The 2026 Artifact Management Report

As AI-generated code becomes the norm, the systems responsible for securing, governing, and delivering software artifacts are under unprecedented strain.

The 2026 Artifact Management Report examines the structural vulnerabilities now embedded in modern development pipelines, and the operational, regulatory, and architectural responses required to address them.

There is an enforcement gap: detection without action

Organizations have made meaningful investments in vulnerability visibility, but visibility alone does not constitute security.

Many can determine soon after disclosure whether a specific vulnerability affects their environment, yet only a minority have automated security policies in place to act on that information. The majority still rely on manual investigation and remediation, an approach that does not scale with the speed and volume of AI-assisted development, or with the reporting timelines mandated by emerging regulation.

Key figures (numeric values not captured in this copy): share of teams that can identify vulnerable dependencies within six hours of disclosure; share that automatically enforce security policies using that data.

AI adoption has outpaced governance frameworks

AI-generated code is now near-universal in professional software development, with the vast majority of organizations using it to accelerate delivery. The security implications are significant and remain under-addressed.

AI coding agents introduce dependencies that have not been vetted against organizational risk tolerances, while hallucinated package references, a known failure mode of large language models, create new vectors for supply chain compromise. At the same time, AI/ML models have themselves become a primary artifact type, yet only a small minority of organizations govern these models with the same security policies and provenance tracking they apply to traditional binaries.

The result is a fragmented control plane: AI is generating more of the software supply chain while remaining largely outside the governance systems designed to secure it.

Key figure (numeric value not captured in this copy): share of organizations that use AI to accelerate software development; most of them lack governance policies to validate AI-generated dependencies or artifacts.

Dependency risk is rising

Modern applications are compositional by design, with the average application now containing more than 1,200 dependencies, each an artifact with its own provenance, maintenance history, and vulnerability surface.

Over the past 12 months, a significant proportion of organizations have experienced dependency-related security incidents or near misses. Encountering a compromised or vulnerable dependency is no longer a tail risk but a baseline operating condition.

Key figures (numeric values not captured in this copy): number of dependencies included in the average application; share of organizations that experienced a dependency-related security incident; share that reported a near miss.

Compliance pressure is increasing

The EU Cyber Resilience Act enters enforcement in September 2026, establishing strict, time-bound reporting requirements for actively exploited vulnerabilities, from early warning through to final reporting after corrective action.

While most organizations now generate SBOM data, only a minority feed SBOMs into automated security gatekeeping. For the majority, SBOMs remain static compliance artifacts rather than operational tools, a posture that is directly incompatible with the Act's requirements.

Confidence is also low when it comes to passing an unannounced software supply chain audit, highlighting a clear gap between compliance activity and true operational readiness.
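The gap described in this section and in the enforcement-gap section above is the step from "we have an SBOM and an advisory feed" to "the pipeline decides". The following is an added illustration, not code from the report or its publisher: it parses a constructed CycloneDX-style SBOM, matches each component against a constructed advisory feed (the `ADV-EXAMPLE-*` identifiers and `example-*` packages are placeholders, not real CVEs or projects), and returns a block/allow verdict that a CI gate can act on. The policy knobs are assumptions for the example: block at a severity threshold, and always block on an advisory flagged as actively exploited, since that is the condition that starts a regulatory reporting clock.

```python
import json
from dataclasses import dataclass, field

# Constructed CycloneDX-style SBOM (sample data for this example, not a real build).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "purl": "pkg:npm/example-widgets@1.2.3"},
        {"type": "library", "purl": "pkg:pypi/example-httpclient@2.19.0"},
        {"type": "library", "purl": "pkg:maven/org.example/example-logger@2.14.1"},
        # Models are artifacts too and go through the same gate.
        {"type": "machine-learning-model", "purl": "pkg:generic/example-classifier@0.9.0"},
    ],
})

# Constructed advisory feed. IDs and packages are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "pkg:pypi/example-httpclient",
     "affected_below": "2.20.0", "severity": "high", "exploited": False},
    {"id": "ADV-EXAMPLE-0002", "package": "pkg:maven/org.example/example-logger",
     "affected_below": "2.15.0", "severity": "critical", "exploited": True},
    {"id": "ADV-EXAMPLE-0003", "package": "pkg:npm/example-widgets",
     "affected_below": "1.0.0", "severity": "medium", "exploited": False},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def split_purl(purl: str) -> tuple[str, str]:
    """Split 'pkg:type/namespace/name@version' into (package, version).
    Qualifiers ('?...') and subpaths ('#...') are stripped first."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    package, _, version = base.rpartition("@")
    if not package:  # no '@' present: version unknown
        return base, ""
    return package, version


def version_key(version: str) -> tuple[int, ...]:
    """Numeric tuple for ordering; non-numeric segments compare as 0."""
    parts = []
    for seg in version.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass
class Finding:
    advisory: str
    purl: str
    severity: str
    exploited: bool


@dataclass
class Verdict:
    allowed: bool
    findings: list[Finding] = field(default_factory=list)
    blocking: list[Finding] = field(default_factory=list)


def evaluate_sbom(sbom_json: str, advisories: list[dict],
                  block_at: str = "high", block_exploited: bool = True) -> Verdict:
    """Match every SBOM component against the advisory feed and apply policy:
    block when a finding's severity is at or above `block_at`, or when the
    advisory is flagged as actively exploited. Unknown versions fail closed."""
    sbom = json.loads(sbom_json)
    verdict = Verdict(allowed=True)
    threshold = SEVERITY_RANK[block_at]
    for component in sbom.get("components", []):
        purl = component.get("purl", "")
        package, version = split_purl(purl)
        for adv in advisories:
            if adv["package"] != package:
                continue
            # A version at or above the fix boundary is not affected.
            if version and version_key(version) >= version_key(adv["affected_below"]):
                continue
            finding = Finding(adv["id"], purl, adv["severity"], adv["exploited"])
            verdict.findings.append(finding)
            if SEVERITY_RANK[finding.severity] >= threshold or (block_exploited and finding.exploited):
                verdict.blocking.append(finding)
    verdict.allowed = not verdict.blocking
    return verdict


if __name__ == "__main__":
    verdict = evaluate_sbom(SBOM_JSON, ADVISORIES)
    for f in verdict.findings:
        print(f"{f.advisory}: {f.purl} ({f.severity}, exploited={f.exploited})")
    print("ALLOW" if verdict.allowed else "BLOCK")
```

The point of returning a structured `Verdict` rather than printing is that the same object can fail the pipeline stage, open a ticket, and seed the early-warning report, which is what turns the SBOM from a compliance artifact into an operational control. Components without a version are treated as affected so a malformed SBOM cannot slip through the gate.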

Key figures (numeric values not captured in this copy): share of teams that generate SBOMs; share that actually use them in automated security policies.

Legacy infrastructure imposes a measurable operational cost

Most organizations operate artifact management systems that were not designed for the scale, distribution, or threat environment of AI-accelerated development. The consequences are clear: distributed team members frequently experience performance issues, and many teams are forced to manually provision infrastructure in response to usage spikes.

This operational overhead, which the report terms the "operational tax", diverts engineering resources away from high-value work and compounds existing security exposure. Organizations most resistant to infrastructure modernization often cite security as their rationale, while continuing to run systems that are among their greatest architectural vulnerabilities.

Key figures (numeric values not captured in this copy): share of organizations using artifact management systems not built for AI-driven scale, distribution, or security; share of distributed team members who experience frequent performance issues; share that manually provision infrastructure in response to usage spikes.

The 2026 Artifact Management Report explores how engineering teams are responding to AI-driven development, rising supply chain attacks, and new regulatory requirements.