The AI landscape doesn't move in one direction — it lurches. Some techniques leap from experiment to table stakes in a single quarter; others stall against regulatory walls, technical ceilings, or organisational inertia that no amount of hype can dislodge. Knowing which is which is the hard part. The State of Play cuts through the noise with a rigorously maintained index of AI techniques across every major business domain — classified by maturity, evidenced by real-world adoption, and updated daily so you always know where you stand relative to the field. Stop guessing. Start knowing.
A daily newsletter distilling the past two weeks of movement in a domain or two — delivered to your inbox while the index updates in the background.
Each dot marks the weighted maturity of practices within a domain — hover for a brief summary, click for more detail
AI monitoring of software supply chains for compromised dependencies, typosquatting, and injection attacks. Includes SBOM analysis and dependency reputation scoring; distinct from dependency management in software engineering which patches rather than monitors.
Supply chain security monitoring uses SBOMs, dependency reputation scoring, and real-time integrity checks to detect compromised packages, typosquatting, and injection attacks before they reach production. The threat driving adoption is no longer theoretical -- supply chain attacks have doubled in frequency and malicious open-source packages now exceed 1.2 million -- yet the practice remains bleeding-edge because its foundational tooling is unreliable. Research shows SBOM generators can disagree by thousands of CVEs on the same container image, and fewer than half of organizations report strong visibility into their dependency chains. Large enterprises with regulatory obligations are deploying commercial platforms and documenting real ROI, but the gap between what these tools promise (transparency, auditability, fast incident response) and what they deliver at scale keeps most organizations in reactive mode. The emerging frontier -- monitoring AI model dependencies, developer-desktop components, and CI/CD pipeline integrity -- extends well beyond what current SBOM-centric workflows can cover.
The tooling that underpins supply chain monitoring is fundamentally unreliable, as demonstrated by both research and real-world attacks. A study of 2,313 Docker images found that swapping one SBOM generator for another (Syft vs. Trivy) changed reported vulnerability counts by up to 5,456 CVEs per image, with 43.7% of images triggering outright tool failures. No generator-analyzer pairing proved consistently dependable. That finding casts doubt on any monitoring workflow that treats SBOM output as ground truth.
March 2026 brought a cascade of supply chain attacks that exposed monitoring gaps at organizational boundaries. In twelve days, five coordinated campaigns compromised critical infrastructure tools: Trivy and Aqua Security (GitHub Actions tag hijacking via pull_request_target misconfiguration, affecting 1,000+ cloud environments), LiteLLM on PyPI (Python .pth file auto-execution invisible to traditional scanning, compromising 2,337 downstream packages including Google ADK, DSPy, and MLflow), and Axios npm (account takeover with platform-specific RAT payloads and C2 persistence). Each attack exposed architectural vulnerabilities in composition: when authorized operations chain together, they can produce unauthorized outcomes. Developer desktop components (stolen CI credentials) became the vector. Behavior-based automated monitoring systems from vendors like SafeDep and Cynet detected and blocked many of these campaigns in real-time -- evidence that monitoring tools can scale -- but the very organizations running these tools (Trivy, Checkmarx) became vectors themselves when their CI/CD credentials were compromised.
Enterprise platforms tell a more encouraging story -- but only for organizations that can afford them. A Forrester study of JFrog Platform deployments documented 282% ROI, a 65% reduction in critical vulnerabilities, and remediation times dropping from 80+ days to 8 hours. A large digital services provider used JFrog Curation to block 80+ malicious npm package versions proactively. Sonatype's 2026 data shows open-source malware grew 75% year-over-year to 1.233 million packages across 9.8 trillion downloads. These results are real, though access barriers persist: JFrog Xray requires a paid Artifactory subscription with no standalone option, limiting reach to well-resourced teams.
