Singapore organisations lead Asia-Pacific in cybersecurity policy and AI governance on paper — yet a new report from JFrog reveals a systemic enforcement gap that leaves enterprises exposed in the areas most actively targeted by attackers.
Singapore findings from JFrog’s 2026 Software Supply Chain Security State of the Union report — drawn from 174 local respondents in a global survey of 1,508 IT professionals — show that 95 per cent of organisations claim to track application ownership, yet 54 per cent need a week or more to produce compliance proof for a single application. The contradiction points to data that exists but is not structured or accessible on demand.
Enforcement Gaps Across Key Controls
Singapore leads all eight surveyed nations in network proxy enforcement (67 per cent) and scores the highest rate of careful review of AI-suggested code fixes (71 per cent). But the same data reveals four consistent enforcement blind spots. Eighteen per cent of Singapore organisations have policies against unauthorised AI tools but no mechanism to detect violations — the highest “policy-only” rate in Asia-Pacific. Only 25 per cent have adopted secrets detection, the most under-deployed security control relative to threat volume. Fifty-nine per cent of developers wait a week or more for open-source package approvals — the slowest rate in the region — creating pressure to work around controls. And 60 per cent of DevSecOps stakeholders cite governance and policy enforcement as their top time burden.
“Singapore has done a lot of hard work in building governance frameworks that most markets are still debating. That foundation is a genuine competitive advantage, but only if their enforcement can keep pace. Policies that rely on manual review and human checkpoints cannot keep up with AI-driven development.” — Sunny Rao, SVP APAC, JFrog
Machine-Speed Development Needs Machine-Speed Governance
The report situates Singapore’s gap in a global context of accelerating supply chain attacks: 171,592 malicious npm packages were recorded globally in the past year (up 451 per cent), alongside 495 weaponised AI models on public registries and 11.7 million new packages entering supply chains. Against this backdrop, organisations fighting machine-speed threats with human-speed review processes face an inevitably widening gap between governance intent and operational reality.
The full report is available at jfrog.com.


