Breaking Down Rules of DevSecOps and AI Governance in India With JFrog

AI is accelerating how software is built. From OpenAIs and Google to Cursor and Anthropic, code-generation tools are saving developers time, cost, and energy. 

But the rapid shift has skipped key steps in between – chief among them, risks to the software supply chain. It’s a conversation largely missing from mainstream debates around AI and software production.

No panic button has been pressed yet. Perhaps one should be.

JFrog’s ‘2026 Software Supply Chain Security State of the Union’ report  reveals an alarming data on Indian organisations’ preparedness: 

“65% of Indian organisations lack malicious package detection and 71% don’t use container  security. With a 451% surge in malicious packages for npm – the largest enterprise  ecosystem – this lack of adequate tooling puts India’s enterprise infrastructure at  risk.”

The npm ecosystem also overtook Maven as the most-used enterprise ecosystem for the first time last year, weathering a wave of supply chain attacks, including the self-replicating “Shai-Hulud” worm.

If one of the world’s largest software security blind spots was not enough, DevSecOps teams are drowning in AI validation: “Indian teams now spend 51% of their time reviewing and hardening AI-generated code, a responsibility that didn’t exist two years ago. AI hasn’t reduced work; it has shifted the burden from writing code to validating it, while security tooling lags.”

Yet the picture is sharper than a simple alarm. 

JFrog’s accompanying APAC regional analysis identifies India as the world leader across all eight surveyed countries on AI input/output monitoring (87%), automated open-source approval scanning (57%), and auto-updates on passing security scans (38%). India isn’t behind on AI governance – it’s ahead. 

The problem is what it leads on next: India also has the highest unconditional AI-trust rate in the dataset, with 34% of respondents willing to treat an AI-suggested security fix as the definitive answer after only a quick review. That’s roughly twice the non-APAC average. JFrog’s own report flags this as a structural risk: “high AI trust without proportionate skepticism can allow confident errors to propagate quickly through the pipeline.”

READ: Anthropic Claude Mythos: The Dawn of the Autonomous Cybersecurity Era & Risks To SMEs

In an exclusive, wide-ranging conversation with Entrepreneur India, Sudhir Narla, Vice President of Customer Success and General Manager of JFrog India, dives deeper into the shifting realities of the new-age software infrastructure, challenges and opportunities for the Indian firms, and most importantly, keeping up with the security, governance and regulatory challenges.

For the uninitiated, JFrog (founded in 2008) is one of the marquee names in software production, offering a unified DevOps, DevSecOps, DevGovOps (governance-focused operations), and MLOps platform. The company serves millions of users and approximately 6,600 organisations worldwide, including a majority of the Fortune 100. 

Its long list of clientele includes names such as Google, Yahoo, Infosys, HDFC, Tata Motors, Reliance Jio, PepsiCo, VMwWare, Deloitte, Nvidia, Credit Karma, Coles, Iress, Myntra, and Flipkart.

For Q1 2026 (ended March 31), JFrog reported total revenue of USD 154.0 million, up 26% year-over-year, with cloud revenue rising 50% to $78.9 million, and now over half of the company’s business. The firm has guided Q2 revenue in the range of USD 154 million to USD 156 million. JFrog does not publish region-specific earnings, and Narla declined to share India-specific figures, saying he would refer the question to internal sales leadership.

Blind Spots & Fragmented Security

As mentioned above, developers are increasingly embracing a diverse suite of AI code assistants such as Claude, Copilot and Cursor among them. And now, there’s a massive volume of code being synthesized through these tools.

This shift has moved risk vectors from conventional source repositories to open-source model registries. According to JFrog’s report, Hugging Face alone contributed 58% of all new software packages last year, roughly 1.4 million new artifacts – making model registries the largest single input to the software supply chain. Many of these unvetted AI models can carry live payloads, increasing organisations’ exposure to active attacks.

“We’re seeing a shift from isolated vulnerabilities to systemic risk across the entire software supply chain,” Narla said. “Indian organisations will need to move beyond traditional security approaches and rethink how they establish trust in increasingly AI-powered, automated environments.”

Sudhir warns that this hyperusage of codes from fractured ecosystems and putting them into a security stack developers may end up opening the platforms to severe risks. He further warns that fragmentation is exactly where vulnerabilities are nowadays taking a birth.

“The challenge is when companies have fragmented tools managing different pieces, they create blind spots. And that’s where we believe one central system is needed, which serves as a single source of truth. And what we internally propagate, and now externally is a System of Records that governs all code, artifacts, regardless of which AI tool is creating it,” he explained.

