Invisible Risks, Visible Consequences: New Report Warns of Software Supply Chain Blind Spots Amid AI Surge
- Cyber Jill
- Jul 9
In a cybersecurity landscape increasingly shaped by generative AI, nation-state threat actors, and sprawling digital ecosystems, a new report from LevelBlue casts a harsh spotlight on one of the weakest links in enterprise defenses: the software supply chain.
According to the LevelBlue Data Accelerator: Software Supply Chain and Cybersecurity, just 23% of organizations report having “very high” visibility into the components and vendors embedded in their software stacks. That leaves the majority navigating with partial or poor insight — a perilous position in 2025 as regulatory scrutiny tightens and supply chain breaches proliferate.
And the consequences are measurable. Of the organizations reporting “very low visibility,” a staggering 80% experienced a breach in the past year. In contrast, just 6% of those with “very high visibility” suffered a similar fate — an eye-popping gap that quantifies how much security hinges on transparency.
“Our Accelerator underscores an immediate need for organizations to prioritize a transparent and secure software supply chain,” said Theresa Lanowitz, Chief Evangelist at LevelBlue. “In an era of increasing AI disruption and evolving threats from nation-states and cybercriminal groups, the ability to withstand and recover from cyberattacks is directly tied to a clear understanding of an organization's software ecosystem.”
The findings build on data from the broader 2025 LevelBlue Futures Report, comparing organizational preparedness across industries and regions. It paints a mixed global picture, with European firms leading in software supply chain investment (67% report increased spending), but ironically trailing in engagement with software suppliers — only 23% prioritize credential verification.
North American companies, meanwhile, face mounting challenges from third-party software distribution channels and unsupported software, both cited by nearly half of respondents as critical risks. And although 57% in the region say they’re prepared for software supply chain attacks, that still leaves a large segment exposed.
Leadership perception appears to play a crucial role. While 40% of CEOs see the software supply chain as the greatest security threat, that urgency fades lower down the org chart — with only 29% of CIOs and 27% of CTOs in agreement. The AI factor also looms large: 39% of CEOs believe AI adoption increases supply chain risk, reflecting growing concern that new technologies are outpacing governance.
Yet even as awareness climbs, action lags. Only one in four organizations plans to proactively engage software suppliers about their security practices in the coming year — a disconnect that undermines stated concerns about third-party risk.
To close that gap, LevelBlue outlines a four-part roadmap: leverage executive momentum to fund security upgrades, identify key vulnerabilities internally, commit to proactive investment in threat detection and exposure management, and demand proof of security hygiene from all software vendors.
The message is clear: without full-spectrum visibility into the software lifecycle — from custom code to open-source dependencies to API integrations — organizations are flying blind into a storm of evolving cyber threats.
The cost of that blindness is no longer theoretical. It’s already being tallied in ransomware payouts, regulatory fines, and reputational damage.
As Lanowitz put it, “Cyber resilience starts with knowing who and what you’re connected to — and being brave enough to demand better from your suppliers.”