New York agency IBM audit. Claim cut 86 percent.

A New York state agency faced an IBM audit claim priced at full capacity across its virtualized estate. Rebuilt ILMT evidence and entitlement mapping settled it 86 percent below the opening demand.

What did the IBM audit claim against the agency?

A New York state government agency received an IBM audit claim in the tens of millions of dollars, built on full capacity licensing of its virtualized estate. The final settlement closed 86 percent below the opening claim once sub capacity evidence was rebuilt and entitlements were mapped.

The estate ran WebSphere, Db2, and Tivoli products under Passport Advantage, measured in PVUs per IBM's PVU licensing tables, with a partial transition to VPC metrics underway. The audit firm's opening position priced every physical core in every cluster hosting an IBM workload.

Why was the opening claim so large?

IBM's sub capacity licensing terms require ILMT or an accepted alternative to be deployed and reporting; gaps default the estate to full capacity counting under the ILMT documentation and sub capacity rules. The agency had ILMT installed but misconfigured on roughly a third of hosts, and the audit priced that third at full physical capacity.

What was actually deployed?

Discovery showed stable, modest consumption: most claimed products were either bundle components, decommissioned instances still in the scan, or test environments eligible for different terms. The measured gap was a fraction of the claim.

How was the claim taken apart?

The defense ran three tracks in parallel: evidence reconstruction, entitlement mapping, and negotiation control. Each track removed a layer of the claim, and the sequencing kept IBM at the table rather than at escalation.

Rebuilding the sub capacity record

The team remediated ILMT configuration, then reconstructed historical consumption from VM inventory, hypervisor logs, and change records to evidence sub capacity eligibility for the disputed period. IBM accepted the reconstructed record for the bulk of the estate.

Where the common advice on IBM audits is wrong

The standard advice is to negotiate the settlement number, because fighting IBM's findings drags the process out. We disagree. In roughly 18 of the 20 to 30 IBM defenses Fredrik Filipsson worked between 2024 and 2025, the findings themselves collapsed under evidence reconstruction before any commercial negotiation started, and the estates that negotiated early anchored to inflated numbers. The buyer side move is to withhold settlement talk until the measured position is rebuilt, then negotiate once, from facts. The discount conversation IBM offers first is designed to close before you measure.

The opening claim is a pricing position, not a measurement. Treat it accordingly.

What should other public sector estates take from this?

The settlement preserved the agency's budget and its IBM relationship, and the same defense pattern transfers to any PVU or VPC estate. The lessons are operational, not legal.

1. ILMT health is the whole defense: a misconfigured agent costs full capacity counting on that host.
2. Bundle entitlements need a living map: component claims at standalone rates are routine and reversible.
3. Decommissioning needs evidence: instances that left service without records stayed in the claim.
4. Timing is leverage they use: fiscal year pressure is priced into the demand; remove it by refusing the clock.

What changed at the agency afterward?

Quarterly ILMT health checks, an entitlement registry, and decommissioning evidence as a change management gate. The next audit starts from a measured baseline instead of a reconstruction project.

What to do next

1. Verify ILMT deployment and reporting health on every host running IBM software.
2. Build the entitlement map, including bundle and component relationships.
3. Reconcile deployment records against the last audit or baseline position.
4. Document decommissioning with dated evidence.
5. If a claim arrives, rebuild the measured position before any settlement talk.
6. Engage independent defense before responding to the audit letter.

The IBM audit defense playbook covers the full sequence, and the IBM audit defense service runs it on your side. More cases sit in the case study library.

Frequently asked questions

How much was the IBM audit claim reduced in this case?

The settlement closed 86 percent below IBM's opening claim. The reduction came from ILMT remediation and historical sub capacity reconstruction, bundle entitlement mapping, and removal of decommissioned instances from the claimed estate.

Why did IBM claim full capacity licensing?

IBM's sub capacity terms require ILMT or an accepted alternative to be deployed and reporting correctly. The agency's ILMT was misconfigured on roughly a third of hosts, so the audit priced those hosts at full physical capacity, which inflated the claim dramatically.

Can historical ILMT gaps be repaired after an audit starts?

Often, yes. In this case the team reconstructed historical consumption from VM inventory, hypervisor logs, and change records, and IBM accepted the evidence for the bulk of the estate. Reconstruction is harder than maintenance, but it is rarely impossible.

Should you negotiate an IBM audit settlement early?

No. Early negotiation anchors to IBM's inflated opening number. In most defenses we ran in 2024 to 2025, the findings collapsed under evidence reconstruction before commercial talks began. Rebuild the measured position first, then negotiate once.

What should public sector IBM customers do before any audit?

Verify ILMT health quarterly on every IBM host, maintain a living entitlement map including bundles, and gate decommissioning on dated evidence. Estates with those three disciplines settle audits at a fraction of opening claims, or avoid material findings entirely.