The Tide of AI – Surfing the Tsunami of Binaries
AI is creating an overwhelming surge of digital artifacts and software components. The key to success is learning how to ride, secure, govern, and manage that wave – rather than being overwhelmed by it.
This weekend, I asked my team to watch Chasing Mavericks. Jay Moriarity (not J-Frog, but stay with me) was one of the most driven and determined surfers imaginable. His courage and spirit were extraordinary. But those virtues were shaped and refined by his mentor, Frosty Hesson. Jay became Frosty’s apprentice to learn how to surf the biggest waves on earth, a true story…
Everyone Wants a Special Agent. When Code Disappears, Governance Matters
On Friday, February 20th, the software world paused for a “big wave.” Anthropic announced Claude Code Security, a new capability embedded into its AI agent that scans source code for security vulnerabilities and suggests targeted patches for human review. It allows developers to find and fix issues that traditional methods often miss.
No doubt, this is a big leap forward. It reinforces something we already sense: Code is no longer just being written, it is increasingly being generated and often improved by AI.
The Anthropic announcement followed Elon Musk’s February 9th tweet:
“Code itself will go away in favor of just making the binary directly.”
Our co-founder and CTO, Yoav Landman, later broke this down in his blog, “From Prompt to Production: The New AI Software Supply Chain Security.” He connected the dots: the explosion of binaries and the rise of AI agents will require better governance built around a true system of record (SoR) for all binaries. Software supply chain security and governance are not separate from these changes; they need to be integrated.
If that wasn’t enough, on February 26th NVIDIA CEO Jensen Huang addressed a major misunderstanding about agentic AI, which speaks to another part of the puzzle. While some fear that AI will erode the importance of systems of record, more specifically the authoritative databases where enterprises store finalized information, Huang argued the opposite:
“AI agents still need ground truth. They need places to read from and write to. Systems of record exist precisely because humans need clarity, accountability, and shared understanding. AI doesn’t eliminate that need – it reinforces it.”
So far, so good, right? The value being delivered by JFrog seems clear and validated by some of the most influential voices in AI.
Wrong.
On the very day of the Anthropic announcement, the cybersecurity market was hit with a massive sell-off. JFrog stock included.
Back to Chasing Mavericks. One of my favorite quotes in the movie explains the difference between fear and panic:
“Fear is healthy. Panic is deadly.”
This is what Frosty tells Jay when they are diving near a great white shark. Panic leads to reaction without understanding. Fear leads to preparation.
Understanding The Wave
The JFrog Platform is becoming the authoritative control plane of the software supply chain. We don’t just store software packages – binaries and artifacts – for our customers. We automatically scale as agents and AI generate more code. The more autonomous AI becomes, the more binaries it will create. The more binaries created, the more security is required at the gate, and the more governance is needed before deployment to production.
What we’ve seen in recent days reinforces one thing: governance is the key to safer, faster AI adoption. Set aside the Anthropic/Pentagon debate. Regardless of positioning, both sides agree on one point: AI must be governed. Just as a medical company cannot override FDA regulations based on its own ethics, an AI agent cannot operate without the right enforcement.
SaaSpocalypse? AI Everywhere? What Are We Really Seeing?
The world has already divided into three groups of companies:
Group 1 – The Dinosaurs: Companies that have already become irrelevant. AI adoption will replace them and make our lives better and safer.
Group 2 – The Slow Death: Companies that are still relevant today but will experience a slow decline over the next 5–10 years as AI matures and trust in it increases.
Group 3 – AI Powered: Companies built for this moment – positioned to play a critical role in a mixed world of agents and humans.
Why do I believe JFrog is AI Powered?
From day one, JFrog has focused on what we saw as the primary asset of the software supply chain: the binary. We serve thousands of customers, providing software supply chain integrity and governance at scale. JFrog enables customers to enforce security policies at the gate while maintaining full traceability of every artifact – from code to production and back. We power distribution and scalability with trust, and over time, we became the system of record and backbone for compliance.
What if AI companies build this as well?
Let’s unpack that fear…
I won’t argue that AI companies can’t build something. I won’t claim our technology is inherently superior. I won’t even say our customers love us (though they do).
