IBM IASP Program Guide: Authorized SAM Provider Programme Explained

What Is IBM IASP?

IBM's Authorized SAM Provider (IASP) programme is a proactive compliance framework launched by IBM around 2019, designed to provide large IBM software customers with a structured, ongoing approach to licence compliance management in exchange for IBM's commitment to suspend its formal audit programme while the customer remains an active participant in good standing.

The IASP programme emerged from sustained pressure from IBM customers who found IBM's traditional compliance verification process — unannounced audit requests, adversarial data collection procedures, and high-stakes penalty assessments — commercially damaging and disproportionate. IBM designed IASP as a response: a programme in which customers who voluntarily engage with structured compliance monitoring are treated as partners rather than audit targets. The framing is that IASP replaces the adversarial audit relationship with a collaborative compliance management model.

In practice, IASP is a formalised mechanism through which IBM continues to identify and monetise compliance gaps — but does so through an IBM-authorised partner rather than IBM's own Software Compliance group, with materially better terms for the customer when shortfalls are identified. Understanding this distinction — IASP as a better-terms compliance mechanism rather than a compliance exemption — is fundamental to evaluating whether the programme makes sense for your organisation.

Why IBM Created IASP

IBM's traditional audit programme had created significant customer relationship problems by the mid-2010s. Large enterprise customers with complex IBM estates were receiving audit requests with short response windows, demanding highly detailed technical data that required significant internal resource to produce. The audit process had become a source of commercial friction that was damaging IBM's relationships with some of its largest accounts and, in some cases, accelerating procurement decisions to move workloads away from IBM platforms. IASP represented IBM's recognition that the audit mechanism needed to evolve — but the programme was also designed to increase the frequency and regularity of compliance data collection, which serves IBM's commercial objective of ensuring that licences match deployments on an ongoing basis rather than at the point of a periodic audit. Both objectives are genuine, and both should inform an enterprise customer's assessment of the programme.

How the IASP Programme Works

The IASP framework operates through a structured five-stage cycle that governs the ongoing relationship between the customer, the IBM-authorised SAM provider, and IBM.

Stage 1: Enrolment and Baseline Assessment

IASP enrolment requires the customer to engage one of IBM's four globally authorised SAM providers: KPMG, Deloitte, EY, or Anglepoint. IBM does not permit customers to participate in IASP using their own internal ITAM team or a non-authorised consultant. This restriction is significant: it means IASP participation carries an ongoing cost — the authorised provider's fees — that must be factored into the programme's overall value assessment.

The enrolment process begins with a comprehensive baseline assessment of the customer's IBM software estate. This baseline covers all IBM software deployments across on-premises, virtualised, and cloud environments, reconciled against all IBM licence entitlements in the customer's Passport Advantage or ELA accounts. The baseline must include validation of ILMT deployment and configuration for all sub-capacity eligible products — IBM requires that ILMT be correctly deployed and generating compliant usage reports as a precondition for IASP participation, since sub-capacity licence positions form the core of processor-metric compliance reporting within the programme.

The baseline typically takes several weeks to several months depending on the size and complexity of the IBM estate. During this period, the customer is not yet formally enrolled in IASP and does not have the benefit of IBM's audit waiver. IBM can still initiate a compliance verification during the baseline period, although in practice it rarely does so against customers who have initiated IASP enrolment.

Stage 2: Compliance Reporting

Once the baseline is established and validated, the IASP programme moves into its ongoing compliance reporting cycle. For IBM products licensed under PVU or VPC processor-based metrics — the majority of IBM middleware and Cloud Pak products — IASP requires quarterly compliance reports produced by the authorised SAM provider from ILMT data. These quarterly reports capture the highest peak usage recorded in ILMT during the preceding 90-day period and reconcile it against the customer's entitlement for each product.

For non-processor-metric products — user-based, install-based, and other metric categories — IASP requires annual compliance reporting. The annual report covers all IBM software not captured in the quarterly PVU/VPC cycle and reconciles deployment and usage data against entitlements across the full non-processor product portfolio.

The compliance reports are submitted by the authorised SAM provider to IBM's Software Compliance group, which reviews them and uses them as the basis for any compliance remediation discussions. It is critical to understand that the IASP compliance reports are shared with IBM — the programme is not a confidential arrangement between the customer and the SAM provider. IBM receives full visibility into the customer's compliance position through every reporting cycle.

Stage 3: Gap Identification and Remediation

When IASP compliance reports identify shortfalls — situations where the customer's actual IBM software deployment exceeds its entitled licence position — the IASP framework provides significantly better commercial terms for remediation than a traditional IBM audit would.

