The Governance Gap Between Your Policy and Your Pipeline

Security teams are under more pressure than ever, and most of them believe they’re keeping up. That confidence, it turns out, may be the most consequential finding in the JFrog 2026 Software Supply Chain Security State of the Union.

Across 18.2 billion artifacts analyzed, independent vulnerability research from the JFrog Security Research team, and a survey of 1,508 professionals across eight countries, one pattern surfaces again and again: organizations consistently report stronger security postures than their actual coverage can justify. We call this the illusion of mastery. Understanding it is the first step toward closing the gap.

What is the AI Governance Gap?

The AI governance gap is not carelessness. Nor is it ignorance. It’s something more insidious: it’s what happens when governance confidence outpaces governance enforcement, when security investment accumulates in the wrong layers, and when the people running the tools and the people buying them describe the same organization in fundamentally different terms.

One example from this year’s data: 97% of organizations claim certified AI model governance. JFrog Security Research found 495 malicious models on Hugging Face alone, the same registry nearly 1 in 5 organizations are actively pulling from. A certified list that isn’t scanned for malicious payloads isn’t a security control; it’s a list of names. The confidence is real. So is the exposure. The distance between them is the risk.

This pattern repeats across the entire report. It shows up in compliance proof generation, in secrets detection adoption, and in how organizations govern the IDE extensions and MCP servers their developers use every day. The JFrog 2026 Software Supply Chain Security report maps exactly where the gaps are and, more importantly, explains why they persist.

Why the Gap is Wider Than You Think

The gap between reported confidence and actual coverage isn’t evenly distributed. It clusters in three specific places that the 2026 report examines in depth.

The tools haven’t kept up with the stack. For the first time in this report’s history, npm overtook Maven as the most-used package ecosystem by request volume. PyPI passed YUM. Meanwhile, Hugging Face published 1.4 million new packages in 2025 — the second largest source of new packages of any registry JFrog tracks, behind only Docker Hub’s 2.2 million. The security tooling most enterprises have in place was built for a Java-centric, package-registry world. The supply chain has moved. Many of the defenses haven’t.

Volume is the wrong metric for risk. JFrog’s Security Research team re-rated every high-profile CVE it analyzed in 2025 against real-world exploitability, not theoretical severity. The result: 96% of CVEs rated Critical by the NVD were downgraded by JFrog, up from 88% in 2024. On the other side of the ledger, 171,592 malicious npm packages were detected last year, a 451% increase from 2024, yet malicious package detection sits at just 40% of organizations, which is flat from the year before. Threat volume hit an all-time high. Detection coverage didn’t move. That’s the illusion of mastery in action.

The attack surface moved to where developers work. Forty-five percent of DevSecOps teams now cite reviewing and hardening AI-generated code as a top time burden — a category that didn’t even exist in last year’s survey. CI/CD pipelines have become active targets for supply chain attacks. IDE extensions have been weaponized. MCP servers carry live RCE vulnerabilities. JFrog found 56 malicious IDE extensions on OpenVSX and identified a CVSS 9.6 RCE vulnerability in mcp-remote, yet only 57% of organizations govern MCP usage through automated controls — the rest rely on manual lists that don’t update when new vulnerabilities are disclosed. Eighteen percent of organizations have no active governance over the tools living inside their developers’ environments. The infection point has moved upstream, before code is even written.

Three Numbers That Define the Problem

The 2026 report is built on three pillars of data: JFrog platform usage data from thousands of enterprise environments, independent security research, and survey responses from 1,508 IT professionals. That combination is what makes the illusion of mastery visible: you need both the pipeline data and the human data to see the gap between them.

Here are a few numbers that capture the problem precisely:

  • 59% of organizations report full provenance visibility in production. Yet 48% still take a week or more to generate compliance audit proof per application, and 10% take a month or more. Full visibility should mean fast proof generation. The fact that it doesn’t suggests that “full visibility” means the data exists somewhere, not that it’s structured for on-demand access.
  • 28% of organizations have secrets detection active – the lowest adoption rate of any named security category in the survey. JFrog found 17,637 exposed tokens in public binary repositories in 2025. Of those, 3,260 were still active at the time of discovery. The highest active rate? Hugging Face tokens, at 87%.
  • 23% of developers say they would treat an AI-suggested security fix as near-definitive, requiring only a quick review before implementing it. This isn’t necessarily wrong. The question is whether the AI tool they’re trusting is operating inside a governed pipeline, or outside it.

None of these numbers say organizations aren’t trying. They say the effort is real, but the coverage is incomplete. The goal of this report is to show exactly where.

What Does This Mean for Your Team?

This year’s survey shows the share of organizations using seven or more security tools dropped from 73% to 35% — a consolidation trend that one might expect to reduce alert fatigue and close coverage gaps from fragmented point solutions. However, the gaps that matter most didn’t close alongside it. Malicious package detection is flat. Secrets detection debuted in the survey at its lowest level. Fewer tools didn’t mean better coverage.

What separates organizations that feel secure from those that actually are comes down to a single question: Is your governance running continuously in the pipeline, at the point where every artifact enters and exits, or does it live in a policy document?

The 2026 report identifies four layers where this question has the clearest answers:

  1. AI model artifact governance
  2. Developer tooling and MCP server governance
  3. Secrets detection at the binary level
  4. Compliance proof generation on demand

In each layer, the gap between what organizations claim and what the data shows is specific, measurable, and actionable.

These aren’t hypothetical risks. The GlassWorm attack in October 2025 compromised seven VS Code extensions, harvested credentials, and deployed a remote access trojan across approximately 35,800 installs. The S1ngularity campaign leaked 83,000 secrets using eight packages and a single misconfigured CI/CD workflow. The biggest supply chain events of 2025 weren’t the largest by volume; they were the most precisely targeted.

How JFrog Sees What Others Can’t

The JFrog Platform processes data across 60+ package types, including AI model artifacts, IDE extensions, and MCP servers — the three new attack surfaces tracked for the first time in this year’s report. As the system of record for more than 80% of the Fortune 100, the JFrog Platform holds 18.2 billion artifacts across JFrog SaaS customers at year-end 2025.

That scale is what makes the illusion of mastery visible. Survey data alone can only tell you what organizations believe about their security posture. Platform data tells you what’s actually moving through their pipelines. The gap between the two is the story told in this report.

Closing these gaps requires controls that operate at the pipeline level, not the policy level:

  • JFrog Curation blocks malicious packages, models, and IDE extensions at ingestion, before they reach a developer’s machine.
  • JFrog Xray re-rates CVEs based on real-world exploitability in your specific environment, not the theoretical NVD score.
  • JFrog Advanced Security scans for secrets at the binary level, catching exposed tokens that source-code-only scanners miss.
  • JFrog AppTrust makes compliance evidence available on demand, closing the gap between claiming full provenance visibility and being able to prove it.

Ready to See the Full Picture?

The JFrog 2026 Software Supply Chain Security report covers all of this and more. The supply chain isn’t just growing. It’s changing in kind: in which ecosystems carry the most risk, in how attackers are moving upstream, and in where the confidence-coverage gap is most likely to be exploited next.

The organizations that close that gap are the ones treating governance as a pipeline property, not a documentation exercise. The data to understand where your organization stands is in the report. Download the report to see the full picture.

If you’re ready to take action, schedule a demo, take an online tour, or start a free trial of the JFrog Software Supply Chain Platform.