CASE STUDY · INSURANCE
Insurer Establishes Continuous License Monitoring
In this case study, an insurer establishes continuous license monitoring so a relicensing event in its dependency tree is detected as it happens rather than at the next audit, keeping open source exposure contained between reviews. This is an anonymized composite. It names no client and no vendor relationship beyond the public facts of the license changes referenced.
Situation
A multi-line insurer ran a large software estate spread across underwriting, claims, and customer platforms, much of it built on open source. The firm had completed a thorough open source license audit a year earlier, which produced a clean inventory and a clear view of its exposure at that moment. The audit was good work, but it captured a single point in time. As the months passed, new dependencies entered the estate, versions changed, and the wider relicensing wave continued. The inventory that had been accurate on the day of the audit slowly drifted out of date, and no one could say with confidence how far.
The trigger
The drift became concrete when a component the firm depended on relicensed several months after the audit. The change sat unnoticed because nothing was watching for it. The audit cycle would not come around again for the better part of a year, and the relicensed component would have remained invisible until then. The insurer's risk function drew the obvious conclusion. A one-time audit answers the question of where you stand today, but licenses keep changing, and the gap between audits is exactly where a relicensing event can hide. The firm needed to shorten that gap from a year to days.
Approach
We started from the existing audit rather than rebuilding from scratch, refreshing the dependency inventory and confirming the license state of each component. The clean baseline became the reference against which change would be measured. We then designed a continuous monitoring approach that watched the license state of every dependency on an ongoing basis, drawing on the firm's software composition analysis tooling and its software bill of materials so that the same map satisfying a regulator also served as the early warning system for license change.
The monitoring was wired to flag two events. The first was the arrival of any new component whose license fell outside the firm's allowlist. The second was a change in the license of an existing component, which is the signal a relicensing event produces. Each flag routed to a named owner with enough context to act, separating the small number of items that mattered from the routine churn of an active estate. We kept the legal interpretation of any specific license with the insurer's own counsel, while the monitoring supplied the timely facts that told counsel and the risk function when a question even needed asking.
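One way to implement the two checks described above, as an added example that is not the insurer's tooling or any vendor's product. It diffs a baseline inventory against a current SBOM-style inventory, raises only the two events that matter, and routes each to a named owner; the allowlist, component names, versions, licenses and owner names are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist and ownership routing; real values come from the
# firm's governance policy, not from this example.
ALLOWLIST = {"MIT", "Apache-2.0", "BSD-3-Clause"}
OWNERS = {"claims-rules": "claims-platform-lead", "policy-pdf": "underwriting-lead"}
DEFAULT_OWNER = "oss-governance"  # hypothetical catch-all owner for unmapped components

@dataclass(frozen=True)
class Flag:
    kind: str            # "NEW_DISALLOWED" or "LICENSE_CHANGED"
    component: str
    old_license: Optional[str]
    new_license: str
    owner: str           # named owner the flag routes to

def diff_licenses(baseline: list, current: list) -> list:
    """Compare two inventories (name/version/license records) and return only
    the two events that matter; a version bump with an unchanged license and a
    new allowlisted component are routine churn and stay silent."""
    base = {c["name"]: c["license"] for c in baseline}
    flags = []
    for comp in sorted(current, key=lambda c: c["name"]):
        name, lic = comp["name"], comp["license"]
        owner = OWNERS.get(name, DEFAULT_OWNER)
        if name not in base:
            if lic not in ALLOWLIST:
                flags.append(Flag("NEW_DISALLOWED", name, None, lic, owner))
        elif base[name] != lic:
            flags.append(Flag("LICENSE_CHANGED", name, base[name], lic, owner))
    return flags

BASELINE = [  # constructed: license state recorded at the refreshed audit
    {"name": "claims-rules", "version": "2.1.0", "license": "Apache-2.0"},
    {"name": "policy-pdf", "version": "0.9.3", "license": "MIT"},
    {"name": "rate-tables", "version": "4.0.0", "license": "BSD-3-Clause"},
]
CURRENT = [  # constructed: state the SCA tooling reports some weeks later
    {"name": "claims-rules", "version": "2.2.0", "license": "Apache-2.0"},  # version bump, same license
    {"name": "policy-pdf", "version": "1.0.0", "license": "SSPL-1.0"},      # existing component relicensed
    {"name": "rate-tables", "version": "4.0.0", "license": "BSD-3-Clause"},
    {"name": "json-tools", "version": "1.4.1", "license": "MIT"},           # new, on the allowlist
    {"name": "geo-lookup", "version": "3.3.0", "license": "AGPL-3.0-only"}, # new, outside the allowlist
]

def run_check() -> list:
    """Run the two checks over the constructed inventories; two flags expected."""
    return diff_licenses(BASELINE, CURRENT)
```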
Outcome
The gap between a license change and its detection fell from a full audit cycle to a matter of days. The insurer no longer relied on an annual snapshot to tell it where its exposure sat. It held a living view, refreshed continuously, that surfaced a relicensing event close to when it occurred and gave the firm room to respond while options were still cheap. The component that had relicensed during the previous gap became the kind of event the firm would now catch promptly rather than discover late.
Just as important, the monitoring changed the cost profile of license risk. Caught early, a relicensing event is a planning decision with several affordable paths open. Caught late, in an audit, it is an emergency with fewer and more expensive options. By compressing the detection window, the insurer turned a category of surprise into a managed signal, and its board gained a credible answer to the question of how it would know if a critical dependency changed terms.
Lessons for buyers
Three lessons carry across. First, an audit is a snapshot, not a safeguard. It tells you where you stand on one day, and a relicensing event the day after will not appear until the next one. Second, monitoring is cheaper than the surprise it prevents. The cost of watching license state continuously is small against the cost of discovering a relicensed dependency in an audit, with options already narrowed. Third, the early warning is only useful if a named owner receives it. A flag that routes nowhere is noise, so the routing and ownership matter as much as the detection.
This work was delivered through our open source governance and policy service, which sets the allowlist and ownership model, and our SBOM and dependency mapping service, which produced the living dependency map. For the wider context, see the governance and SBOM pillar and the open source license risk pillar.
COMMON QUESTIONS
Questions buyers ask.
What is continuous license monitoring?
Continuous license monitoring is the practice of keeping the license state of every dependency under ongoing watch, so a relicensing event is detected when it happens rather than at the next audit. It pairs a current dependency inventory with automated checks that flag any component whose license has changed.
Why did the insurer move from a one-time audit to monitoring?
A one-time audit captures a single moment, and licenses change between audits. The insurer found that a relicensed component could sit unnoticed for a full audit cycle, so it moved to continuous monitoring to shorten the gap between a license change and the moment it was caught.
Is this a real named insurer?
No. This is an anonymized composite drawn from common patterns in financial services and insurance engagements. It names no client and no vendor relationship beyond the public facts of the license changes referenced.
Is a case study legal advice?
No. We provide commercial and licensing risk advisory, not legal advice. For interpretation of any license and how its terms apply, we recommend your own counsel.
CONTAINMENT
Catch a license change in days, not at audit.
A confidential open source license risk assessment. Independent, buyer side, paid only by you.
Not ready to talk? Read the free open source license risk guides first.