Under the IASP programme, if a compliance gap is identified, IBM agrees to allow the customer to purchase the required additional licences at the customer's historically discounted rates — not IBM's current list price or audit list price. IBM also agrees to waive back-maintenance charges on licences purchased to close gaps identified through IASP reporting. These are material benefits: in a traditional IBM audit, shortfalls are typically remediated at IBM's published list price or at a negotiated rate from a position of weakness, and back-maintenance — the support fees retroactive to when the unlicensed deployment began — can represent a significant multiple of the licence cost itself.

The customer is given a defined remediation window — typically 30 to 90 days — to address identified shortfalls. If shortfalls are addressed within the window, the engagement continues without escalation to IBM's compliance enforcement procedures. If shortfalls are not addressed, IBM retains the right to escalate the matter through its standard compliance processes, including formal audit procedures.

Stage 4: The IBM Audit Waiver

The audit waiver is IASP's primary marketing proposition. IBM contractually commits that while a customer is an active IASP participant in good standing, IBM will not initiate a formal compliance verification (audit) against that customer. This is a genuine and meaningful commitment — IBM's formal audit programme is disruptive, resource-intensive, and commercially damaging, and the audit waiver removes that threat for the duration of programme participation.

However, the audit waiver is conditional in several important respects. First, the waiver applies only while the customer remains in active IASP participation — in good standing, with current reporting cycles completed and provider fees paid. If the customer leaves IASP for any reason, IBM's audit rights are immediately reinstated. Second, the waiver applies to IBM's compliance verification audit process — it does not prevent IBM from using data shared through IASP reporting to engage the customer commercially about compliance gaps. IBM has full visibility into every shortfall identified through IASP reporting and can and does use that information in commercial discussions about product renewals and additional licence purchases. Third, IBM reserves the right to audit customers for fraud or significant misrepresentation even during IASP participation — the waiver does not extend to situations where IBM believes the compliance data provided through IASP is materially inaccurate.

Stage 5: Programme Renewal and Continuation

IASP participation is typically structured as an annual commitment that renews at the customer's discretion, subject to IBM's continued acceptance of the customer's participation status. Customers who have maintained good standing throughout the previous cycle — completed all reporting on schedule, addressed all identified shortfalls within remediation windows — renew automatically with minimal process overhead. Customers who have had reporting delays, unresolved shortfalls, or other programme compliance issues may face reinstatement reviews before IBM confirms continued participation.

ILMT Requirements Within IASP

ILMT — IBM License Metric Tool — is not optional within the IASP programme for organisations with virtualised IBM software deployments. IBM's sub-capacity licensing terms require ILMT deployment as a precondition for claiming sub-capacity pricing on virtualised environments, and IASP's quarterly PVU/VPC compliance reporting cycle is built entirely around ILMT-generated data. An IASP participant with incorrect or incomplete ILMT configuration is unable to produce valid sub-capacity compliance reports — which means every product on virtualised infrastructure without correct ILMT coverage defaults to full-capacity licence requirements in IBM's view.

The ILMT requirements within IASP go beyond the basic deployment requirements. ILMT must be correctly configured for the specific metric — PVU or VPC — required for each product in the IBM estate. IBM's transition of Cloud Pak products from PVU to VPC means that ILMT configurations that were correct before the Cloud Pak transition may now be producing incorrect reports for products that have moved to VPC metrics. IASP participants should verify that their ILMT configuration reflects current IBM metric requirements for all products included in quarterly reporting, not the requirements that applied when ILMT was originally configured.

Additionally, ILMT's reporting schedule within IASP must comply with IBM's sub-capacity terms: scans must be performed at least weekly, audit snapshots must be produced and signed at least quarterly, and two years of historical usage data must be retained and available for audit. IASP participants who allow ILMT reporting schedules to slip — commonly caused by infrastructure changes, server migrations, or resource gaps in the ITAM team — create compliance reporting deficiencies that undermine the programme's core value proposition.

Who Are the Authorised IASP Providers?

IBM has selected four globally authorised IASP providers: KPMG, Deloitte, EY, and Anglepoint. The selection reflects IBM's requirement for providers with demonstrated IBM licensing expertise, global delivery capability, and a compliance methodology that IBM has validated as meeting its programme standards.

The Big Four Providers: KPMG, Deloitte, and EY

KPMG, Deloitte, and EY bring the scale, global reach, and institutional credibility of the Big Four professional services firms to IASP delivery. For large multinationals with IBM deployments across dozens of countries, the ability to deliver IASP services through a single global provider with consistent methodology and established local relationships in major markets is a practical advantage. All three firms have IBM licensing practices within their technology advisory divisions that provide the technical IBM expertise IASP requires alongside the governance and methodology infrastructure that IBM demands from authorised providers.

The Big Four's institutional incentives in the IASP context are worth noting: while they are engaged by the customer to conduct compliance assessments, their broader relationship with IBM — as consulting partners on IBM technology implementations, cloud migration projects, and enterprise transformation programmes — creates an alignment with IBM that is different from a purely independent advisory relationship. This is not a disqualifying factor, but it is context that customers should hold in mind when evaluating how the IASP provider will handle ambiguous compliance situations where IBM's interest and the customer's interest diverge.

