Singapore software security gap exposed in JFrog study

Tue, 9th Jun 2026

JFrog has published research on software supply chain security in Singapore, pointing to a gap between formal security policies and the tools used to enforce them.

The Singapore sample covered 174 respondents as part of a wider survey of 1,508 IT professionals across eight countries. The local findings showed strong governance measures on paper, but weaker controls in the areas where developers and security teams manage day-to-day software and AI risks.

Among the stronger indicators, Singapore ranked highest in the survey for network proxy enforcement at 67%. It also recorded the highest rate of scrutiny of AI-generated fixes, with 71% saying they carefully review such changes.

Against that, the study identified several operational weaknesses. Only 25% of organisations said they had adopted secrets detection, close to the global average of 28%. The report described it as the most underused security control in the dataset relative to the volume of threats.

Audit readiness also emerged as a problem. More than half of respondents, 54%, said they need a week or longer to produce compliance proof for each application, despite 95% saying they track application ownership.

Package approval times were another pressure point. The survey found that 59% of developers in Singapore wait a week or longer for approval to use new open-source packages, the slowest rate in Asia-Pacific in the study.

JFrog also highlighted a shadow AI enforcement gap. It found that 18% of organisations in Singapore have policies against unauthorised AI tools but no way to detect violations, the highest policy-only rate in Asia-Pacific.

Manual strain

The research suggests security teams rely heavily on manual review processes while software development speeds up, especially with AI-assisted coding. In the survey, 60% of Singapore DevSecOps stakeholders said security governance and policy enforcement were their biggest time burden.

Another 41% said reviewing and hardening AI-generated code was a significant drain on resources. Together, those findings indicate a mismatch between the pace of software creation and the speed at which organisations can inspect, approve and document what enters production systems.

JFrog's wider report placed the Singapore findings against a backdrop of growing software supply chain threats. It cited 171,592 malicious npm packages globally, up 451%, alongside 495 weaponised AI models on public registries and 11.7 million new packages entering supply chains.

Those figures matter because modern software teams increasingly depend on third-party components, package repositories and AI-generated suggestions. Delays in approval processes or weak detection controls can encourage staff to bypass formal checks, particularly when business teams are under pressure to ship code quickly.

Governance gap

Sunny Rao, Senior Vice President, APAC, at JFrog, said the findings showed Singapore had already put in place frameworks that many other markets were still debating.

"Singapore has done a lot of hard work in building governance frameworks that most markets are still debating. That foundation is a genuine competitive advantage, but only if their enforcement can keep pace," Rao said.

He added that manual controls were unlikely to keep up with AI-led software development.

"Policies that rely on manual review and human checkpoints cannot keep up with AI-driven development. The organizations that will lead from here are the ones that embed enforcement directly into the pipeline - so that every artifact, every model, and every dependency is curated, scanned, and validated before it ever reaches a developer's machine," Rao said.

The study drew on a mix of JFrog platform usage data, vulnerability analysis from its security research team, and a commissioned survey of full-time security, DevOps and IT professionals. Atomik Research conducted the survey.

Rao said the issue was not a lack of intent, but a lack of systems that make policy checks automatic rather than optional or delayed.

"Every organization in Singapore that has invested in governance frameworks has the right intent. The next step is making those frameworks self-enforcing," Rao said. "That means curating trusted packages and AI models before they reach the pipeline, scanning for exposed secrets automatically rather than hoping developers catch them, and using contextual analysis to focus remediation on the vulnerabilities that actually matter in your environment. When governance is built into the platform, security teams stop being bottlenecks and start being business accelerators."