Microsoft, IBM and SAP run the most active enterprise software audit programs in 2026 — Oracle, long the reference point for audit aggression, has scaled formal audits back and now sits fourth, its enforcement energy redirected into Java subscription outreach and ULA-expiry pressure. Salesforce and Workday operate no formal customer audit program at all, ServiceNow reviews are rare and renewal-led, and the fastest-rising program in the index belongs to Broadcom (VMware).
Published 13 March 2026 · Last reviewed 19 May 2026
All figures on this page are modeled estimates — indicative, not audited measurements. Method in section 02.
The audit center of gravity has moved. For two decades the question “who audits hardest” had one answer. In 2026 it has three: Microsoft, IBM and SAP each run programs that are more active — by review volume, by likelihood of contact, and by share of inquiries reaching this directory — than Oracle’s formal audit machine, which our model places roughly 40% below its 2022 peak. Oracle remains fourth and far from dormant, but its motion has changed shape: fewer formal LMS/GLAS audits, more Java SE employee-metric outreach, more pressure applied at ULA certification and support-renewal moments.
Audit exposure is now broad, not deep. An estimated 62% of large enterprises received at least one formal audit or formal license review in the trailing 24 months, and audited organizations faced a median of two distinct vendor reviews in that window. The long tail is doing more of the work: vendors outside the six largest programs account for an estimated 38% of all review activity in 2026, up from roughly 29% in 2023 — driven by Quest, OpenText, Cloud Software Group (Citrix and TIBCO), SAS, Esri and the engineering-software vendors.
Ownership events predict audits better than anything else. The single sharpest 2026 signal is acquisition by a consolidator: Broadcom’s VMware program posted the largest year-over-year index gain (+14 points), and the pattern repeats at smaller scale across OpenText, Quest and Cloud Software Group portfolios. Where a product’s owner changes, review likelihood rises within 18 months in our model — consistently enough that we treat M&A on the vendor side as an early-warning signal, not a coincidence.
SaaS-native vendors still do not audit — they meter. Salesforce and Workday run no formal customer audit program; overage is surfaced by the platform and resolved commercially at renewal. ServiceNow conducts occasional license reviews, almost always inside a renewal conversation. The compliance risk with these vendors is real but takes a different shape: it arrives as a renewal-quote line item, not a letter from an auditor, which is why this report scores enforcement mechanisms rather than audits alone.
Defense continues to pay for itself. Across defended engagements in our model, the median settlement closes at 36% of the first compliance claim, with the spread (28–45%) explained mostly by how early professional help arrived and whether an effective license position existed before the audit began. Figures are indicative; mechanics are covered in section 10.
The LAD Audit Activity Index is a composite score from 0 to 100, one per vendor, modeling how much license-enforcement activity a large enterprise should expect from that vendor in 2026. It blends four inputs: (1) the inquiry flow reaching this directory — which vendors buyers are seeking audit defense and negotiation help against, used as proportions, never absolute counts; (2) the public record — vendor disclosures, licensing-program and metric changes, enforcement litigation, and authorized-auditor program structures; (3) practitioner reporting across the ITAM and licensing community, including published audit-frequency surveys; and (4) engagement-mix signals from the audit-defense market itself, smoothed across firms and quarters.
Estimates are calibrated to a consistent reference profile: organizations of 2,000+ employees with multi-vendor estates, across manufacturing, financial services, healthcare and pharmaceuticals, the public sector, retail, energy and utilities, technology and telecommunications, in North America, Europe, the Middle East and Asia-Pacific. “Formal audit likelihood” is the modeled probability that such an organization, holding the vendor’s products at typical enterprise scale, receives a formal audit or formal license review from that vendor within a 24-month window.
What this is not. This is not a controlled survey, and the percentages are not audited measurements — they are modeled estimates, rounded to whole points, published because buyers otherwise plan against anecdote. Where our inputs disagree, the index takes the conservative reading. Cells too thin to model are suppressed rather than guessed. Every figure on this page should be read as indicative; where a decision turns on one number, commission a position of your own — the compliance assessment page covers how. The index is refreshed as the inputs move, and the visible review date above reflects the last pass.
License Audit Defenders, Software Vendor Audit Activity Report 2026, licenseauditdefenders.com/benchmarks/, 2026. Figures and tables may be reproduced with attribution and a link to this page (CC BY 4.0). Label reproduced figures as modeled estimates, as we do.
