Technology

JFrog report exposes gaps between UK software supply chain visibility claims and audit speed

UK organisations assert strong oversight of their software provenance yet half require a week or longer to generate compliance evidence, according to new JFrog data. The findings point to persistent shortfalls in automation despite leadership in select governance practices, underscoring the need for enterprises to strengthen internal tooling rather than await external mandates.
Listen
AI-generated image: JFrog report exposes gaps between UK software supply chain visibility claims and audit speed
AI-generated image for illustrative purposes.
Intelligent summary
  • 60.8 percent of UK organisations claim full visibility into software provenance yet 52 percent take a week or more to produce compliance evidence.
  • UK leads Europe in enforcing approved developer tools and checking AI model inputs and outputs but records the lowest automation rates for Shadow AI detection.
  • The findings emphasise enterprise responsibility to deploy trusted internal systems rather than depend on further government regulation.

UK organisations claim high levels of visibility into their software supply chains yet struggle to convert those assertions into rapid compliance proof.

The JFrog 2026 Software Supply Chain Security State of the Union report, which surveyed more than 1,500 security and DevOps professionals across eight countries, found that 60.8 percent of UK respondents stated they possessed full visibility into software provenance in production. At the same time 52 percent reported that producing compliance evidence for a single application took a week or more. Ten percent of organisations globally needed a full month.

These figures arrive against a backdrop of accelerating supply chain risk. The report documented a 67 percent year-on-year rise in new packages entering software ecosystems in 2025, while only 40 percent of organisations possessed tools capable of detecting malicious packages that year.

Leadership in governance, lag in automation

UK firms stand out in Europe on several governance metrics. 52 percent enforce an approved developer tool list, the highest proportion on the continent. 79.2 percent check inputs and outputs of AI and machine learning models, again leading their European peers. Every UK organisation surveyed governs MCP server access through an approved list.

Yet automation trails. 44 percent of UK organisations rely on manual audits for Shadow AI, and just 38.4 percent have automated detection for it, the lowest rate among European markets covered. Only 32.8 percent maintain automated controls for unapproved tools, also the weakest European performance, while 67 percent continue to use manual processes in that area.

The contrast reveals a machinery that records policy on paper more readily than it enforces it at machine speed. Enterprises assert oversight but default to human-scale reviews when regulators or customers demand evidence.