Manifest Report Reveals AI Readiness Gap Between Executives and AppSec Teams
Enterprise leaders increasingly say their organizations are ready for artificial intelligence. The engineers responsible for securing the software behind those systems often disagree.
A new research report from Manifest, a platform focused on software and AI supply chain security, highlights a growing divide between executive perception and operational reality.
The study, titled Beyond the Black Box: How AI Is Forcing a Rethink of the Software Supply Chain, finds that 80 percent of executives believe their organizations are prepared to manage AI risk. Only 40 percent of application security professionals share that view.
The results suggest that many enterprises are moving quickly to integrate AI technologies while governance, visibility, and security oversight lag behind.
AI Adoption Is Outpacing Governance
The research indicates that AI capabilities are entering enterprise environments through a wide range of channels, including internal development, third party integrations, and cloud services. Security teams report that many of these deployments occur without unified inventory systems or consistent policy enforcement.
This disconnect creates a situation where organizations believe they have adequate oversight, yet the teams responsible for reviewing software risk are dealing with fragmented workflows and incomplete visibility into what is actually running in production environments.
One of the clearest signals of this gap is the widespread presence of shadow AI. According to the report, 63 percent of respondents acknowledge that unsanctioned AI tools or services are already in use within their organizations. In many cases these tools bypass existing governance frameworks that were designed for traditional software.
Security teams also report that AI systems are often evaluated outside standard software review processes. Roughly 42 percent of organizations treat AI governance as a separate track rather than integrating it into existing application security and supply chain oversight.
SBOM Adoption Is Growing But Often Underutilized
Software Bills of Materials, commonly known as SBOMs, have become a central concept in modern software supply chain security. Regulators and security leaders promote them as a way to provide transparency into the components that make up modern applications.
The Manifest research shows that adoption is rising, but operational usage remains inconsistent.
About 60 percent of organizations say they generate SBOMs. Yet more than half of those companies do not actively consume or manage that data once it is created. Larger enterprises report higher adoption levels, with roughly 59 percent producing SBOMs compared to about 32 percent among smaller organizations. Analysts attribute the difference largely to regulatory requirements and compliance pressure.
Without operational processes to analyze and act on SBOM data, the documents risk becoming compliance artifacts rather than active security tools.
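As an added illustration of what "consuming" an SBOM means in practice (example code, not from the report or from Manifest), the script below reads a constructed CycloneDX 1.5 JSON document, builds the unified inventory of machine-learning-model components the article calls for, and flags components that carry neither a hash nor a package URL and so cannot be tied to provenance data or advisories. The component names and hash values are made up for the example.

```python
"""Consume a CycloneDX-style SBOM instead of filing it as a compliance artifact."""
import json

# Constructed sample SBOM in the CycloneDX 1.5 JSON shape (not a real product's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},  # placeholder digest
        {"type": "machine-learning-model", "name": "sentiment-classifier",
         "version": "3", "hashes": []},                          # model with no provenance
        {"type": "library", "name": "left-pad", "version": "1.3.0"},  # no hash, no purl
    ],
})


def load_components(sbom_json):
    """Parse the document and return its component list, rejecting non-CycloneDX input."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return doc.get("components", [])


def inventory_ai_components(components):
    """Names of ML model components: the AI inventory that governance decisions depend on."""
    return [c["name"] for c in components if c.get("type") == "machine-learning-model"]


def find_unverifiable(components):
    """Components with no hash and no purl cannot be matched to provenance records or advisories."""
    return [c["name"] for c in components if not c.get("hashes") and not c.get("purl")]


def summarize(sbom_json):
    """Turn the SBOM into something a security team can act on."""
    comps = load_components(sbom_json)
    return {
        "total": len(comps),
        "ai_models": inventory_ai_components(comps),
        "unverifiable": find_unverifiable(comps),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_SBOM), indent=2))
```

Running it on a real SBOM would feed the same two lists into whatever inventory and vendor-risk process the organization already has, which is the step the report finds most organizations skip.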
Security Tools Struggle to Keep Up With AI Driven Development
The report also highlights growing frustration with traditional Software Composition Analysis tools. Around 56 percent of respondents say these tools produce excessive noise and slow down development pipelines. As a result, many engineering teams become skeptical about whether the alerts meaningfully reduce software risk.
This tension reflects a broader shift in how software is built. AI assisted development tools, automated dependency management, and rapid iteration cycles are changing the speed and scale of code creation. Legacy security approaches that depend heavily on manual review or static alerts struggle to keep pace with that velocity.
Transparency Still Delivers Measurable Security Benefits
Despite the challenges, the research identifies clear advantages for organizations that achieve strong supply chain transparency.
Companies that receive verifiable transparency data from software vendors report measurable operational gains. Sixty-four percent say they implement new technologies faster when they have access to trusted information such as SBOMs, provenance records, or signed binaries. Another 61.6 percent report faster resolution of security issues when that data is available.
Organizations without this visibility face what the report describes as a transparency tax. Security teams spend additional time investigating opaque components and tracing dependencies before they can assess risk or approve new deployments.
The Operational Alignment Problem
The findings suggest that the primary challenge is not a lack of security tools. Instead, the report points to an operational alignment issue across engineering, security, and executive leadership.
Fragmented ownership and disconnected workflows make it difficult for organizations to translate security signals into measurable risk reduction. Without a shared system of record for software and AI components, teams struggle to coordinate incident response, vendor risk management, and regulatory compliance.
Daniel Bardenstein, CEO of Manifest, says the research reveals a fundamental disconnect between strategy and execution.
“This report surfaces a hard truth. Executive confidence in AI readiness does not match what AppSec teams are dealing with day to day. Leaders believe governance is in place, but practitioners are seeing unmanaged AI usage, unclear ownership, and blind spots in what is actually running across products and vendors. AI is scaling faster than enterprise visibility and accountability. To close the gap, organizations need operational control, a unified way to inventory AI components, understand how they enter the environment, and enforce consistent decisions across teams. Without that, the disconnect between strategy and execution will continue to widen.”
AI Supply Chain Security Is Becoming a Board Level Issue
As enterprises integrate AI models, training datasets, and third party services into core business systems, the software supply chain becomes more complex and difficult to audit.
Security experts increasingly warn that AI systems introduce new forms of supply chain risk. These include model provenance issues, licensing conflicts, hidden dependencies, and the possibility of compromised datasets or malicious code embedded in open source packages.
For organizations pursuing aggressive AI adoption strategies, closing the readiness gap between leadership and security teams may become a critical requirement. Without improved visibility and governance, the promise of AI driven innovation could introduce new operational and security risks that many enterprises are not yet prepared to manage.