
Singapore organisations rank among the most rigorous in the Asia-Pacific region when it comes to cybersecurity governance, yet a significant gap persists between policy intent and operational enforcement, according to new findings from JFrog’s 2026 Software Supply Chain Security State of the Union report.
The report, which surveyed 1,508 IT professionals across eight countries — including 174 respondents based in Singapore — paints a nuanced picture of a market that has invested heavily in governance frameworks but lacks the tooling to make them self-enforcing.
The findings arrive against a backdrop of escalating global threats. Malicious packages uploaded to the npm registry surged 451 per cent year-on-year to 171,592, while 495 weaponised AI models were detected on public registries. A further 11.7 million new packages entered software supply chains over the same period.
On several headline measures, Singapore performed well. The country led all eight surveyed nations on network proxy enforcement, with 67 per cent of organisations applying controls at that layer. Additionally, 71 per cent of Singapore respondents said they carefully review AI-suggested code fixes before implementation — the highest rate of AI scrutiny recorded in the dataset.
However, those strengths are offset by a series of structural vulnerabilities.
Audit readiness emerged as a particular concern. While 95 per cent of Singapore organisations claim to track application ownership, 54 per cent said they would need a week or more to produce compliance documentation for a single application on demand, suggesting that data exists in principle but is not structured for rapid retrieval.
Open-source software approval processes also lag the region. Some 59 per cent of developers in Singapore wait a week or more for new package approvals to be granted, the slowest rate recorded across the APAC markets surveyed.
The report also identified a notable blind spot around so-called “shadow AI tools”. Eighteen per cent of Singapore organisations have formal policies prohibiting the use of unauthorised AI tools, yet have no technical mechanism to detect when those policies are violated — the highest “policy-only” rate in APAC.
Secrets detection, a control designed to identify exposed credentials and API keys embedded in code, remains significantly underdeployed. Only 25 per cent of Singapore organisations have adopted the capability, a figure broadly in line with the global average of 28 per cent.
Human review cannot match development speed
The report highlights the operational strain created by relying on manual processes to govern AI-accelerated development workflows. Sixty per cent of Singapore DevSecOps stakeholders identified security governance and policy enforcement as their primary time burden, while 41 per cent cited the review and hardening of AI-generated code as a significant drain on resources.
Sunny Rao, senior vice president of Asia-Pacific at JFrog, said the findings reflected a common transition point for mature markets.
“Singapore has done a lot of hard work in building governance frameworks that most markets are still debating,” Rao said. “Policies that rely on manual review and human checkpoints cannot keep up with AI-driven development. The organisations that will lead from here are the ones that embed enforcement directly into the pipeline — so that every artefact, every model, and every dependency is curated, scanned, and validated before it ever reaches a developer’s machine.”
JFrog’s report points to automated, platform-level enforcement as the recommended path forward — including pre-vetted package curation, automated secrets scanning, and contextual vulnerability analysis to prioritise remediation efforts based on actual deployment environments.
The full report is drawn from JFrog’s global survey of 1,508 IT professionals conducted across eight countries in 2026.
The post Singapore leads on security governance but struggles to enforce it, report finds appeared first on e27.