The attack surface is now outpacing what repository-centric monitoring can see. Traditional SBOM-based monitoring is blind to nearly one-third of exploitable vulnerabilities -- those hidden in transitive dependency layers. AI model dependencies, developer-desktop components, and CI/CD pipeline integrity fall outside current scope. Regulatory mandates from CISA, the EU CRA, and India's CERT-In now require SBOM production, but generating an SBOM is the solved problem. The unresolved ones -- generator consistency, complete transitive dependency capture, behavior-based zero-day detection, AI supply chain visibility, and CI/CD enforcement that cuts mean remediation time from months to hours -- define the bleeding edge.
— CISA and G7 nations released joint guidance extending SBOM requirements to AI systems, mandating model provenance, training data sources, and AI-specific dependency documentation, formalizing bleeding-edge practice expansion.
— Operational guide documenting 'major npm supply chain incident every fortnight' cadence (May 2026) with real SIEM detection queries and AI-assisted threat-hunting methodology enabling fast kill-chain mapping and false-positive suppression.
— May 2026 incident: 170+ packages with 518M+ cumulative downloads compromised by worm exploiting GitHub Actions pull_request_target vulnerability, with valid SLSA provenance signatures, defeating signature-based detection.
— Peer-reviewed research demonstrates semantic supply chain attacks on AI agent skill registries via natural-language metadata manipulation, bypassing security verdicts 36.5%-100% of the time and extending monitoring scope to AI agent ecosystems.
— Case studies of six May 2026 attacks (node-ipc, Mini Shai-Hulud, intercom-client, tanstack) revealing escalating evasion tactics: credential harvesters in ESM-blind entry points, SLSA-signed backdoors, deadman's switch persistence in .claude/ and .vscode/ that survives uninstall.
— Quantifies supply chain threat acceleration (malicious packages grew 55K→454.6K over 3 years; time-to-exploit collapsed from 700→44 days) and documents Chainguard blocking 99.7%-98% of malicious packages across npm/Python, showing structural defense adoption.
— JFrog Xray automated malicious package detection scans all public repositories (npm, PyPI, Maven) in production, demonstrating enterprise-ready tooling maturity for supply chain monitoring.
— FDA mandates SBOM submission for all remote monitoring medical devices effective May 15, 2026, with automatic rejection of non-compliant submissions, advancing SBOM from best practice to hard regulatory requirement.
2022-H1: SBOM frameworks and tools emerging. Linux Foundation reports 78% of 412 surveyed organizations expect to produce/consume SBOMs in 2022 (66% growth YoY). Academic research identifies 12 major SBOM adoption challenges; Idaho National Lab surveys 83 tools, revealing tool ecosystem maturity but consensus gaps. Real deployments begin: Enel deploys JFrog Xray for IoT supply chain security; Google demonstrates SBOM consumption for vulnerability tracking. Yet capability gaps remain stark: only 37% of organizations can detect software tampering, and 27% generate/review SBOMs. Signal balance: intention is high, but execution capability and organizational readiness lag behind threat prevalence.
2022-H2: Vendor ecosystem expands and regulatory drivers appear. Snyk and JFrog launch GA SBOM capabilities; IETF formalizes SBOM discovery standards; U.S. government mandates secure development practices and SBOMs for federal contractors (Executive Orders, NIST guidance). Real-world deployments scale: Bendigo and Adelaide Bank runs Xray across 600+ cloud-native applications. Threat-driven adoption accelerates: 73% of organizations report increased security efforts post-Log4Shell and SolarWinds. However, capability gaps remain stark: independent assessment of 3,248 research repositories shows average OpenSSF score of 3.5/10, with signed releases and branch protection rarely implemented; 34% of surveyed organizations were exploited via OSS vulnerabilities despite increased efforts. Standardization and regulatory mandate are now the primary maturity drivers.
