The Governance Gap Between Your Policy and Your Pipeline
Blog post from JFrog
The JFrog 2026 Software Supply Chain Security State of the Union report highlights a disparity between organizations' perceived security effectiveness and their actual security coverage, which it terms the "illusion of mastery." Based on an analysis of 18.2 billion artifacts and insights from 1,508 IT professionals, the report finds that confidence in security governance often outpaces actual enforcement, particularly as the software supply chain evolves beyond traditional Java-centric ecosystems. Notable findings include the prevalence of malicious models on platforms such as Hugging Face and the rise of npm over Maven as the most-used package ecosystem. Despite increasing threats, such as the 451% rise in detected malicious npm packages, detection coverage remains stagnant. The report also underscores that governance should be enforced continuously within the pipeline rather than remaining static policy documentation. It urges organizations to adopt pipeline-level controls to close the gap between perceived and actual security postures, highlighting the importance of real-time governance in areas such as AI model artifact governance, developer tooling, secrets detection, and compliance proof generation.