The twelve most active programs, by index score. The full 50-vendor table is in section 06.
| # | Vendor | Index (0–100) | 24-mo audit likelihood | Primary mechanism | Trend YoY |
|---|---|---|---|---|---|
| 1 | Microsoft | 84 | 31% | Formal audit + SPLA review + true-up enforcement | ↑ +3 |
| 2 | IBM | 79 | 27% | Third-party formal audit (authorized auditors) | ↑ +2 |
| 3 | SAP | 74 | 24% | Annual measurement + enhanced audit | → 0 |
| 4 | Oracle | 69 | 20% | Soft review + Java outreach + ULA certification | ↓ −5 |
| 5 | Broadcom (VMware) | 67 | 19% | Formal audit + subscription compliance review | ↑ +14 |
| 6 | Quest Software | 58 | 14% | Formal audit | ↑ +4 |
| 7 | OpenText (incl. Micro Focus) | 56 | 13% | Formal audit | ↑ +5 |
| 8 | Broadcom (CA & Symantec) | 54 | 12% | Formal audit + portfolio-license conversion | ↑ +3 |
| 9 | Citrix (Cloud Software Group) | 52 | 12% | Formal audit + license-model migration review | ↑ +6 |
| 10 | SAS | 49 | 10% | Renewal-led review | → 0 |
| 11 | Adobe | 48 | 10% | Compliance outreach + ETLA true-up | → +1 |
| 12 | Autodesk | 47 | 9% | Telemetry-led compliance outreach | ↓ −2 |
Modeled estimates · indicative · large-enterprise reference profile · trend = index points vs 2025
Microsoft (index 84, 31% 24-month likelihood) runs the broadest enforcement surface in the industry, and in 2026 it is the most active program in this index for the third consecutive year. The volume comes from breadth rather than ferocity: SPLA reviews of service providers, formal audits of on-premises server estates (SQL Server core licensing and Windows Server virtualization rights remain the two findings that pay for the program), unlicensed-use outreach generated by Microsoft 365 telemetry, and true-up enforcement inside Enterprise Agreements. Our model attributes 24% of all audit-defense inquiry flow to Microsoft — the largest single share — and notes a 2026-specific driver: organizations trimming M365 E5 seats or resisting Copilot attach at renewal report elevated review attention within two quarters. Defense and negotiation specialists for this program are listed at Microsoft audit defense.
IBM (index 79, 27%) operates the most procedurally formal program of the four: audits are executed by authorized third-party auditors under a defined contractual clause, on multi-month timetables, and the findings hinge disproportionately on one artifact — ILMT. An estimated 70%+ of material IBM findings involve sub-capacity eligibility failures, where missing or misconfigured ILMT deployment converts virtualized estates to full-capacity PVU counts, multiplying exposure by factors of four to ten. IBM audits run longest of any major vendor (median 9.5 months in our model, against an all-vendor median of 6) and produce the largest median first claims. The shift of Passport Advantage estates toward subscription has not slowed the program; legacy PVU and Cloud Pak conversion gaps are 2026’s growth findings. See IBM audit defense.
SAP (index 74, 24%) is unique in baking measurement into the contract: the annual system measurement (USMM/LAW) means every customer is, in a limited sense, audited every year. The index therefore scores SAP on its enhanced reviews — the deeper engagements that follow anomalous measurements or precede commercial flashpoints. Two findings dominate 2026: indirect/digital access (third-party systems writing to SAP, priced per document since 2018 but enforced with new energy as the 2027 ECC end-of-mainstream-maintenance date approaches) and user-classification drift, where professional-use patterns sit on limited licenses. RISE migration conversations are the program’s quiet lever — a measurement finding surfaced mid-negotiation reliably moves the deal. See SAP audit defense.
Oracle (index 69, 20%, trend −5) is the story of the year precisely because it is calmer. Formal LMS/GLAS audit volume in our model sits roughly 40% below its 2022 peak, and the classic database audit — processor counts, virtualization boundary disputes, options usage — now arrives less often than its reputation suggests. The energy went elsewhere: Java SE. Since the 2023 employee-metric change, Oracle’s Java outreach — soft letters, “license review” emails, download-log follow-ups — reaches more organizations than its formal audit program ever did; our model estimates roughly one large enterprise in four received Java-related contact in the trailing 24 months, most of it never escalating to formal audit. Add ULA certification pressure and support-lapse follow-ups, and Oracle remains a first-tier enforcement risk — just one that opens with an email rather than an audit clause. See Oracle audit defense.
