The Governance Gap: What IDC’s 2026 Data Reveals About AI and the Software Supply Chain

In a landscape where executive teams demand immediate AI integration, engineering and security leaders find themselves navigating a complex operational balancing act. To explore how organizations can accelerate delivery pipelines without introducing fatal security risks, JFrog recently hosted a virtual panel discussion titled “Agentic Software Delivery in 2026: How to Bridge the Gap Between AI Ambition and Delivery Confidence.” The session brought together George Mironescu, Associate Research Director at IDC, alongside JFrog’s Yuval Fernbach (VP and CTO of JFrog ML) and Asaf Barkan (Senior Director of Product), for a candid conversation at the intersection of enterprise AI adoption, pipeline governance, and software delivery.
AI Adoption is Outpacing Governance
While corporate AI adoption accelerates at a breakneck pace, the frameworks required to govern it are lagging far behind. That gap is quantified in the newly released IDC 2026 Software Engineering Challenges Report, which surveyed 1,000 enterprise and mid-sized organizations globally across the United States, Europe, Asia, and the Middle East.
AI has unequivocally captured market focus, emerging as the absolute number-one strategic mandate for organizations heading into 2026. This top-down mandate places massive operational pressure on software delivery teams to execute on corporate AI ambitions immediately. However, the report highlights a widening gap between this corporate ambition and actual governance readiness, establishing it as the defining operational challenge of the year.
Shadow AI is the new Shadow IT
Ask most engineering leaders when they plan to implement AI governance, and you’ll hear some version of the same answer: after the next release, after the pilot, once we have more data. The problem is that AI is already inside the supply chain, and it didn’t wait for an invitation.
Shadow AI has already replaced Shadow IT as the primary unmanaged threat inside the enterprise. Developers aren't waiting for official approval; they want to be productive, whatever the cost. As a result, they're pulling code suggestions through personal accounts, using unvetted third-party plugins, and embedding AI-generated code blocks directly into production environments. Every day that organizations delay governance, that footprint grows. Simply blocking or blacklisting AI tools doesn't solve the problem; it pushes developer usage underground. The only viable path forward is acknowledging this reality and building platform-level guardrails that manage AI adoption safely within corporate security and governance practices.
The Misconception Putting Pipelines at Risk
As automated coding tools proliferate, a serious architectural misconception has taken hold: the idea that AI agents can be trusted to self-police compliance and validation. They can’t.
AI agents operate non-deterministically. They don’t understand word-of-mouth policies, unwritten developer best practices, or the contents of a shared wiki. If compliance boundaries exist only in documentation or verbal agreements, automated agents will bypass them entirely. When a coding agent tries to resolve a bug, it may hallucinate package names or silently pull vulnerable open-source dependencies from public repositories like npm or PyPI. By the time those flawed or malicious components are discovered, they’ve already blocked builds and wiped out any velocity gain the agent provided.
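One way to turn a wiki-only dependency policy into a guardrail an agent cannot talk its way past is a gate that checks every package an agent adds against a curated registry before the build proceeds. The example below is added here and is not JFrog's or IDC's code; the approved-package table and the sample requirements file are constructed stand-ins for an internal artifact registry and an agent-generated manifest.

```python
import re
from dataclasses import dataclass

# Constructed allowlist standing in for a curated internal registry
# (assumption: a real gate would query the artifact platform instead).
APPROVED = {
    "requests": {"2.31.0", "2.32.3"},
    "flask": {"3.0.3"},
    "cryptography": {"42.0.8"},
}

# Only exact '==' pins are accepted; ranges and bare names fail the gate.
REQ_LINE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([A-Za-z0-9.+!-]+))?\s*$"
)


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def evaluate_requirements(text, approved=APPROVED):
    """Return one Finding per requirement line that violates policy."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            findings.append(Finding(raw, "unsupported specifier; only '==' pins are allowed"))
            continue
        # Normalize the name the way package indexes do (case, '_' vs '-').
        name, version = m.group(1).lower().replace("_", "-"), m.group(2)
        if name not in approved:
            findings.append(Finding(raw, f"'{name}' is not in the approved registry (possible hallucinated name)"))
        elif version is None:
            findings.append(Finding(raw, f"'{name}' is not pinned to an approved version"))
        elif version not in approved[name]:
            findings.append(Finding(raw, f"'{name}=={version}' is not an approved version"))
    return findings


def gate(text, approved=APPROVED):
    """True only when every line passes; wire this into the CI step before install."""
    return not evaluate_requirements(text, approved)


# Constructed sample of what an agent might emit while "fixing" a bug.
SAMPLE = "requests==2.32.3\nflask\nrequets==2.31.0  # misspelled name\ncryptography>=41.0\n"
```

Running `evaluate_requirements(SAMPLE)` flags the unpinned, misspelled and range-specified lines while letting the approved pin through.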
The Path Forward
The solution requires a fundamental shift in how governance is applied, but it has nothing to do with slowing down AI adoption or restricting what agents can do. The organizations getting this right aren’t working harder; they’re building smarter guardrails at the software supply chain layer. Most organizations are still at the early stages, and the decisions made now will determine whether the path to autonomous pipelines is controlled or chaotic.
Watch the full webinar recording to find out:
- What platform-level governance actually looks like in practice
- Which failure patterns to watch for before they block your builds
- What the organizations successfully scaling autonomous pipelines have in common
Read the full IDC Report
Want the full data? Download the full IDC Report: Key Software Delivery Challenges and Pain Points in 2026.