Singapore Leads APAC on AI Policy But Enforcement Gaps Persist

Deputy Prime Minister Heng Swee Keat launches Singapore’s Safer Cyberspace Masterplan 2020

Singapore organisations rank among Asia Pacific’s most advanced on AI governance policy, but a new report from JFrog exposes a consistent failure to translate those policies into operational enforcement — leaving enterprises exposed in the areas where software supply chain attacks are most likely to occur.

The findings come from the 2026 JFrog Software Supply Chain Security State of the Union report, which surveyed 1,508 IT professionals globally, including 174 respondents in Singapore. The results reveal what JFrog calls a “striking contradiction”: Singapore leads all eight surveyed nations on network proxy enforcement at 67 per cent, and has the highest rate of critical AI scrutiny in the dataset, yet critical enforcement tooling remains severely under-deployed.

Policy Without Enforcement

The data paints a picture of governance frameworks outpacing the operational reality. While 95 per cent of Singapore organisations claim to track application ownership, 54 per cent still require a week or more to produce compliance proof for a single application — suggesting the underlying data exists but is not structured or accessible on demand.

Other gaps are equally stark. Eighteen per cent of Singapore organisations have policies prohibiting unauthorised AI tools but have no mechanism to detect violations — the highest “policy-only” rate in APAC. Only 25 per cent have adopted secrets detection, despite exposed credentials representing one of the most common software supply chain attack vectors. And 59 per cent of developers wait a week or more for open-source package approvals, the slowest rate in the region, creating conditions where teams may seek workarounds rather than wait for clearance.

“Singapore has done a lot of hard work in building governance frameworks that most markets are still debating. That foundation is a genuine competitive advantage, but only if their enforcement can keep pace. Policies that rely on manual review and human checkpoints cannot keep up with AI-driven development.” — Sunny Rao, SVP APAC, JFrog

The Shadow AI Problem

The report situates Singapore’s enforcement gap within a broader global context of record-high supply chain attacks: 171,592 malicious npm packages detected in the survey period (up 451 per cent), 495 weaponised AI models found on public registries, and 11.7 million new packages entering supply chains. Against this backdrop, Singapore’s shadow AI blind spot — policies without detection — represents a structural vulnerability as AI agents and open-source components become embedded in developer workflows.

JFrog found that 60 per cent of Singapore DevSecOps stakeholders cite security governance and policy enforcement as their top time burden, while 41 per cent identify reviewing and hardening AI-generated code as a significant resource drain. The company argues that making governance self-enforcing — through automated secrets scanning, curated package registries, and contextual vulnerability analysis — is the next frontier for Singapore’s security posture.