2023-H1: SBOM quality and consumption emerge as core challenges. Empirical analysis reveals fundamental tooling gaps: Endor Labs study finds SBOMs from different generators are barely comparable; OpenSSF analysis of 3,000 SBOMs shows only 1% meet NTIA minimum elements. Adoption metrics strengthen: 90% of surveyed professionals report detecting supply chain risks; but critical finding shows 74% say traditional SCA tools are ineffective, and OpenSSF practitioner feedback confirms extremely high false positive rates in container scanning. OpenSSF shifts focus from SBOM generation to consumption, noting 48% generate SBOMs but few consume them productively. Industry study across 15 countries identifies major barriers: 83% report third-party software lacks SBOMs, and 80% view adoption as most urgent unresolved concern. Trend: regulatory mandate continues to drive SBOM production, but tooling immaturity and organizational capability gaps now present the clearest limitation to practice maturity.
2023-H2: Threat landscape accelerates; tooling gaps persist despite increased focus. Sonatype reports 245,032 malicious packages detected in 2023—2x the combined 2019-2022 total—with 2.1B vulnerable OSS downloads. Academic research confirms core barriers: SBOM generators produce incomparable outputs; only 1% of real-world SBOMs meet NTIA standards; StackOverflow analysis shows persistent developer friction with tool usability and coverage. Practitioner survey (321 IT professionals) finds traditional SCA and appsec tools inadequate for supply chain monitoring. Open-source tools (dependency-management-data) emerge as practitioner alternatives, signaling recognition that vendor ecosystem remains immature. Regulatory mandate drives production but not consumption; organizational integration into DevOps remains the binding constraint.
2024-Q1: Threat impact becomes routine organizational risk; adoption remains asymmetric. ReversingLabs reports 1,300% cumulative increase in malicious packages; ESG data shows 91% of organizations experienced supply chain incidents. Practitioner research establishes baseline: tasks mitigating novel attack vectors through components and build infrastructure in early adoption. SBOM ecosystem analysis identifies 86 tools but reveals systematic quality gaps—Python SBOM generators produce incomparable outputs due to standards divergence. Threat has moved from emerging to critical, but organizational deployment scale and tooling maturity have not followed proportionally.
2024-Q2: Vendor ecosystem accelerates with major product launches (Synopsys Black Duck Supply Chain Edition, Red Hat Trusted Software Supply Chain, JFrog Xray enhancements) signaling investment maturity. However, empirical SBOM quality assessment of 9,970 documents reveals compliance failures (license 32%, copyright 14%, accuracy <26%) across 6 tools, confirming tooling gaps as binding constraint. Regulatory compliance readiness lags: only 20% of organizations prepared for CISA SSDA deadline despite explicit mandate. Adoption metrics show asymmetry: 54% suffered attacks but only 35% produce SBOMs; incident response times exceed one month for half. Integration friction persists as primary barrier despite threat prevalence and vendor investment.
2024-Q3: Threat prevalence established as universal organizational risk: Checkmarx survey (900+ professionals) confirms 100% of organizations experienced supply chain attacks, yet only 7% possess adequate monitoring tools. SBOM tooling quality gaps remain severe: Python ecosystem analysis identifies systematic completeness and correctness failures across four popular generators due to lack of metadata standards. Build system integration lags: Bazel deprioritizes SBOM support following developer resource constraints. Positive signals emerge: Snyk Kubernetes admission control patterns (September 2024) demonstrate advanced enforcement monitoring. Practitioner consensus identifies SBOM-as-checkbox problem: automation and operational integration remain the unresolved maturity frontier. Deployment scale remains concentrated among early adopters; organizational integration patterns and tool ecosystem quality gaps prevent proportional scaling despite near-universal threat exposure.
2024-Q4: Threat escalation continues: Sonatype reports 156% surge in malicious packages; 80% of dependencies unpatched for over a year. Organizational response lags adoption intent: Snyk survey (62% SBOM monitoring, 45% replacing vulnerable components) reveals AppSec exhaustion; Anchore survey shows only 21% confident in dependency visibility despite 200% prioritization increase. Peer-reviewed research confirms 11 adoption barriers across SBOM ecosystem; tool gaps in CI/CD integration, dependency tracking, and regulatory compliance persist. Visibility and execution gaps remain primary constraints preventing proportional organizational response to threat escalation.
