New research from leading cloud-native software artifact management platform Cloudsmith finds that, despite 93% of respondents’ organizations using AI-generated code, 31% spend 10 hours or less per month validating, auditing, or securing it – including 5% who do not explicitly audit AI code at all. This, and other findings, released today in the Cloudsmith 2026 Artifact Management Report, highlight gaps in how organisations are managing risk across the modern software supply chain.
A rise in software supply chain vulnerabilities
The risks posed by weak software supply chain security have become increasingly clear in the past 12 months. With threat campaigns including Shai Hulud 2.0 and SANDWORM_MODE specifically targeting the software supply chain via upstream repositories, 44% of respondents have experienced a security incident caused by a third-party dependency.
In the same time period, 44% of respondents reported their organisation spent over 50 hours per month investigating potential security issues linked to third-party dependencies, whether or not they resulted in a breach.
Confidence in AI-generated code
Confidence in AI-generated code is also lacking. 58% of respondents spend at least 11 hours per month validating and securing AI-generated code — rising to over 40 hours for 8% of respondents — as teams work to catch hidden dependencies and potential vulnerabilities. In fact, only 17% are very confident that AI is not introducing new vulnerabilities into their codebase.
These concerns are well-founded, as AI is known to introduce risks in software development by generating insecure or incorrect code, including “slopsquatting” – where models hallucinate non-existent package names that attackers can then register and exploit – embedding hidden vulnerabilities that can compromise systems.
Regulation on the horizon
In addition to growing exploitation of third-party dependencies and concerns about the adoption of AI, there are a wider range of issues putting pressure on the software supply chain. With the arrival of new legislation like the EU’s Cyber Resilience Act, companies have an incredibly tight deadline to respond to cyber attacks. This involves the obligation to provide a detailed assessment 48 hours after becoming aware of a breach. To do so, organisations will need to provide provenance data with little to no notice.
Despite this, however, Cloudsmith’s research shows that, if they were hit with a surprise audit tomorrow, 53% of respondents could only produce a comprehensive report of artifact versions, origins, and security attestations with a significant amount of manual effort or time. This is a particularly significant gap, given the number of organisations that are committing AI-generated code to production without understanding exactly how it functions, or why it was created.
An inflection point for the software supply chain
“We are at a huge inflection point in the history of software development,” says Glenn Weinstein, CEO of Cloudsmith. “In a matter of months, we’ve gone from, ‘How can AI help me write better code?’ to, ‘How can I help AI write better code?’ But at the same time, AI tools are expanding the attack surface, introducing more open source dependencies. And those same tools are being used by malicious actors to find more vulnerabilities in existing libraries, leading to more CVEs.”
He continues: “Agentic development is an incredibly powerful way to build software, and teams will be far more productive and write even more software as a result. That is a good thing, because the world certainly needs more software and more automation! For enterprises to manage this new velocity and productivity, automated guardrails and context are the new keys to unlock the production of safer, more efficient code.”
In addition to these findings, the Cloudsmith 2026 Artifact Management Report also reveals respondents’ plans for the future. The top three challenges respondents expect to face this year are:
Ensuring builds and releases remain available during spikes and third-party outages (21%).
Meeting new regulatory standards (NIS2, FedRAMP) and securing the supply chain (20%)
Reducing cloud spend and consolidating toolchains (19%).
Meanwhile, the top three areas in which respondents plan to increase investment are:
Security Scanning (SCA/SAST) (29%).
AI/ML Ops Infrastructure (29%).
Internal Developer Portal (IDP) (13%).
To download the report, visit here.
A recent podcast with Glenn Weinstein can be heard here.
See more stories here.
More about Irish Tech News
Irish Tech News are Ireland’s No. 1 Online Tech Publication and often Ireland’s No.1 Tech Podcast too.
You can find hundreds of fantastic previous episodes and subscribe using whatever platform you like via our Anchor.fm page here: https://anchor.fm/irish-tech-news
If you’d like to be featured in an upcoming Podcast email us at [email protected] now to discuss.
Irish Tech News have a range of services available to help promote your business. Why not drop us a line at [email protected] now to find out more about how we can help you reach our audience.
You can also find and follow us on Twitter, LinkedIn, Facebook, Instagram, TikTok and Snapchat.