Anglepoint

Anglepoint is a specialist Software Asset Management firm focused specifically on IBM licensing. As the only non-Big Four authorised IASP provider, Anglepoint offers a different value proposition: deep IBM-specific technical expertise, a business model that is less intertwined with IBM's consulting revenue, and a client base that consists primarily of organisations managing complex IBM estates rather than technology consulting relationships. For organisations whose primary objective in IASP is robust technical IBM compliance management rather than integration with a broader advisory relationship, Anglepoint is a credible alternative to the Big Four providers.

IASP vs Independent IBM Compliance Management: The Real Comparison

IASP is not the only approach to proactive IBM compliance management. Organisations with strong ITAM capabilities and access to independent IBM licensing expertise can achieve comparable audit risk reduction through a self-managed compliance programme — one that does not involve sharing compliance data directly with IBM through an IBM-authorised provider on IBM's reporting schedule.

The fundamental difference between IASP and independent compliance management is visibility. Under IASP, IBM has quarterly visibility into your compliance position through data submitted by the authorised provider. Under an independent programme, IBM has no visibility into your compliance position between audit events — and if your compliance position is clean and well-documented, the probability of IBM initiating an audit is substantially lower than for organisations known to IBM as non-IASP participants with complex estates.

Independent compliance management is most appropriate for organisations that have invested in rigorous ITAM capabilities, have clean and well-documented IBM compliance positions, have experienced ILMT deployment correctly configured for their environment, and want to retain full confidentiality of their compliance data rather than sharing it with IBM through a structured reporting programme. IASP is most appropriate for organisations that have known compliance complexity or historical gaps, that lack the internal ITAM resource to manage IBM compliance rigorously without external support, or that place high value on the formal IBM audit waiver as a commercial risk reduction mechanism.

Limitations and Risks of IASP

IASP is not a risk-free compliance solution, and several limitations deserve explicit attention before an organisation enrolls.

Information Asymmetry Works Against You

Every quarterly and annual compliance report submitted through IASP gives IBM detailed visibility into your IBM software estate — including your compliance gaps. IBM's commercial account team can and does use this information in discussions about licence renewals, ELA structures, and product expansions. IASP participants who discover compliance gaps through the programme's reporting cycle often find themselves in a commercial negotiation with IBM that IBM is better positioned for than the customer — because IBM already knows the scope of the gap and has prepared accordingly.

The Audit Waiver Has a Cost

The IASP audit waiver protects you only while you remain in the programme and continue meeting all its requirements. If you identify a compliance gap through IASP reporting and cannot remediate it within the defined window, the programme's commercial protections are potentially void. If you leave IASP — for cost reasons, provider dissatisfaction, or strategic reasons — IBM's full audit rights are immediately reinstated, potentially at a point when IBM has detailed knowledge of your compliance position from prior IASP reporting. The exit dynamic from IASP is therefore less favourable than the entry dynamic, a structural characteristic that is not always clearly communicated in IBM's IASP programme materials.

IASP Is Not for Every IBM Customer

IASP is most beneficial for organisations with large, complex IBM estates, meaningful compliance uncertainty, and genuine appetite for the ongoing cost of an authorised provider relationship. For organisations with well-managed IBM estates, strong ILMT coverage, and good ITAM discipline, the programme's ongoing cost — authorised provider fees, internal resource requirements for data collection and reporting — may not be justified by the audit waiver benefit. A thorough independent assessment of your IBM compliance position, conducted by an advisor with no commercial interest in your IASP enrolment, is the appropriate starting point before making a programme commitment.

When IASP Makes Sense: A Decision Framework

IASP is the right choice for IBM customers who meet several criteria simultaneously. The IBM software estate is large and complex, with multiple products, multiple licence metrics, and significant virtualised infrastructure requiring sub-capacity management. The ILMT deployment is functioning correctly and the organisation has the ITAM resource to maintain it within IASP's reporting requirements. The organisation has known or probable compliance gaps that it wants to address proactively on IBM-favourable terms rather than through a potentially adversarial formal audit. The organisation values the formal audit waiver as a material risk reduction against IBM's compliance enforcement programme. And the annual cost of an authorised IASP provider relationship is proportionate to the commercial risk being mitigated.

IASP is the wrong choice when the IBM estate is well-managed, compliance positions are clean, and ILMT is functioning correctly — in which case the organisation is paying for audit protection it does not need while simultaneously providing IBM with regular detailed visibility into its licensing position. In this scenario, independent compliance management with periodic internal assessment by a non-IBM-authorised IBM licensing specialist delivers the compliance discipline without the information sharing that IASP requires.