In software development, artifacts are any tangible byproducts created during the project lifecycle. Think of them as the “paper trail” or “parts” of a software. They include nearly everything starting from initial planning documents and source code to the final compiled programs that users run.

Sudhir adds: “Now, three things are changing. Security is now moving from manual checkpoints to automation. That is, security is being built into the workflow itself. The tool becomes irrelevant, whether the developers use Claude or Copilot, it shouldn’t affect how you govern it. And, full visibility becomes mandatory. We need to know what’s being created, by whom, and where it’s being deployed. Now, when you take all this into consideration, irrespective of the scale of the company, governance visibility and, and thereby, security is the mandatory part. “There are no two ways about it, and companies which understand this are going to win.”

“Organizations which are winning are building one platform, that is, one System of Record that treats every artifact the same way. The code, models, MCPs (Model, Context Protocols) – all governed with the same rigor, all auditable, all traceable, subject to the same policies. Here’s what that enables. Shadow AI detection gives visibility into every model and agent being used, one governance catalog where all artifacts live, policies enforced automatically across all artifact types, and centralized evidence system, so compliance audits are straightforward, not reconstructed months later. The organizations that will lead are those treating their entire software supply chain, from code to AI models to deployed agents, as one unified system. Not security as code, but governance as infrastructure. No point solutions – a single System of Record.”

Perhaps more troubling is the gap between leadership confidence and front-line reality. According to JFrog’s report, 97% of organisations claim certified AI model governance, yet only 59% of IT leaders report full provenance visibility, and 48% still need a week or more to produce audit-ready proof. Meanwhile, 53% of Indian engineers treat AI-generated code only as a starting point, and another 11% rewrite it entirely from scratch. Engineers, in other words, don’t trust what executives say is under control.

Sudhir Narla, General Manager for JFrog India, and VP of Customer Success

Global Landscape & India

But not everything is gloom and doom. India has the potential to be at the forefront of global security adoption. The next push can come from GCCs (Global Capability Centers) in India which are transitioning from operational back-offices to architectural hubs, opening up a new opportunity for firms to embrace global benchmarks for software security.

“From a technology perspective, India is central to our strategy, not just APAC, but globally. India has massive engineering talent. Enterprises are scaling fast, and they’re doing it the right way when it comes to securing the software delivery. Our data shows that Indian organisations are actually leading globally on critical metrics. Everyone is talking about AI, but when it comes to India, 87% of organisations have AI governance in place, 57% have automated security scanning, and 38% are auto-updating dependencies based on security results. These metrics are some of the highest in the world,” Sudhir said.

India also leads surveyed regions on automated Shadow AI detection at 60%, though that still leaves 40% of Indian organisations without any automated way to catch unsanctioned AI tools running inside their developer environments.

India’s adoption culture differs from other markets. “Australia is heavy on automation. They’re using gates and controls at infrastructure level to make it impossible to bypass security. India is very speed-focused. They try to automate as much as possible, including automating approvals, so developers never wait and compliance happens invisibly. Singapore follows what is called careful control – curated lists and network-level enforcement, but very slow on approvals compared to peer nations.”

“But what’s common everywhere is organisations realising that point solutions don’t scale. They can’t manage seven different security tools talking to each other; they need one integrated platform.”

Compliance curveball

Globally, the macro-environment for software engineering is also grappling with regulatory shifts. India has its Digital Personal Data Protection (DPDP) Act and CERT-In disclosure requirements; the European Union’s AI Act has key provisions taking effect in August 2026; and in the US, the SEC has signalled increasing expectations around AI-related corporate disclosures.

“Most of the enterprises we talk to keep asking, ‘How do we scale from 100 engineers to 1,000 without creating chaos? ‘Our answer is platform engineering. We are building self-service platforms with built-in security, standardized pipelines, and centralized governance. And, not just in India even with AI, secret detection is the biggest gap. Even the most mature teams often aren’t actively scanning for exposed credentials. That’s a low-hanging fruit for improvement.”

The objective is straightforward: consolidate artifacts into a single framework so organisations have a unified view of compliance across the pipeline, closing the gap between engineering speed and corporate governance. As Narla puts it, secure supply chains are no longer a compliance checkbox – they’re competitive infrastructure. The companies that recognise this first will be the ones that scale safely; the rest will spend the next regulatory cycle catching up.