Egypt branches had been provisioned with production IBM Db2 and MQ deployments approximately two years prior, supporting regional operations.

These regional deployments had never been brought under ILMT coverage. When IBM's audit team cross-referenced ILMT data from the UAE against known Db2 and MQ deployments across the entire network—information derived from IP scanning and interviews—the discrepancy was substantial.

IBM's preliminary claim: $4.1M in unlicensed Db2 and MQ deployments across Saudi and Egypt operations, valued at full list pricing for perpetual licences and maintenance. The claim was structured as: $2.4M for unlicensed Db2 metric capacity; $1.7M for MQ deployments; plus accumulated support and maintenance fees.

The bank's internal finance and legal teams were not equipped to challenge the methodology. A typical response would have been to accept the audit findings and negotiate a settlement based on IBM's preliminary assessment. This is the path taken by the majority of organizations facing SAM audit notices: immediate capitulation followed by protracted and expensive remediation.

The Approach

Redress was engaged in February 2025 to assess the audit claim and develop a defence strategy. The engagement proceeded in three phases: assessment, remediation, and negotiation.

Phase 1: Audit Claim Assessment

Our initial review focused on IBM's $4.1M claim. IBM had asserted that Db2 deployments in Saudi Arabia and Egypt constituted separate licensing obligations under Passport Advantage. The methodology aggregated core counts without metric optimization or consolidation logic.

We identified a critical vulnerability: IBM Db2 licensing permits metric consolidation across instances within a single licensed entity, provided all instances have ILMT tooling deployed in each geography. The bank's corporate structure permitted consolidating all Db2 instances across UAE, Saudi Arabia, and Egypt under a single metric pool with ILMT deployment in all three geographies. This reduced the exposure from $2.4M to approximately $1.1M.

Phase 2: ILMT Deployment and Remediation

To establish the technical foundation for metric consolidation, we executed a comprehensive ILMT deployment across all three countries within six weeks. This required coordinating with IBM infrastructure teams in the UAE, Saudi Arabia, and Egypt; provisioning ILMT agents across 47 Db2 instances and 23 MQ clusters; and validating data collection and reporting against IBM's audit standards.

The remediation phase achieved full compliance visibility. ILMT data provided a definitive inventory of all Db2 and MQ deployments, metric usage, and compliance status across all three markets. This inventory became the foundation for our negotiation strategy.

Phase 3: Multi-Country Metric Challenge

Armed with complete ILMT data, we challenged IBM's multi-country Db2 metric calculation. IBM's initial claim had measured Db2 capacity as the sum of all cores across all instances, applied to each region independently. We reframed the measurement using the consolidated metric model permitted under the Passport Advantage Agreement: all Db2 instances across the three countries were measured under a single PVU (Processor Value Unit) pool, subject to a unified licensing framework.

This metric optimization reduced the remaining exposure from $1.1M to approximately $700K. The remaining $1.7M MQ exposure was addressed through a different strategy: we demonstrated that existing Passport Advantage entitlements for MQ, procured for the UAE head office, could be reallocated across the regional deployments under the agreement's geographical flexibility terms. This reallocation eliminated the $1.7M claim entirely.

"We had accepted that we would settle this for $3-4M. When Redress demonstrated the metric consolidation logic and reallocated our existing entitlements, the entire claim was resolved. It was a completely different outcome from what we expected. The new regional ELA is actually better than our prior per-country approach."

The Outcome

The negotiation concluded with IBM's agreement to a restructured licensing framework. The client moved from three separate country-level agreements to a single regional ELA (Enterprise License Agreement) covering UAE, Saudi Arabia, and Egypt. The outcome metrics were stark:

• Initial claim: $4.1M
• After metric consolidation: $700K
• After entitlement reallocation: $0 net settlement
• New regional ELA pricing: 19% below combined prior per-country rates

The bank not only closed the audit at zero cost but also improved its long-term licensing position. The 19% discount on the new regional ELA, applied to ongoing annual software maintenance and support fees, delivers ongoing annual savings of approximately $240K.

IBM's regional SAM team was forced to accept the metric consolidation and entitlement reallocation arguments because the underlying ILMT data supported them and because the multi-country consolidation model was explicitly permitted under the Passport Advantage Agreement's terms. Without the technical evidence (ILMT deployment) and without a credible challenge to IBM's methodology, the bank would have settled at $3.5M-$4.1M as IBM suggested.

Key Takeaways

1. SAM Audits Are Negotiable

IBM's preliminary audit claims are opening positions, not final assessments. The $4.1M claim was defensible only if the bank accepted IBM's interpretation of the licensing terms. When challenged with better technical evidence and alternative contractual interpretations, IBM's position deteriorated substantially.

2. Regional Deployments Create Exposure

Multi-country deployments of IBM middleware without coordinated ILMT coverage across all regions create major audit exposure. Organizations with regional operations must maintain ILMT tooling in every geography where IBM software is deployed, not just in head office datacenters.

3. Metric Consolidation Is Valuable

IBM Db2 licensing permits metric consolidation across instances and geographies, subject to ILMT visibility in all regions. This option is often overlooked by internal IT teams and becomes a powerful defence tool when properly documented and presented to IBM's negotiation team.

4. Entitlement Reallocation Can Eliminate Claims

Existing licence entitlements often have geographical flexibility and can be reallocated to cover underdocumented deployments. Before accepting an IBM claim, conduct a full inventory of current entitlements and their reallocation potential.

5. Independent Advisors Change Outcomes

The bank's internal team accepted the audit notice without challenge. An independent advisor with no financial stake in IBM's claim structure was able to develop alternative interpretations of the licensing terms and supported them with technical evidence. This shifted the negotiation from capitulation to defence.