I’ll just stick to the facts.
Universality Matters
The future is multi-agent. No organization will rely on a single AI provider. Some will use OpenAI, others, Anthropic, Google, GitHub Copilot, open-source agents, or all of them. So the question shifts…
- Who becomes the control plane in that world?
- Who sets the policies?
- Who governs across vendors?
This environment demands a single source of truth – one system of record. That is exactly the role JFrog Artifactory plays. It supports all binary types, packages, models, and more. It provides a governed environment for artifacts across their full lifecycle, metadata, dependencies, and distribution.
The Power of the Community
Agents generate code, but open-source software is not going away. Millions of OSS packages power innovation, speed, and cost efficiency.
A healthy software supply chain requires curating binaries at the door. You must ensure your “water isn’t poisoned.” But you also need speed, flexibility and scale.
JFrog Curation acts as the firewall, providing passport control for artifacts entering your software development environment, while enforcing company policy and ensuring compliance with regulatory requirements. Security is further enhanced by JFrog Xray and JFrog Advanced Security, which continuously scan what’s inside the “vault,” whether it’s legacy packages, AI-generated artifacts, or OSS packages cached from npm, PyPI, Docker, or Hugging Face repositories (just to name a few).
Hackers, Race, and Pace
Attackers also use AI agents for their nefarious purposes – and the agents will become faster and more sophisticated over time.
Everyone knows that it’s binaries that reach production; while there may be some scripts, there is certainly no source code. And what part of the software supply chain do attackers target? Production.
JFrog Runtime Security, together with JFrog Advanced Security, protects that environment while maintaining full traceability back to the package and its creator – enabling faster, automated, prioritized, and safer remediation.
DevGovOps – Governance at Scale
When we introduced JFrog AppTrust six months ago, the vision was clear:
DevOps brought speed,
DevSecOps brought trust,
Governance is the next bottleneck!
It must be automated. It must rely on signed artifacts, verified evidence, regulatory compliance, and enforceable policy gates. We call this “DevGovOps.”
As AI increases the need for autonomous governance, JFrog AppTrust is fast becoming the enforcement authority.
AI Inside – The Shadow AI Risk
We once worried about “shadow IT.”
Now we face “shadow AI.”
What agents are developers using? What artifacts were generated outside approved workflows? What’s entering our environment? What is shared outside? What services are being called?
This risk cannot be mitigated by AI oversight alone. True governance must track and secure the binaries themselves: how they were built and what built them. The JFrog Platform with AI Catalog is the single system of record for enterprise AI supply chains. It provides centralized governance and proactive security for all AI workloads, from internal and third-party models to MCP servers. It also tracks AI usage (LLM service calls, for example) and delivers trusted AI applications with speed and control.
The Cloud Shift: Fit-for-Purpose Deployment Environments
Amidst AI-driven change, what are companies to do with their cloud strategies? Hybrid, multi-cloud, on-prem… customers are still determining the most cost-effective and strategic deployment model.
JFrog provides enterprise-scale availability, federation, and the flexibility to run anywhere – aligned with customer policy, budget, and operational needs.
The Best Teachers? Your Customers, Partners, and Community
There is more. Every day brings new partnership opportunities, integrations, and roadmap discussions shaped by AI.
JFrog listens. We observe. We partner.
That’s how we became the database of DevOps, and later the system of record for all binaries.
As Frosty told Jay:
“The more observant you are, over time, you begin to build up a real understanding.”
We became the plumbers of the software supply chain – enabling what we call Liquid Software.
As the tsunami of binaries surges, I’ll leave you with one final quote from Chasing Mavericks:
“Surfing normal waves is about how you perform when everything goes right. Big wave surfing is about how you perform when everything goes wrong.”
Real life isn’t a movie. Our enterprise customers face real challenges. AI is changing nearly everything we know.
Trust cannot be automated. It requires a strong foundation of governance, control, visibility, and security built on a single source of truth.
We built JFrog for this moment.
As we all surf this wave together, we’re proud and honored to be the software supply chain trust layer, the system of record for all binaries, whether human-made or agent-generated.
May the Frog Be with You!

