US media company IBM audit. Claim cut 84 percent.

A US media company faced an IBM claim that priced abandoned project environments as live deployment. Verification, ILMT reconstruction, and entitlement consolidation settled it 84 percent lower.

What did IBM claim against the media company?

A leading US media company settled an IBM audit 84 percent below the opening claim after the measured position was rebuilt. The claim priced project based production infrastructure as permanent steady state deployment and counted abandoned project environments as live.

The estate ran WebSphere, MQ, and Db2 under Passport Advantage, with PVU sub capacity terms requiring ILMT coverage per the ILMT documentation. Coverage was solid in the broadcast core and absent in the project infrastructure layer.

How project infrastructure inflated the claim

Production projects provisioned environments fast and decommissioned them informally. The audit scan found IBM software on systems that had not served traffic in years, and full capacity PVU rates priced every one of them as current deployment.

The acquisition layer underneath

Two acquired studios brought their own middleware estates with entitlements in legacy entity names. On paper, deployments without matching entitlements; in fact, licensed software with a paperwork gap.

How was the claim cut by 84 percent?

Three defense tracks ran in parallel: deployment verification that separated live from abandoned, ILMT remediation with historical reconstruction, and entitlement consolidation across acquired entities. The settlement conversation started only after all three reported.

Proving abandonment without decommission records

Where formal records did not exist, the team evidenced abandonment through traffic logs, access histories, and infrastructure tickets. IBM accepted the reconstructed timeline for the bulk of the disputed systems, which removed them from the claim entirely.

Where the common advice on audit scope is wrong

The standard advice is to accept the auditor's deployment scan as the factual baseline and argue only about entitlements and pricing. We disagree. In roughly 16 of the 20 to 30 IBM defenses Fredrik Filipsson ran in 2024 to 2025, the scan itself was the most inflated input, because discovery tools count installation, not operation. The buyer side move is to verify every scanned system's operational status before conceding it into the baseline. An installed binary on an abandoned project server is not a deployment; it is a cleanup task that arrived with an invoice.

Discovery tools count installations. Invoices should count operations. The gap between those two numbers was 84 percent of this claim.

What should project heavy estates take from this?

Media, gaming, and engineering organizations share the pattern: fast provisioning, informal decommissioning, acquisition sprawl. The controls are the same in every vertical that builds infrastructure per project.

1. Decommissioning as a gate: project closure includes software removal with dated evidence.
2. ILMT scope at provisioning: project environments enter coverage when created, not when remembered.
3. Entitlement consolidation per acquisition: every deal closes with a license registry merge.
4. Operational status in the SAM register: installed versus operating tracked as separate states.

What changed at the media company afterward?

Project closure now gates on software removal evidence, ILMT covers the project layer from provisioning, and the entitlement registry spans all acquired entities. The estate can answer an audit letter from records instead of archaeology.

What to do next

1. Scan for IBM software on systems with no recent operational activity.
2. Build decommissioning evidence for abandoned environments before any audit does.
3. Extend ILMT coverage to project and burst infrastructure.
4. Consolidate entitlements across every acquired entity.
5. Add software removal to project closure gates.
6. If a claim arrives, verify the scan before negotiating the number.

The IBM audit defense playbook covers the full method, and the Italian retailer case shows the same defense in a seasonal estate. The IBM practice runs both sides: peacetime controls and live defense.

Frequently asked questions

How much was the US media company's IBM audit claim reduced?

The settlement closed 84 percent below the opening claim. Deployment verification of abandoned project environments, ILMT reconstruction, and entitlement consolidation across acquired studios removed the inflated layers.

Why did abandoned environments appear in the IBM audit?

Audit discovery tools count installed software, not operating software. Production project environments had been informally decommissioned with IBM binaries still present, and full capacity rules priced each one as live deployment.

Can you remove abandoned systems from an audit claim without decommission records?

Usually. In this case traffic logs, access histories, and infrastructure tickets evidenced abandonment, and IBM accepted the reconstructed timeline for most disputed systems. Formal records are better; reconstruction works.

What is the audit risk pattern for media and project based companies?

Fast project provisioning, informal decommissioning, and middleware inherited through acquisitions. Installed software accumulates on dead infrastructure, and audit scans price all of it until operational verification separates live from abandoned.

Should you accept the auditor's deployment scan as the baseline?

No. Verify every scanned system's operational status first. In most of our 2024 to 2025 IBM defenses the scan was the most inflated input in the claim, and conceding it early surrenders the largest reduction available.