Broadcom (VMware), +14 points, is the fastest-rising program ever recorded in this index. The mechanism is structural: the move from perpetual licenses to subscription bundles (VCF/VVF) created an entire customer base whose old entitlements no longer match the new catalog, and compliance review is the natural instrument for accelerating conversion. Our model puts 24-month review likelihood at 19% and climbing; organizations running perpetual vSphere past support expiry, or holding out on subscription migration, report the highest contact rates. On current trajectory the program passes Oracle’s index score in 2027. See Broadcom VMware audit defense.
The same ownership logic moves the rest of the riser list. Quest Software (+4) sustains one of the highest audit rates per dollar of vendor revenue in the index — a focused program around Toad, Foglight and the Microsoft-platform tools. OpenText (+5) inherited Micro Focus’s estate — and its audit posture — in 2023 and has consolidated enforcement across a very long product tail, where entitlement records are old and findings are easy. Cloud Software Group (+6 across Citrix and TIBCO) pairs license-model migration (Citrix universal subscription) with review activity concentrated on lapsed-maintenance perpetual estates. Broadcom’s CA and Symantec portfolios (+3) follow the playbook the company wrote before VMware: portfolio license agreement conversion, backed by audit. None of this is improper — review clauses are contractual rights — but the pattern is consistent enough that we treat vendor-side M&A as an early-warning signal of audit activity, worth roughly a 12–18 month head start for a prepared SAM team.
Salesforce (index 4) operates no formal customer audit program, and our model records no formal Salesforce-initiated audits of standard enterprise customers in the trailing 24 months. This is not generosity; it is architecture. A multi-tenant SaaS platform measures consumption continuously, so there is nothing to audit — overage in API calls, storage, or feature use is visible to the vendor in real time and surfaces as commercial pressure at renewal, where the negotiation (not the audit) is where value moves. The same applies to Workday (index 3): no formal audit program, with worker-count and FSE metrics trued at renewal. ServiceNow (index 12) sits slightly higher because occasional license reviews do occur — typically scoped checks on fulfiller-license counts and custom-table usage — but they are rare, renewal-adjacent, and resolved commercially. Atlassian, Snowflake and Databricks round out the abstainer group: consumption metering and automated true-ups, no audit letters.
The buyer implication is the report’s most practical: with SaaS-native vendors, the enforcement event is the renewal, and the preparation that matters is consumption hygiene and negotiation posture — not audit defense. Money saved on audit insurance against vendors who do not audit is better spent on the renewals where their leverage actually appears.
Scores model enforcement activity of any kind — formal audit, soft review, telemetry outreach, or metered true-up — against the large-enterprise reference profile. A low score is not a clean bill of health; it usually means the vendor’s leverage appears at renewal instead.
