Solving the AI Accountability Crisis in the Software Supply Chain | Sonar Summit 2026
Examine the accountability gap in AI-assisted development and how SonarQube's SAST, secrets detection, and software composition analysis create an auditable verification layer across the software supply chain.
The Velocity Paradox: Speed Without Control
The software industry is experiencing unprecedented acceleration. AI-driven coding assistants and agents are enabling developers to produce code at a scale previously unimaginable, roughly ten times the volume of five years ago. While this is a remarkable success story for development velocity, it has created what JFrog's Segev describes as a "tsunami of code" that traditional governance mechanisms simply cannot manage. Manual code reviews, spreadsheets, and checkbox-driven release processes have become obsolete bottlenecks. The fundamental problem is stark: organizational velocity is outpacing the ability to govern it, as three forces collide at once: accelerating code volume, expanding attack surfaces (with supply chain attacks up 300%), and tightening regulatory requirements such as Europe's Cyber Resilience Act (CRA).
The Hidden Cost of Manual Compliance
The accountability crisis extends beyond velocity. Nearly 80% of compliance issues are discovered only after deployment, meaning organizations are shipping risk rather than preventing it. This reactive approach wastes enormous engineering resources on post-deployment remediation and manual evidence gathering. Security teams spend countless hours extracting logs, capturing screenshots of scans, and assembling spreadsheets to prove compliance—work that nearly half of all CISOs identify as their primary implementation challenge when adopting new security frameworks. The root causes are twofold: a critical context gap (organizations rarely understand which business applications own specific binaries in their repositories) and excessive reliance on manual evidence collection, which neither scales with code volume nor provides reliable audit trails.
DevSecOps and Immutable Evidence: A New Approach
Rather than continuing to fight velocity with outdated controls, organizations must shift toward integrated DevSecOps, embedding governance directly into the development and deployment pipeline rather than treating it as a separate, disconnected process. JFrog's AppTrust platform exemplifies this approach by creating "immutable evidence" that travels with the application artifacts themselves, functioning as a tamper-evident digital seal: because the evidence is bound to the artifact, any later alteration of either the evidence or the artifact it describes is detectable. By integrating SonarQube directly into the release process, JFrog enables automated attachment of code quality evidence to artifacts, eliminating the need for manual screenshots and verification. This integration creates three critical capabilities: application context (grouping resources into logical application entities), integrated evidence (automatically binding SonarQube results to binaries), and active enforcement (automated policy gates that block releases failing quality standards).
Governance Through Policy as Code
The platform demonstrates this integration through practical lifecycle management, where applications progress through development, QA, staging, and production stages, with each transition governed by automated policy gates. Custom policies written in Rego codify company-specific requirements, including SBOM validation, exposure checks, and mandatory SonarQube quality gate passage. When a version lacks required evidence or fails quality criteria, the platform blocks promotion to the next stage, removing human discretion and ensuring only trusted releases reach production. This "policy as code" approach turns complex regulatory requirements into enforceable automated rules that developers understand upfront, preventing problematic merges and reducing failed build rates while creating comprehensive, timestamped audit trails of every promotion attempt.
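The following Rego policy is an added illustration of the kind of promotion gate described above; it is not JFrog's or Sonar's own policy, and the input shape it reads (`input.stage`, `input.artifact.sha256`, `input.evidence[]` with `type`, `subject_sha256`, `verified` and `predicate` fields) is an assumption made for this example, not AppTrust's actual schema. It also assumes the platform has already verified each evidence signature and recorded the outcome in `verified`, so the policy only has to decide whether evidence that is bound to this exact artifact digest satisfies the stage's requirements: a SonarQube quality gate with status `OK`, an SBOM, and, for staging and production, an exposure scan with no critical findings.

```rego
package apptrust.promotion

import rego.v1

# Added example policy (hypothetical input schema, not AppTrust's real one).
#
# Constructed sample input for illustration:
# {
#   "stage": "production",
#   "artifact": {"sha256": "3c2d...9f"},
#   "evidence": [
#     {"type": "sonarqube-quality-gate", "subject_sha256": "3c2d...9f",
#      "verified": true, "predicate": {"status": "OK"}},
#     {"type": "cyclonedx-sbom", "subject_sha256": "3c2d...9f",
#      "verified": true, "predicate": {"components": 412}},
#     {"type": "exposure-scan", "subject_sha256": "3c2d...9f",
#      "verified": true, "predicate": {"critical": 0, "high": 2}}
#   ]
# }

default allow := false

# Promotion is allowed only when no deny rule fires.
allow if count(deny) == 0

# Evidence counts only if it names this artifact's digest and its signature
# verification succeeded; unbound or unverified evidence is ignored, which is
# what makes the seal tamper-evident rather than merely present.
bound_evidence contains ev if {
	some ev in input.evidence
	ev.subject_sha256 == input.artifact.sha256
	ev.verified == true
}

# All bound evidence of a given type.
evidence_of(t) := [ev | some ev in bound_evidence; ev.type == t]

deny contains msg if {
	count(evidence_of("sonarqube-quality-gate")) == 0
	msg := "missing SonarQube quality gate evidence bound to this artifact"
}

deny contains msg if {
	some ev in evidence_of("sonarqube-quality-gate")
	ev.predicate.status != "OK"
	msg := sprintf("SonarQube quality gate status is %v, expected OK", [ev.predicate.status])
}

deny contains msg if {
	count(evidence_of("cyclonedx-sbom")) == 0
	msg := "missing SBOM evidence bound to this artifact"
}

# Exposure checks are required from staging onward.
deny contains msg if {
	input.stage in {"staging", "production"}
	count(evidence_of("exposure-scan")) == 0
	msg := sprintf("missing exposure scan evidence for promotion to %v", [input.stage])
}

# Critical exposures block production specifically.
deny contains msg if {
	input.stage == "production"
	some ev in evidence_of("exposure-scan")
	ev.predicate.critical > 0
	msg := sprintf("%v critical exposures block promotion to production", [ev.predicate.critical])
}
```

With the policy saved as `promotion.rego` and the sample input as `input.json`, `opa eval --format pretty -i input.json -d promotion.rego 'data.apptrust.promotion.deny'` lists every reason a promotion would be refused, and `data.apptrust.promotion.allow` gives the single gate decision. Removing the SBOM entry from the input, or changing the quality gate `status` to `ERROR`, produces a non-empty `deny` set and flips `allow` to `false`; changing `subject_sha256` on any entry to a different digest has the same effect, because evidence that is not bound to the artifact being promoted does not count.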
Key Takeaways
- The velocity-governance gap is unsustainable: Traditional manual controls cannot keep pace with AI-driven code volume increases; nearly 80% of compliance issues are found post-deployment, requiring reactive fixes instead of preventive governance.
- Immutable evidence enables trust at scale: Binding SonarQube scan results directly to artifacts as tamper-evident seals eliminates manual evidence gathering and provides reliable, automated proof of code quality and security.
- DevSecOps governance must be automated and integrated: Moving security checks into the deployment pipeline via automated policy gates ensures only code meeting defined standards reaches production, without requiring manual intervention.
- Policy as code replaces checkbox compliance: Codifying security and quality requirements in a policy language such as Rego turns regulatory frameworks into enforceable automated rules that developers can understand and follow proactively.
- Context and traceability are essential: Organizations must understand which applications own specific artifacts and maintain complete audit trails of all promotion attempts to effectively govern their software supply chain.