2025-Q1: Threat sophistication accelerates: ReversingLabs analysis shows 12% increase in exposed development secrets in open-source; 6 critical and 33 high-severity flaws per scanned package. Critical visibility metric established: LevelBlue research quantifies risk—80% of low-visibility organizations experienced breach vs. 6% with high visibility. Organizational confidence gap persists: 75% of IT professionals report insufficient supply chain visibility despite increased priority. Production deployments continue among early adopters (fintech case study), but practitioner analysis identifies persistent SBOM quality failures (incompleteness, inaccuracy, format divergence) as systemic barrier. Compliance-driven production expands; operational consumption and integration remain unresolved maturity frontier.
2025-Q2: Framework limitations identified as binding constraint: NC State University research finds that full enforcement of 10 major SSCS frameworks (NIST, OWASP, SLSA) would not prevent attacks like SolarWinds or Log4j, revealing insufficiency of current approaches. Vendor ecosystem matures: Snyk available on AWS Marketplace; ecosystem breadth signals adoption pathway. Yet practitioner critique escalates: Anchore and Black Duck analyses document pervasive SBOM inadequacy—"most SBOMs barely valid, few meet government standards"—and identify 70% transitive dependency challenge, requiring supplementary SCA automation. Standards evolution advances: CycloneDX xBOM ratified as Ecma standard with 12 specialized BOMs (SaaS, crypto, ML, hardware, ops), expanding scope beyond software. Academic research formalizes supply chain security: STRIDE-based threat modeling frameworks for CI/CD pipelines advance methodological rigor. Asymmetry persists: threat severity, framework documentation, and vendor investment increase proportionally, but critical research exposes framework gaps and tooling remains inadequate for operational integration. Practice remains at bleeding-edge maturity with unresolved organizational execution challenges.
2025-Q3: Threat landscape escalates dramatically: supply chain attacks double to 26/month (historical 13/month) starting April; Verizon DBIR 2025 shows third-party breaches reach 30% of all incidents (100% YoY increase). SBOM tooling quality gap persists as binding constraint: CMU SEI analysis of 243 SBOMs from CISA 2024 plugfest reveals significant divergence between tools; ReversingLabs research demonstrates SCA-generated SBOMs capture only ~50% of components, creating serious visibility gaps. Real-world incident case studies (CrowdStrike, Puppet, 3CX) underscore systemic vulnerabilities in automated update chains and CI/CD pipelines. Organizational preparedness gap continues: 98% recognize risk but only 60% feel prepared (ReversingLabs survey). Vendor ecosystem operational maturity signals: Snyk SBOM API reaches GA (July 2025); OpenSSF publishes whitepaper (Sept 2025) advancing SBOMs from compliance to operational consumption. Yet critical gap emerges: survey data documents only 23-40% report strong visibility, with direct correlation—80% breach rate for low-visibility organizations vs. 6% for high-visibility. Standards maturation continues (CycloneDX xBOM as Ecma standard), but operational integration, continuous monitoring automation, and CI/CD pipeline enforcement remain unresolved. Threat acceleration and regulatory mandate drive SBOM production, but tooling quality, visibility gaps, and operational integration friction prevent proportional scaling of monitoring effectiveness.
2025-Q4: Regulatory adoption reaches critical mass: global frameworks mandate SBOMs (EU CRA enforcement, CISA updates Aug 2025, India CERT-In/SEBI/RBI). Threat surge continues: 567% year-over-year attack increase documented; detection rate remains critically low at 3%; mean time to remediation stalled at 252 days. Critical negative signal emerges: framework insufficiency. NC State research finds that 10 major SSCS frameworks' 73 recommended tasks fail to prevent attack techniques from SolarWinds, Log4j, and XZ Utils, exposing gap between prescribed guidance and real threat landscape. Enterprise tooling consolidation signals maturity: Fortune 500 company migrates from Snyk to JFrog Xray; standards converge (CycloneDX xBOM ratified as Ecma standard with 12 specialized BOMs). Yet organizational execution gap persists: only 21% confident in dependency visibility despite 200% security prioritization increase; emerging AI adoption risk (95% using AI tools, only 24% with adequate security controls). Bleeding-edge frontier clarifies: SBOM production now driven by regulatory mandate and mainstream organizational concern; bottleneck shifts from generation to three operational challenges: (1) SBOM quality/completeness; (2) continuous, automated risk decision-making from SBOM data; (3) embedded supply chain monitoring in CI/CD pipelines reducing MTTR from months to hours. Framework gaps and AI supply chain risks represent new monitoring frontiers.