| # | Vendor | Segment | Index | 24-mo likelihood | Primary mechanism | YoY |
|---|---|---|---|---|---|---|
| 1 | Microsoft | Platform / cloud | 84 | 31% | Formal audit + SPLA review + true-up | ↑+3 |
| 2 | IBM | Platform / middleware | 79 | 27% | Third-party formal audit | ↑+2 |
| 3 | SAP | ERP | 74 | 24% | Annual measurement + enhanced audit | →0 |
| 4 | Oracle | Database / ERP / Java | 69 | 20% | Soft review + Java outreach + ULA certification | ↓−5 |
| 5 | Broadcom (VMware) | Infrastructure | 67 | 19% | Formal audit + subscription compliance review | ↑+14 |
| 6 | Quest Software | IT management | 58 | 14% | Formal audit | ↑+4 |
| 7 | OpenText (incl. Micro Focus) | Information mgmt | 56 | 13% | Formal audit | ↑+5 |
| 8 | Broadcom (CA & Symantec) | Mainframe / security | 54 | 12% | Formal audit + portfolio-license conversion | ↑+3 |
| 9 | Citrix (Cloud Software Group) | End-user computing | 52 | 12% | Formal audit + license-model migration review | ↑+6 |
| 10 | SAS | Analytics | 49 | 10% | Renewal-led review | →0 |
| 11 | Adobe | Creative / document | 48 | 10% | Compliance outreach + ETLA true-up | →+1 |
| 12 | Autodesk | Design / engineering | 47 | 9% | Telemetry-led compliance outreach | ↓−2 |
| 13 | TIBCO (Cloud Software Group) | Integration / analytics | 45 | 9% | Formal audit | ↑+4 |
| 14 | Veritas (Cohesity) | Data protection | 44 | 8% | Formal audit | →+1 |
| 15 | Informatica | Data management | 42 | 8% | Formal audit | →0 |
| 16 | Siemens Digital Industries | PLM / EDA | 41 | 8% | Formal audit + license-server log review | →+1 |
| 17 | Dassault Systèmes | PLM / CAD | 40 | 7% | Formal audit | →0 |
| 18 | PTC | PLM / CAD / IoT | 39 | 7% | Formal audit | →0 |
| 19 | Synopsys | EDA | 38 | 7% | Compliance review (license-server logs) | →0 |
| 20 | Cadence | EDA | 37 | 6% | Compliance review (license-server logs) | →0 |
| 21 | Esri | GIS | 35 | 6% | Renewal-led review + credit overage | ↑+2 |
| 22 | Teradata | Data warehouse | 34 | 6% | Renewal-led review | →0 |
| 23 | MathWorks | Engineering software | 33 | 5% | Compliance outreach | →+1 |
| 24 | Ansys | Simulation | 32 | 5% | License-server log review | →0 |
| 25 | Red Hat (IBM) | Open source / infra | 31 | 5% | Subscription compliance review | →+1 |
| 26 | BMC Software | IT operations | 30 | 5% | Formal audit | →0 |
| 27 | Software AG | Integration | 29 | 5% | Formal audit | →0 |
| 28 | Dell Technologies | Infrastructure | 28 | 4% | Contract compliance review | →0 |
| 29 | Cisco | Networking / software | 27 | 4% | True-up + smart-account reconciliation | →0 |
| 30 | Splunk (Cisco) | Observability / SIEM | 26 | 4% | Ingest-metering review | ↓−1 |
| 31 | Nutanix | Infrastructure | 24 | 4% | Renewal-led review | →+1 |
| 32 | Ivanti | IT management | 23 | 3% | Formal audit | →0 |
| 33 | AVEVA | Industrial software | 23 | 3% | Renewal-led review | →0 |
| 34 | Hexagon | Industrial / geospatial | 22 | 3% | Compliance review | →0 |
| 35 | Bentley Systems | Infrastructure design | 22 | 3% | Telemetry-led outreach | →0 |
| 36 | Trimble | Construction / geo | 21 | 3% | Renewal-led review | →0 |
| 37 | Altair | Simulation / HPC | 20 | 3% | License-server log review | →0 |
| 38 | Qlik | Analytics | 19 | 3% | Renewal-led review | →0 |
| 39 | Infor | ERP | 18 | 2% | Renewal-led review | →0 |
| 40 | Epicor | ERP | 17 | 2% | Renewal-led review | →0 |
| 41 | Sage | ERP / accounting | 16 | 2% | Compliance outreach | →0 |
| 42 | Unit4 | ERP | 15 | 2% | Renewal-led review | →0 |
| 43 | IFS | ERP / EAM | 15 | 2% | Renewal-led review | →0 |
| 44 | MicroStrategy (Strategy) | Analytics | 14 | 2% | Renewal-led review | →0 |
| 45 | ServiceNow | SaaS platform | 12 | 2% | Rare renewal-led review | →0 |
| 46 | Atlassian | SaaS / dev tools | 8 | <1% | Automated true-up; no audit program | →0 |
| 47 | Snowflake | SaaS / data cloud | 6 | <1% | Consumption metering; no audit program | →0 |
| 48 | Databricks | SaaS / data & AI | 5 | <1% | Consumption metering; no audit program | →0 |
| 49 | Salesforce | SaaS / CRM | 4 | 0% formal | No formal audit program; renewal-time pressure | →0 |
| 50 | Workday | SaaS / HCM & finance | 3 | 0% formal | No formal audit program; renewal true-up | →0 |
Modeled estimates · indicative · “0% formal” = no formal audit program observed; commercial enforcement at renewal still applies
Audit exposure tracks estate shape more than sector glamour: industries heavy in virtualized infrastructure, ERP customization and engineering tools attract the most review activity, while SaaS-first sectors see enforcement migrate to the renewal table. Share of large enterprises with at least one formal audit or formal license review in the trailing 24 months, by industry (modeled):
