New research from leading cloud-native software artifact management platform Cloudsmith finds that, despite 93% of respondents’ organizations using AI-generated code, 31% spend 10 hours or less per month validating, auditing, or securing it—including 5% who do not explicitly audit AI code at all. This, and other findings, released today in the Cloudsmith 2026 Artifact Management Report, highlight gaps in how organizations are managing risk across the modern software supply chain.
A rise in software supply chain vulnerabilities
The risks posed by weak software supply chain security have become increasingly clear in the past 12 months. With threat campaigns including Shai Hulud 2.0 and SANDWORM_MODE specifically targeting the software supply chain via upstream repositories, 44% of respondents have experienced a security incident caused by a third-party dependency.
In the same time period, 44% of respondents reported their organization spent over 50 hours per month investigating potential security issues linked to third-party dependencies, whether or not they resulted in a breach.
READ MORE: Competing Globally with AI: Why Northern Ireland SMEs Can’t Sit Out The AI Wave
Confidence in AI-generated code
Confidence in AI-generated code is also lacking. 58% of respondents spend at least 11 hours per month validating and securing AI-generated code—rising to over 40 hours for 8% of respondents—as teams work to catch hidden dependencies and potential vulnerabilities. In fact, only 17% are very confident that AI is not introducing new vulnerabilities into their codebase.
These concerns are well-founded, as AI is known to introduce risks in software development by generating insecure or incorrect code, including “slopsquatting”—where models hallucinate non-existent package names that attackers can then register and exploit—embedding hidden vulnerabilities that can compromise systems.
Regulation on the horizon
In addition to growing exploitation of third-party dependencies and concerns about the adoption of AI, there are a wider range of issues putting pressure on the software supply chain. With the arrival of new legislation like the EU’s Cyber Resilience Act, companies have an incredibly tight deadline to respond to cyber attacks. This involves the obligation to provide a detailed assessment 48 hours after becoming aware of a breach. To do so, organizations will need to provide provenance data with little to no notice.
Despite this, however, Cloudsmith’s research shows that, if they were hit with a surprise audit tomorrow, 53% of respondents could only produce a comprehensive report of artifact versions, origins, and security attestations with a significant amount of manual effort or time. This is a particularly significant gap, given the number of organizations that are committing AI-generated code to production without understanding exactly how it functions, or why it was created.
An inflection point for the software supply chain
“We are at a huge inflection point in the history of software development,” says Glenn Weinstein, CEO of Cloudsmith. “In a matter of months, we’ve gone from, ‘How can AI help me write better code?’ to, ‘How can I help AI write better code?’ But at the same time, AI tools are expanding the attack surface, introducing more open source dependencies. And those same tools are being used by malicious actors to find more vulnerabilities in existing libraries, leading to more CVEs.”
He continues: “Agentic development is an incredibly powerful way to build software, and teams will be far more productive and write even more software as a result. That is a good thing, because the world certainly needs more software and more automation! For enterprises to manage this new velocity and productivity, automated guardrails and context are the new keys to unlock the production of safer, more efficient code.”
READ MORE: Advances in AI signal changes for internet search, marketing, recruitment and more
In addition to these findings, the Cloudsmith 2026 Artifact Management Report also reveals respondents’ plans for the future. The top three challenges respondents expect to face this year are:
Meanwhile, the top three areas in which respondents plan to increase investment are
To download the report, visit here.
Read the Spring 2026 edition free online →
Stay connected with NI's tech community:
