Maintaining a Defensible Java Inventory
When an Oracle audit lands, the organization that can show exactly where Java runs, which builds are Oracle, and who owns each one is already winning. A defensible Java inventory is the foundation of every other control, and it is more achievable than most teams assume.
The artifact that decides the audit
Ask any buyer-side advisor what they want first when an LMS letter arrives, and the answer is the inventory. Not Oracle's view of your estate, yours. A current, reconciled record of every Java runtime, separating Oracle builds from free OpenJDK distributions and naming the owner of each, is what lets you answer an audit from your own evidence rather than accepting Oracle's reconstruction. Without it you are negotiating blind. With it you set the terms of the conversation.
The metric explains the urgency. Since January 2023 Oracle has priced Java SE on the Universal Subscription, a per-employee charge of 5.25 to 15.00 dollars per employee per month that counts every full-time and part-time employee, every contractor, and every temporary worker, regardless of who uses Java. LMS audits intensified in 2026 with a three-year lookback. The inventory is how you prove what is genuinely Oracle, what is not, and how small your true Oracle Java footprint really is.
What defensible means
An inventory is defensible when it is complete, current, and evidenced. Complete means it covers every device and server, including build pipelines and contractor-managed systems, not just the obvious estate. Current means it is reconciled on a regular cadence against live discovery data, not assembled once and left to rot. Evidenced means each entry can be traced to a source, so when Oracle questions a number you can show where it came from. An inventory that meets all three tests carries weight in a negotiation. One that fails any of them invites Oracle to substitute its own assumptions.
What every entry should capture
Vendor and version
The most important field is the one most inventories miss: whether a runtime is an Oracle build or a free OpenJDK distribution, and which version. This distinction is the whole basis of the licensing question, so capture it precisely.
Host and owner
Every runtime needs a home and a responsible owner. Ownership matters because it lets you ask why a runtime exists and whether it still needs to.
License basis
Record why each Oracle runtime is there and under what justification, drawn from the approval workflow for new deployments. This turns the inventory from a list into a record of decisions.
Source of truth
Note where the data came from, whether discovery tooling, configuration management, or manual confirmation, so the entry is traceable under challenge.
An inventory schema
| Field | Example |
|---|---|
| Host | app server, finance cluster |
| Runtime vendor | Free OpenJDK distribution |
| Version | 17 |
| Owner | Finance platform team |
| License basis | Default free runtime, no Oracle exposure |
| Source | Discovery scan, reconciled this quarter |
Indicative only. Keep the schema lean enough to maintain. An inventory that is too elaborate to keep current is worse than a simple one that is always true.
Keeping it current without heroics
The failure mode is always the same: a thorough inventory built once for an audit, then abandoned until the next one. The fix is automation plus a light human cadence. Discovery and endpoint tools should feed runtime data continuously, distinguishing Oracle from free builds where they can. A quarterly reconciliation then resolves the gaps, confirms ownership, and records any new Oracle Java exceptions. This connects to controlling Java downloads across the organization, because the fewer stray installs you allow, the less the inventory has to chase. Maintained this way, the record stays true with modest effort, and it is ready the moment an audit arrives.
Building and keeping the inventory
- Discover everything. Use tooling to find every Java runtime across servers, endpoints, pipelines, and contractor systems.
- Classify by vendor. Separate Oracle builds from free OpenJDK distributions, the distinction that drives the whole licensing question.
- Assign owners. Give every runtime a responsible owner who can explain why it exists.
- Record the basis. Capture the justification for each Oracle runtime from the approval workflow.
- Reconcile quarterly. Resolve gaps against live discovery so the inventory stays defensible, not just complete once.
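
The reconciliation step can be automated as a check of each entry against the three defensibility tests (complete, current, evidenced). The following is an added example, not part of the original article: the record layout follows the schema above, while the `reconciled` date field, the discovery feed format, the 92-day quarter window, the one-runtime-per-host simplification and all host names are assumptions made for illustration.

```python
from datetime import date

# Constructed sample data. Inventory uses the article's schema fields plus a
# hypothetical "reconciled" date; one runtime per host is assumed for brevity.
INVENTORY = [
    {"host": "fin-app-01", "vendor": "OpenJDK", "version": "17", "owner": "Finance platform team",
     "license_basis": "Default free runtime", "source": "Discovery scan", "reconciled": date(2026, 3, 10)},
    {"host": "hr-batch-02", "vendor": "Oracle", "version": "8", "owner": "",
     "license_basis": "", "source": "Manual confirmation", "reconciled": date(2025, 6, 1)},
    {"host": "ci-runner-07", "vendor": "OpenJDK", "version": "21", "owner": "Build team",
     "license_basis": "Default free runtime", "source": "", "reconciled": date(2026, 3, 12)},
]
DISCOVERY = [  # constructed (host, vendor) pairs as a discovery tool might report them
    ("fin-app-01", "OpenJDK"), ("hr-batch-02", "Oracle"),
    ("ci-runner-07", "Oracle"), ("contractor-vm-3", "Oracle"),
]

def reconcile(inventory, discovery, today, max_age_days=92):
    """Return sorted (host, finding) pairs for entries that fail a defensibility test."""
    findings = []
    by_host = {e["host"]: e for e in inventory}
    seen = dict(discovery)
    # Complete: everything discovery sees must be recorded with the same vendor.
    for host, vendor in seen.items():
        entry = by_host.get(host)
        if entry is None:
            findings.append((host, "incomplete: discovered but not in inventory"))
        elif entry["vendor"] != vendor:
            findings.append((host, f"vendor mismatch: inventory={entry['vendor']} discovery={vendor}"))
    for host, e in by_host.items():
        if host not in seen:
            findings.append((host, "unverified: in inventory but not seen by discovery"))
        # Current: reconciled within the last quarter.
        if (today - e["reconciled"]).days > max_age_days:
            findings.append((host, "stale: not reconciled this quarter"))
        # Evidenced: every entry names its source and its owner.
        if not e["source"]:
            findings.append((host, "unevidenced: no source recorded"))
        if not e["owner"]:
            findings.append((host, "no owner assigned"))
        if e["vendor"] == "Oracle" and not e["license_basis"]:
            findings.append((host, "Oracle runtime without license basis"))
    return sorted(findings)

if __name__ == "__main__":
    for host, finding in reconcile(INVENTORY, DISCOVERY, today=date(2026, 3, 31)):
        print(f"{host}: {finding}")
```
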
Build the governance once and the next audit finds a tidy estate instead of a surprise. For the full buyer-side playbook, download the Oracle Java Audit Survival Guide.
The fields auditors probe hardest
When an LMS reviewer examines an inventory, attention falls on a few fields. The vendor classification is first, because the whole question is which runtimes are Oracle and which are free. Expect that classification to be tested, so it must be evidenced rather than asserted. Version is next, since older Oracle builds carry support and licensing implications that a reviewer will pursue. Then comes coverage: a reviewer will ask whether the inventory truly spans the estate or only the parts that were easy to scan, and gaps are where assumptions get inserted against you. An inventory that anticipates these probes, with clear classification, accurate versions, and demonstrable coverage including pipelines and contractor systems, leaves little room for the claim to inflate.
The lesson is to build the inventory for scrutiny, not just for your own comfort. Every field should be one you would be content to defend line by line, because in an audit that is exactly what happens.
From inventory to defended residual
The inventory is not an end in itself. Its purpose is to let you draw a hard line around your genuine Oracle Java footprint and migrate everything outside that line to a free distribution. Read the inventory that way and a pattern usually emerges: a large majority of runtimes are already free or could be, and only a small set genuinely depends on Oracle. That small set is your residual, and it is what you negotiate against rather than your full population. Each runtime you can reclassify or migrate shrinks the residual further. The inventory turns a vague sense that you are overexposed into a specific, costed plan for reducing it, which is the difference between hoping for a discount and engineering one.
This is also what makes the inventory worth maintaining between audits. An estate that drifts re-inflates the residual, while a governed one keeps it small. The work compounds: every quarter the gap between what Oracle would claim and what you can defend grows in your favor.
Questions about the inventory
How accurate does it really need to be?
Accurate enough to defend each entry. An inventory you cannot stand behind is worse than none, because a single wrong classification undermines confidence in the whole record.
Can we rely on automated discovery alone?
Discovery does the heavy lifting, but a quarterly human reconciliation resolves the gaps it cannot, confirms ownership, and records new exceptions. Automation plus cadence is the durable answer.
What about systems we cannot scan?
Cover them contractually and confirm by other means. A known, documented blind spot is manageable. An unknown one is what an audit exploits.
How a buyer-side advisor helps
Most organizations can stand up governance themselves, and the controls described here are deliberately practical. Where an independent buyer-side advisor adds value is in calibration and timing: knowing which evidence an LMS reviewer actually weighs, where Oracle's opening number is softest, and how to turn a clean estate into a smaller defended residual. We sit between you and Oracle and we never take vendor money, so the advice points one way only.
We work two ways, both built so the risk sits with us. A Fixed Fee starts from $18,000, agreed up front and backed by our guarantee. Or you can choose Gainshare, a share of verified savings or avoided exposure, with zero retainer and no risk to you. Across the work we do, we have defended more than $120M in Java exposure and over 300 Java audits, with more than 20 years of combined experience on the buyer side of the table, and an average reduction of 68 percent versus Oracle's opening number.
Where to go next
The inventory underpins everything else. Build it alongside download controls and a standing governance function, and ground the approach in our Oracle Java licensing guide for 2026. Know your own estate better than Oracle does and the audit stops being a threat.
Download the guide.
Get the Oracle Java Audit Survival Guide for the complete buyer-side playbook, then bring your questions to a Strategy Call.