| Industry | Audited in 24 mo | Most active vendors in the segment | Characteristic finding |
|---|---|---|---|
| Manufacturing & automotive | 71% | SAP, Siemens, Microsoft, Dassault Systèmes | Indirect/digital access; license-server overdraw |
| Financial services & insurance | 68% | IBM, Microsoft, Oracle, Broadcom (VMware) | Sub-capacity (ILMT) failures; SQL core gaps |
| Telecommunications | 66% | Oracle, IBM, Broadcom (VMware) | Virtualization boundaries; ULA certification |
| Energy & utilities | 64% | SAP, Microsoft, Esri, AVEVA | User classification; geospatial seat drift |
| Public sector & education | 61% | Microsoft, Oracle (Java), Adobe | Java estate; M365 vs on-prem entitlement mix |
| Healthcare & pharmaceuticals | 59% | Microsoft, IBM, SAS | Server estates; analytics renewals |
| Retail & consumer goods | 55% | SAP, Microsoft, Salesforce (renewal) | Digital access from e-commerce front ends |
| Transport & logistics | 53% | SAP, Oracle, Quest | Interface counts; database options |
| Technology & software | 49% | Microsoft (SPLA), Broadcom (VMware) | Service-provider licensing; embedded use |
| Media & professional services | 46% | Adobe, Microsoft, Autodesk | Named-user sharing; contractor seats |
Modeled estimates · indicative · large-enterprise reference profile
Manufacturing’s position at the head of the table is structural and stable: it combines the deepest SAP estates (digital access exposure from shop-floor and supplier systems), the engineering-tool stack (where license-server logs make findings unusually provable), and long-lived on-premises infrastructure. Financial services follows on the strength of IBM and Microsoft server estates — and is, notably, the sector where defended settlement ratios are most favorable, which practitioners attribute to better record-keeping and earlier engagement of specialists. At the other end, technology and media sit lowest not because vendors spare them but because their estates moved to SaaS and consumption models earliest — their enforcement events have migrated to the renewal, where this index records them under different mechanisms.
Regional differences are narrower than folklore suggests, but real. Share of large enterprises audited or formally reviewed in the trailing 24 months, by region (modeled): North America 64%, DACH 63% (the densest SAP and engineering-software estates in Europe), Western Europe overall 61%, UK & Ireland 60%, Nordics 57%, Asia-Pacific 52%, Middle East 49% (rising fastest, +6 points year over year, as estates formalize and vendors staff regional compliance teams), and Latin America 44%. Enforcement style varies more than volume: third-party formal audits dominate in North America and DACH, while soft reviews and commercial settlement carry more of the load in APAC and the Middle East. Japan remains the outlier practitioners describe consistently — below-average audit volume, above-average settlement discipline when reviews do occur. Local procurement law, works-council dynamics and disclosure norms change how a defense runs; country-level context is on each country page of this directory.
| Trigger | Share | Mechanics |
|---|---|---|
| Renewal or agreement expiry approaching | 24% | Review timed to land findings inside the negotiation window |
| Merger, acquisition or divestiture (buyer side) | 19% | Entity changes void grants, duplicate estates, break assignment clauses |
| ULA / ELA / portfolio agreement expiry | 14% | Certification counts disputed; usage outside the bundle surfaces |
| Support lapse or move to third-party support | 12% | Departing maintenance revenue reliably draws review attention |
| Infrastructure change (virtualization, cloud moves, hardware refresh) | 11% | Core counts and sub-capacity eligibility reset overnight |
| Declining spend or seat reduction | 9% | Down-sell at renewal flags the account for compliance attention |
| Partner, reseller or telemetry intelligence | 6% | Download logs, deal registration data, sizing conversations |
| Cyclical / no identifiable trigger | 5% | Programmatic rotation through the customer base |
Modeled estimates · indicative · primary trigger per event; events can have several
Read as a planning tool, the table says one thing: audits are mostly predictable. Roughly seven in ten review events follow an observable commercial or structural event in the customer’s own house — a renewal date, a deal closing, a support decision, a migration. An organization that treats those four moments as audit-risk moments, and walks into each holding a current effective license position, has pre-empted the majority of its realistic audit exposure.
