The 2026 software supply chain security gap

AI-generated code is now nearly universal. Enforcement is not. That gap is where your software supply chain is most exposed.

Cloudsmith's CEO Glenn Weinstein, Co-Founder & CTO Lee Skillen, and VP of Product Alison Sickelka join Product Marketing Manager Meghan McGowan to unpack the 2026 State of Artifact Management report – a survey-based look at how AI development is reshaping the threat landscape, what organizations are getting wrong, and what the highest-leverage fix actually looks like.

93% of organizations now use AI-generated code. Only 17% have automated scanning to catch AI-specific risks like hallucinated dependencies and malicious model weights. 74% lack the visibility to produce audit reports quickly – a real problem with the EU Cyber Resilience Act's September 2026 enforcement deadline approaching. This session covers the data behind those numbers and the architectural shift that closes the gap: a unified control plane that governs Python packages, Docker containers, and ML models under the same policy engine.

Chapters

0:00 - Intro

1:28 - Why now is the time for artifact management

3:30 - From AI-assisted coding to AI-led software development

7:15 - The software supply chain in 2026 – what's changed under the hood

10:15 - The enforcement gap: detection vs. automated security gatekeeping

12:55 - AI-specific risks: hallucinated dependencies, model weights, and slopsquatting

15:54 - Moving from trust-then-verify to verify-then-trust

17:55 - Why a unified control plane is the answer to siloed governance

19:30 - Risks of conflating reputation and trust

21:38 - How the control plane helps with compliance

24:45 - How to think about supply chain security with the rise of consolidated AI power in the enterprise

27:55 - The EU Cyber Resilience Act: what the September 2026 deadline means

32:40 - The highest-leverage investment for platform engineering teams

36:18 - The craft of programming – Where does human judgment sit in the Age of AI?

39:10 - Hallucinated dependencies - how common are they, really?

42:20 - On-prem vs. cloud-native artifact management

🔗 Links
Download the 2026 Artifact Management Report: https://cloudsmith.com/campaigns/2026-artifact-management-report

Webinar archive: https://cloudsmith.com/events/on-demand-webinars

Book a demo to see how Cloudsmith's unified control plane works in practice: https://cloudsmith.com/book-a-demo
