JFrog Ltd (Nasdaq:FROG), the creators of the JFrog Software Supply Chain Platform, the system of record for trusted software artifacts, binaries, and AI assets, released new research showing that UK organisations are vulnerable. Why? Because most UK organisations are still struggling to verify what they’re shipping and detect rogue AI entering their ecosystem proactively.
The JFrog 2026 Software Supply Chain Security State of the Union report shows that although 60.8% of UK organisations claim full visibility into software provenance in production, 52% still take a week or more to produce compliance evidence for a single application. This shows a lack of operational control and with the volume and velocity of software attacks increasing, this introduces significant business risk.
Similarly, 44% of the organisations surveyed stated that they still rely on manual audits to spot Shadow AI, with only 38.4% having automated detection – 12 points below the 50.5% global average and the lowest automated rate of any European market surveyed.
The pressure on UK organisations to demonstrate software supply chain security has never been greater – driven by escalating regulatory obligations from the EU Cyber Resilience Act and NIS2, plus high-profile security incidents, and customers routinely demanding verifiable proof of what is running in their vendors’ environments before contracts are signed.
“The fact that 60% of UK organisations tell us they have full visibility into their software supply chain, but over half can’t produce the evidence to prove it in under a week is a concern,” said Matthew Parker, RVP, UKI & France at JFrog. “This gap is where real risk lies: not in what you can see, but in what you can demonstrate when it counts. In a threat environment measured in minutes, manual governance simply can’t keep up. Organisations need a trusted system of record that enforces policy, continuously captures evidence and provides immediate and complete responses in line with regulatory requirements and business needs”.
UK leads Europe on governance frameworks, but automated enforcement lags behind
Despite gaps in automation, more than half (52%) of UK organisations maintain and enforce a certified approved developer tool list, the highest rate of any European market surveyed (Germany: 45.8%, Spain: 42.7%, France: 29.6%), and just over 20% higher than the global average (43%). Generally speaking, the UK demonstrates one of the strongest governance postures in the global survey, demonstrated by:
- 100% governance of MCP server access through an approved list, either through automated controls (59.2%) or manual curation (40.8%).
- 79.2% check the inputs and outputs of AI/ML services, the highest of any European nation surveyed and above both European and global averages.
Yet only 32.8% of UK organisations have automated controls in place to monitor and block unapproved developer tools (aka Shadow AI), the lowest rate of any European market surveyed. For more than two thirds (67%), enforcement still depends on manual review. As AI-assisted development accelerates the rate at which new tools and AI services enter the environment, manual oversight cannot keep pace with what is actually running inside it.
Visibility does not always mean audit readiness
The same manual processes driving the gap between governance and enforcement are also slowing the ability to demonstrate governance when it matters most. The inability to produce audit evidence on demand is a business risk that surfaces in crucial moments including a regulatory submission under deadline or an active security incident. Being able to provide immediate, verifiable answers about what is running in the software supply chain and whether it can be trusted is a growing requirement for UK organisations, and one that manual processes alone cannot meet.
To explore the full findings of this year’s Global report and learn how your organisation can close the AI governance gap, download the JFrog 2026 Software Supply Chain Security State of the Union. You can also check out our blog