The engineering-software block — Siemens Digital Industries, Dassault Systèmes, PTC, Synopsys, Cadence, MathWorks, Ansys, Altair — occupies a distinctive corner of the index: 24-month likelihoods of only 5–8%, but outcomes that behave differently from every other segment. The reason is evidentiary. These products run against license servers, and license-server logs are the closest thing enterprise licensing has to a flight recorder: peak concurrent usage, named-user sharing, geography of checkouts and overdraw events are all recorded, timestamped, and difficult to argue with. Where a Microsoft or Oracle finding is often a negotiation about interpretation, an EDA finding is usually a negotiation about price.
The model reflects this in the settlement data: defended engineering and EDA matters settle at a median of 57% of first claim — nearly 20 points worse than the all-vendor median — because the facts are rarely reducible. What moves instead is structure: findings converted into forward token or subscription commitments, remix rights, and multi-year true-down protection. Two segment-specific patterns are worth flagging for 2026. First, remote and offshore checkout findings are growing fastest, as hybrid engineering teams pull licenses across borders that their agreements never contemplated — territory clauses in EDA agreements are enforced literally. Second, Esri’s credit-and-user-type model and Autodesk’s telemetry-led outreach show the segment’s direction of travel: continuous measurement, fewer formal audits, more data-armed renewal conversations — the SaaS enforcement pattern arriving in engineering software a decade late.
For buyers in this segment the implication inverts the usual advice: because findings are provable, the value of after-the-fact defense is capped, and the leverage lives almost entirely in before-the-fact hygiene — license-server monitoring that matches what the vendor would see, territory-clause review before teams relocate, and peak-usage management. The firms covering these vendors are indexed on each vendor page — e.g. Siemens, Synopsys, Dassault Systèmes — listed, not ranked.
The number that opens an audit and the number that closes it are different numbers. Modeled medians for the large-enterprise profile, defended engagements:
| Program | Median first claim | Defended settlement (share of first claim) | Median duration |
|---|---|---|---|
| IBM | $4.2M | 33% | 9.5 months |
| Oracle (formal audits) | $3.6M | 35% | 8 months |
| SAP | $2.9M | 36% | 7 months |
| Broadcom (VMware) | $2.4M | 41% | 6.5 months |
| Microsoft | $1.8M | 38% | 5 months |
| Engineering / EDA segment | $0.9M | 57% | 5 months |
| Long-tail programs (typical range) | $0.3–1.5M | 40% | 4–6 months |
Modeled estimates · indicative · all-vendor defended median = 36% of first claim, IQR 28–45% · all-vendor median duration = 6 months
The two variables that explain most of the settlement spread are timing and preparation. Defenses engaged after data has already been handed over settle roughly 12 points worse in our model than defenses engaged at the notification letter — scope control during data collection, not argument after it, is where audit defense earns its fee. And organizations holding a current, audit-grade effective license position settle roughly 15 points better than those reconstructing entitlements under audit deadline. Late engagement compresses options; early engagement compounds. Figures assume good-faith commercial resolution — litigated matters follow their own economics.
Two further patterns deserve a buyer’s attention. First, settlement currency is shifting from cash to commitment: an estimated 55% of 2026 settlements by value are structured as forward purchases — cloud commitments, subscription migrations, term extensions — rather than back-dated penalty fees, which suits both sides’ accounting and explains why audits cluster before renewals. Second, repeat exposure is real: organizations audited once by a vendor show materially elevated likelihood of a second review within four years where the first audit closed without a SAM remediation program. The audit is not an event; it is a relationship signal. Firms defending each major program are indexed by vendor — e.g. Microsoft, IBM, SAP, Oracle, Broadcom VMware — listed, not ranked, with balanced pros and cons.
