Australia leads in self-hosted AI use, JFrog finds


JFrog has released research showing that Australian organisations lead globally in self-hosted AI use and automated software governance. The findings also point to persistent gaps in secrets detection and audit readiness.

The survey found that 68% of Australian organisations self-host AI models, the highest rate among the countries surveyed, while 47% use automated controls to block unapproved IDE extensions and MCP servers. It also reported that 67% have full visibility into the provenance of software running in production, the highest level in Asia-Pacific.

The results are based on 165 Australian respondents and form part of a wider survey of 1,508 IT professionals across eight countries. Respondents worked in organisations with software development teams of at least 50 staff.

Global threat rise

The report comes as attacks on software supply chains expand beyond open-source packages to AI models, developer tools and agent-based systems. JFrog identified 171,592 malicious npm packages in 2025, up 451% year on year, along with 495 malicious AI models and 969 malicious AI agent skills.

It also tracked 56 malicious extensions on OpenVSX, a registry used by AI-focused IDEs. More than 48,000 new CVEs were disclosed globally over the year, a rise of 20%.

Australian businesses are also facing higher costs from cyber incidents. Citing the Australian Signals Directorate’s annual cyber threat report, JFrog said the average cost of cybercrime for Australian businesses rose 50% to $80,850 per incident, with supply chain attack routes flagged as a growing risk.

Automation gains

The Australian data points to extensive use of automated controls in software development workflows. More than half of organisations, 53%, approve new open-source packages within five days, making Australia the fastest in Asia-Pacific for this process.

That pace was linked to the use of pre-approved package lists and automated enforcement tools, reducing the need for manual approval. The figures suggest many local organisations have embedded policy controls deeply into developer environments and software delivery pipelines.

Use of self-hosted AI models also stood out. By keeping models within infrastructure under their own control, Australian organisations appear to be taking a more cautious approach to data handling and software governance than peers elsewhere.

Blind spots remain

Despite these strengths, the report highlights areas where controls appear weaker. Only 38% of Australian organisations have adopted secrets detection, meaning most are not actively scanning codebases for exposed credentials, API keys or tokens.

That matters because exposed secrets remain a common route into systems. JFrog found 17,637 exposed tokens across public repositories in 2025, with 33% of AWS credentials and 87% of Hugging Face tokens still active when discovered.

Audit preparation also remains slow for many organisations. Although 67% said they had full visibility into software provenance in production, 44% still needed a week or more to produce compliance audit evidence for each application.

The figures suggest traceability does not automatically translate into documentation that can be assembled quickly for regulators, customers or internal governance teams. In practice, many security and compliance teams still appear to rely on manual effort to gather evidence.

Another pressure point is AI-generated code. The survey found 51% of Australian security teams viewed reviewing and hardening AI-generated code as a significant time burden, the highest rate in Asia-Pacific.

At the same time, 34% of Australian developers treat AI-suggested security fixes as near-definitive and accept them after only a quick review. That points to a potential mismatch between the speed of AI-assisted development and the scrutiny needed to verify code changes.

Sunny Rao, Senior Vice President, APAC, at JFrog, said the research showed both progress and risk in the Australian market. “Australian enterprises have achieved something most markets are still working towards – they’ve built automated gates across the developer toolchain and brought AI models inside their own infrastructure for sovereign control,” Rao said.

He said the attack surface had shifted as AI tools became more deeply embedded in software development. “But as AI models become supply chain dependencies and agentic tools gain direct access to codebases and credentials, organisations need a single source of truth that governs every artifact – every binary, every model, every IDE extension – from the moment it enters the pipeline to the moment it reaches production. That is the trust layer Australian organisations need to be secure. Without it, the most automated perimeter in the world still has gaps that attackers can walk through,” Rao said.

Rao said the next step was to extend governance across more parts of the software stack rather than relying on isolated controls. “Australia is in a uniquely strong position because the hardest part – building the culture and infrastructure for automated enforcement – is already done. What’s needed now is a system of record that extends that discipline to every layer of the supply chain: curating AI models and open-source packages before they reach the pipeline, scanning every artifact for exposed secrets automatically, and using contextual analysis to cut through CVE noise so teams fix what really matters,” Rao said.

He added that compliance processes also needed to be more tightly integrated with software governance systems. “When governance is platform-native rather than bolted on, compliance evidence becomes something the system generates in minutes, not something a team assembles under pressure over weeks. That is how you turn Australia’s automation advantage into end-to-end security,” Rao said.