2026-Jan: AI supply chain risks emerge as primary new threat vector; traditional SBOM scope proves insufficient. Regulatory standardization advances. CISA publishes updated SBOM guidance (January 2026) with expanded minimum elements (Component Hash, License, Tool Name, Generation Context) and emphasis on automation and interoperability, continuing federal standardization progression. Threat landscape evolves. Sonatype 2026 analysis documents 75% year-over-year malware growth to 1.233M packages; ReversingLabs reports npm malicious packages doubled to 10,819 with Shai-hulud worm compromising ~1,000 packages, advancing beyond individual package attacks to ecosystem-scale compromise campaigns. Critical discovery: SBOM inadequacy for AI systems. Snyk analysis reveals traditional SBOMs cover only 50% of AI supply chain surface; half of AI components exist outside repositories on developer machines (local MCP servers, model files), creating monitoring visibility gaps that current frameworks fail to address. Organizational capability gaps codify. NOVALOGIQ survey finds 62% of organizations cannot identify where LLMs operate; 97% lack AI access controls; 48% organizations behind on basic SBOM requirements despite regulatory pressure. Enterprise deployments continue (digital services provider blocking 80+ malicious npm versions with JFrog Curation), confirming platform maturity for traditional supply chain monitoring but exposing insufficiency for emergent AI risks. Emerging risk crystallizes: AI-generated supply chain vectors exceed current monitoring scope. Convergence of evidence shows SBOM-centric practices now require AI-BOM extensions (model provenance, training data lineage, runtime dependencies) and developer-desktop visibility for effective real-world coverage. The practice's maturity ceiling becomes visible: regulatory compliance and enterprise vendor tooling mature; operational gaps shift from SBOM generation/consumption to (1) AI supply chain visibility; (2) framework extensions for AI systems; (3) developer tooling integration capturing components outside repository-based scanning.
2026-Feb: Tooling interoperability failures and real-world attack evidence escalate, exposing practice limitations. SBOM generator interoperability reveals critical vulnerability. Research on 2,313 Docker images demonstrates that choice of SBOM generator (Syft vs. Trivy) alters reported vulnerabilities by up to 5,456 CVEs per image, with 43.7% of images triggering tool failures—evidence that current supply chain monitoring relies on fundamentally unreliable tooling. Threat incidents confirm vulnerability surface. Compromised npm token on Cline CLI installs malicious code (OpenClaw) on developer systems; real-time attack reach (4,000 downloads in 8 hours) demonstrates supply chain monitoring gap at developer tooling layer. Organizational risk scales. Black Duck analysis of 947 commercial codebases documents 107% increase to 581 mean vulnerabilities per codebase; 65% of organizations experienced supply chain attacks; 93% contain zombie components. Vendor consolidation maturity increases. Forrester TEI study of enterprise JFrog Platform deployments shows 282% ROI, 65% vulnerability reduction, 80% faster remediation, confirming operational effectiveness at scale—yet practitioner review notes vendor lock-in constraints (no free tier, Artifactory dependency). Binding constraints clarify. Monitoring practice effectiveness hinges on three unresolved challenges: (1) SBOM tooling interoperability and consistency; (2) extension to non-repository supply chain layers (developer tools, AI systems); (3) cost and vendor lock-in barriers reducing accessibility beyond large enterprises.