The practical use of this report is not to fear the vendors at the head of the table; it is to map the index against your own next twelve months. The triggers in section 08 are mostly events you can see coming on your own calendar, which makes audit preparation schedulable. The pattern reported by SAM teams and defense firms alike: twelve months before a major renewal, refresh the effective license position for that vendor — commissioned privately, to audit grade, per the compliance assessment brief. Nine months out, remediate what the position found, while remediation is still a procurement choice rather than a settlement term. Before any M&A close, run license-assignment review on both estates — transfer clauses are the most commonly violated terms in enterprise agreements, and 19% of review events follow deals. Before any support lapse or third-party support move, assume review attention follows within the year and document the estate as of the decision date.
Three standing disciplines separate the organizations that experience the figures at the favorable end of this report’s ranges from those at the other end. A maintained entitlement archive — decades of purchase records, agreements and amendments in one place — because reconstructing entitlements under audit deadline is the single most expensive record-keeping failure in enterprise IT. A soft-letter protocol — Java outreach, “license review” emails and health-check offers get a defined response path (acknowledge, never volunteer data, route to the responsible owner and, where exposure is plausible, to a specialist) because in our model the worst outcomes follow silence and the second-worst follow over-sharing. And licensing sign-off inside change control — virtualization moves, cloud migrations and hardware refreshes change license positions overnight (11% of review events), so the licensing check belongs in the change ticket, not in the post-mortem. Organizations running a standing SAM function with these disciplines show median findings roughly 23% lower in our model than peers without one — before any audit defense is engaged at all. Managed options are indexed under software asset management.
Four developments are most likely to move next year’s index. Broadcom (VMware) continues its climb as subscription-conversion deadlines bite; we expect it to contest second place by late 2027. Oracle Java outreach is broadening down-market and increasingly converting ignored soft reviews into formal demands — silence is becoming the expensive response. SAP’s 2027 ECC maintenance horizon gives every annual measurement between now and then negotiation weight, with digital-access findings as the instrument; expect enhanced-review volume to rise into the deadline. And AI-feature licensing — Copilot seat compliance, AI add-on metering, GPU- and consumption-based terms — is creating the first genuinely new audit surface in a decade; no vendor has yet built an enforcement program on it, and at least one will. The watchlist, like the index, is a forecast: hold it to the same indicative standard, and check the review date above for the model’s last refresh.
By modeled 24-month audit likelihood for large enterprises: Microsoft (31%), IBM (27%) and SAP (24%) run the most active programs, followed by Oracle (20%) and Broadcom’s VMware portfolio (19%) — the fastest-rising program in the index. Quest, OpenText, Broadcom’s CA and Symantec lines, Citrix and SAS lead the second tier. All figures are indicative modeled estimates.
Yes, but the program has changed shape. Our model places Oracle’s formal audit volume roughly 40% below its 2022 peak; the classic database audit is now less common than its reputation suggests. The active motions in 2026 are Java SE employee-metric outreach — reaching an estimated one large enterprise in four over 24 months — ULA certification disputes, and support-lapse follow-ups. These usually open as soft reviews, and ignoring them is what converts them into formal demands.
Neither operates a formal customer audit program. As multi-tenant SaaS platforms they meter consumption continuously, so compliance issues surface as commercial pressure at renewal rather than as an audit letter. ServiceNow is similar but not identical: occasional, rare license reviews occur, almost always inside a renewal conversation. The enforcement risk with these vendors is real — it is simply priced into the renewal instead.
Roughly seven in ten review events in our model follow an observable event on the customer side: an approaching renewal or agreement expiry (24% of events), M&A activity (19%), ULA/ELA expiry (14%), a support lapse or move to third-party support (12%), or an infrastructure change such as virtualization or cloud migration (11%). Audits are therefore largely predictable — the preparation window opens when the trigger event does, not when the letter arrives.
In our model, median first claims for the large-enterprise profile range from about $1.8M (Microsoft) to $4.2M (IBM), and professionally defended matters settle at a median of 36% of the first claim (interquartile range 28–45%). Early engagement and a current effective license position are the two factors most associated with the favorable end of that range. Figures are indicative; this directory publishes no prices and no outcome guarantees.
From a composite model, not a survey: the directory’s own inquiry mix (proportions only), the public record of vendor programs and enforcement, practitioner reporting across the ITAM community, and smoothed engagement-mix signals from the audit-defense market. Every figure is a modeled estimate, labelled indicative, calibrated to a 2,000+ employee multi-vendor enterprise profile. Method and limitations are in section 02; reproduction is welcome with attribution.