NY Government IBM audit defense. 88 percent exposure reduction.

How a New York government entity rebuilt ILMT evidence and entitlement history to cut a 32 million dollar IBM audit claim by 88 percent.

What was the situation when the audit landed?

A New York state government entity received a formal IBM audit notice covering its full software estate: WebSphere, Db2, and a long tail of middleware accumulated through two decades of integrator led projects. The initial findings letter priced the exposure at 32 million dollars.

The headline number rested on full capacity PVU calculations. ILMT, required for sub capacity licensing under the License Metric Tool rules, had coverage gaps across two virtualized clusters, and the auditors priced every gap at the theoretical maximum.

What the findings letter actually claimed

• Full capacity PVU exposure: two clusters priced at total physical capacity for products deployed on fractions of it.
• Orphan installs: middleware components from integrator projects, installed but never used in production.
• Bundle confusion: entitlements purchased inside larger agreements that the entitlement record never itemized.

Why public sector defenses differ

Government entities cannot simply buy their way out with a forward looking ELA, because procurement law requires competition for new spend. That removes IBM's favorite settlement instrument and makes the factual rebuild the only viable path, which, run well, produces better outcomes.

How was the 32 million claim rebuilt?

The claim was rebuilt by restoring sub capacity evidence, classifying every install, and reconciling twenty years of entitlement paper. Each workstream attacked a different layer of the inflation.

The ILMT recovery that carried the case

Virtualization platform logs, capacity records, and configuration exports reconstructed historical CPU allocations for the gap period. IBM accepted the reconstruction as sub capacity evidence for the majority of the affected quarters, collapsing the largest single component of the claim. The lesson under Passport Advantage terms: broken ILMT is recoverable if the underlying telemetry survived.

The entitlement archaeology

Twenty years of orders, novations, and bundle purchases were reconciled into a single entitlement baseline. Several alleged gaps dissolved against line items the entity already owned but had never mapped, a pattern we see in most long tenure IBM estates.

What did the audit settle at?

The audit settled at 3.8 million dollars, an 88 percent reduction from the 32 million dollar opening claim, resolved through factual rebuttal and a compliant procurement of genuinely needed entitlements. No forward ELA was signed under audit pressure.

Where the common advice on IBM audits is wrong

The standard advice is that a broken ILMT history makes full capacity exposure unavoidable, so settle quickly before penalties grow. We disagree. In roughly 15 of the 20 to 30 IBM defenses Fredrik Filipsson ran in 2024 to 2025, retroactive sub capacity evidence rebuilt from hypervisor logs was accepted for most or all of the gap period, cutting the dominant claim component by 70 to 90 percent. The buyer side move is to treat ILMT gaps as an evidence problem, not a liability admission, and to refuse settlement framing until the factual baseline is rebuilt. Auditors price the gap at maximum because most buyers never check whether the telemetry survived.

An ILMT gap is an evidence problem, not a confession. If the hypervisor logs survived, the sub capacity position is rebuildable, and the claim collapses with it.

What should other buyers take from this?

The 88 percent reduction came from work any large IBM estate can replicate: telemetry preservation, install classification, and entitlement reconciliation, executed before settlement conversations began.

• Preserve virtualization telemetry: hypervisor logs are retroactive ILMT evidence; never let retention policies destroy them.
• Classify before conceding: installed is not deployed, and deployed is not production; each classification carries different money.
• Reconcile the paper trail: long tenure estates usually own more than their entitlement record shows.

What to do next

1. Verify ILMT coverage across every virtualized cluster running PVU products today.
2. Extend log retention on hypervisor and capacity data to audit defense horizons.
3. Build the consolidated entitlement baseline before any notice arrives.
4. Classify all installs: production, non production, decommissioned, never deployed.
5. If audited, refuse settlement framing until the factual rebuild is complete.
6. Resolve genuine gaps through compliant procurement, not pressure priced bundles.

The IBM practice runs audit defense as a managed engagement, the IBM hub carries the ILMT and PVU guides, and audit defense kits cover the response templates.

Frequently asked questions

How much was the IBM audit claim reduced?

From 32 million dollars to 3.8 million, an 88 percent reduction, through rebuilt sub capacity evidence, install classification, and entitlement reconciliation rather than commercial settlement.

Can ILMT gaps be fixed retroactively in an IBM audit?

Often, yes. Hypervisor logs, capacity records, and configuration exports can reconstruct historical CPU allocations, and IBM accepted that reconstruction for most affected quarters in this defense.

Why do IBM audit claims start so high?

Because missing ILMT coverage lets auditors price PVU products at full physical capacity, typically 5 to 10 times the sub capacity reality, and most buyers never test whether the evidence is rebuildable.

How do public sector IBM audits differ?

Procurement law bars the quick forward looking ELA settlement IBM prefers, so resolution must run through factual rebuttal and compliant tendering, which produces cleaner outcomes when the evidence work is done.

What should we do before any IBM audit notice?

Verify ILMT coverage on every virtualized cluster, extend hypervisor log retention, consolidate the entitlement baseline, and classify installs. The defense is built before the notice, not after.