UK organisations claim high levels of visibility into their software supply chains yet struggle to convert those assertions into rapid compliance proof.
The JFrog 2026 Software Supply Chain Security State of the Union report, which surveyed more than 1,500 security and DevOps professionals across eight countries, found that 60.8 percent of UK respondents stated they possessed full visibility into software provenance in production. At the same time 52 percent reported that producing compliance evidence for a single application took a week or more. Ten percent of organisations globally needed a full month.
These figures arrive against a backdrop of accelerating supply chain risk. The report documented a 67 percent year-on-year rise in new packages entering software ecosystems in 2025, while only 40 percent of organisations possessed tools capable of detecting malicious packages that year.
Leadership in governance, lag in automation
UK firms stand out in Europe on several governance metrics. 52 percent enforce an approved developer tool list, the highest proportion on the continent. 79.2 percent check inputs and outputs of AI and machine learning models, again leading their European peers. Every UK organisation surveyed governs MCP server access through an approved list.
Yet automation trails. 44 percent of UK organisations rely on manual audits for Shadow AI, and just 38.4 percent have automated detection for it, the lowest rate among European markets covered. Only 32.8 percent maintain automated controls for unapproved tools, also the weakest European performance, while 67 percent continue to use manual processes in that area.
The contrast reveals a machinery that records policy on paper more readily than it enforces it at machine speed. Enterprises assert oversight but default to human-scale reviews when regulators or customers demand evidence.