2026-Apr: March 2026 produced the most concentrated supply chain attack wave on record: five coordinated campaigns in twelve days compromised Trivy, Checkmarx, LiteLLM (2,337 downstream packages including Google ADK and MLflow), and Axios npm, each exploiting authorized operations chaining to produce unauthorized outcomes and using developer-side credentials as the entry vector. OWASP elevated supply chain failures to #3 in its 2025 Top 10 (up from #6 in 2021, with 50% of voters ranking it #1). Against this, SBOM-centric monitoring continued to show structural limits: SafeDep documented that one-third of exploitable vulnerabilities live only in transitive layers invisible to tools stopping at direct imports, and SBOM false-positive rates in vulnerability pipelines reached 97.5% with MTTR exceeding 400 days in some pipelines. Research from KU Leuven revealed critical integrity vulnerabilities: attackers can manipulate dependency versions in package managers, causing SBOMs to remain mathematically accurate while actual systems are compromised. Behavior-based monitoring from vendors like StepSecurity and Cynet detected and blocked many March attacks through multi-vector analysis (static + behavioral), but monitoring vendors themselves became vectors when their CI/CD credentials were compromised. ML supply chains emerged as new frontier: clawRxiv research shows attacks on ML model registries go undetected for 14 days on average, with detection failures accounting for 25.9% of variance in security outcomes. Agentic AI systems introduced new supply chain surface: ClawHub malicious Claude Skills spread via agent-to-agent infection; prompt injection in GitHub issue titles compromised 4,000 developers via malicious npm packages; network-level guardrails frameworks (ShieldNet) emerging as detection strategy with 0.995 F1-score. Sonatype launched a GA malware-defense API for on-demand evaluation of OSS components and AI/ML models, marking a shift from static SBOM generation toward active threat intelligence. Enterprise monitoring scale: Sonatype's Repository Firewall prevented 136,107 supply chain attacks in Q1 2026 alone, serving 70% of Fortune 100—quantifying operational effectiveness. OWASP's official Q1 2026 GenAI Exploit Round-up documented 7+ major supply chain incidents and formalized an AI-specific incident taxonomy mapping to its Top 10 LLM/Agentic risk categories, signaling the practice's conceptual frontier is shifting from software packages to AI model and agentic tool chains. Practice maturity crystallizes: SBOM generation regulatory-driven and enterprise-deployed; monitoring effectiveness hinges on three technical challenges: (1) SBOM integrity and transitive dependency visibility; (2) behavior-based detection for zero-day and novel attacks; (3) extension to ML and agentic AI supply chains currently outside traditional SBOM scope.
2026-May: International regulatory convergence establishes AI supply chain as distinct practice; operational threats accelerate faster than monitoring can detect. CISA and G7 nations (May 13) released joint "AI Bill of Materials" guidance extending supply chain monitoring to model provenance, training data sources, fine-tuning history, and prompt-injection vectors; FDA simultaneously made SBOM submission mandatory for all remote monitoring medical devices effective May 15, with automatic rejection of non-compliant submissions — moving SBOM from best practice to hard regulatory requirement. The threat escalated in parallel: the Shai-Hulud worm (May 11) compromised 170+ packages with 518M+ cumulative downloads via GitHub Actions cache poisoning while carrying valid SLSA Build Level 3 provenance signatures, defeating signature-based detection; operational threat hunting documented a major npm supply chain incident every fortnight. Research exposed AI agent ecosystems as a new attack surface: semantic supply chain attacks on skill registries manipulate embedding-based discovery with 86% retrieval win rate and bypass security verdicts 36.5%–100% of the time. Enterprise monitoring demonstrated scale (JFrog Xray automated detection across npm/PyPI/Maven; Chainguard blocking 99.7% of malicious npm packages), but SBOM tooling fundamentals remained unreliable — swapping generators changed vulnerability reports by 5,456 CVEs per image on the same container. Bleeding-edge boundaries clarified: regulatory compliance and enterprise detection capacity are maturing while detector evasion (valid provenance, dotfile persistence), AI supply chain scope gaps, and the decision clarity gap (97.5%+ SBOM false-positive rates, 400+ day MTTR) remain unresolved.