Manifest, the leading platform for software and AI supply chain security, today released new research exposing a significant AI readiness gap inside enterprise security teams. In its report, Beyond the Black Box: How AI Is Forcing a Rethink of the Software Supply Chain, executives report confidence in their supply chain resilience, while application security (AppSec) teams report governance fragmentation, shadow AI usage, and operational blind spots. The findings suggest many organizations may be significantly less prepared for AI-driven and software supply chain threats than leadership believes. The full report is available for download here.
Key findings from the report include:
- Organizations are creating SBOMs but not using them: Though 60% of organizations generate SBOMs, more than half aren’t actually consuming or managing them in practice. Adoption in larger enterprises is higher (59%) than in small organizations (nearly 32%), likely driven by regulatory pressures.
- Shadow AI and governance gaps are rising: 63% of survey respondents acknowledge that there is “shadow AI” within their organizations. And instead of integrating AI into existing software review processes, 42.4% of teams address AI separately from standard governance structures.
- Legacy SCA tools are failing: About 56% of participants believe that Software Composition Analysis (SCA) tools are noisy and delay development teams, leading to cynicism about the ability of these tools to meaningfully reduce software-related risk.
- Transparency = improvement: Organizations that get verifiable transparency data (such as SBOMs, provenance records or signed binaries) from vendors experience huge efficiencies: 64% see quicker implementation of new technology, and 61.6% see quicker resolution of security issues. However, those who lack this data pay a “transparency tax” in extra time and cost spent looking into opaque software.
The findings indicate that AI adoption is accelerating faster than governance and visibility mechanisms can keep pace. In many organizations, AI models, datasets, and third-party services are being integrated without unified inventory or consistent policy enforcement, increasing exposure to licensing, provenance, and supply chain risk.
Rather than a tooling shortage, the research points to an operational alignment challenge. Fragmented ownership, disconnected workflows, and the absence of a shared system of record make it difficult to translate security signals into measurable risk reduction. Organizations that lack centralized visibility struggle with audit readiness, incident response coordination, and vendor risk oversight, challenges that AI systems can amplify.
Daniel Bardenstein, CEO, Manifest, said: “This report surfaces a hard truth. Executive confidence in AI readiness does not match what AppSec teams are dealing with day to day. Leaders believe governance is in place, but practitioners are seeing unmanaged AI usage, unclear ownership, and blind spots in what is actually running across products and vendors. AI is scaling faster than enterprise visibility and accountability. To close the gap, organizations need operational control, a unified way to inventory AI components, understand how they enter the environment, and enforce consistent decisions across teams. Without that, the disconnect between strategy and execution will continue to widen.”
