Software supply chains are under unprecedented pressure—from dependency risk and regulatory scrutiny to the coming impact of post-quantum cryptography (PQC). Yet many organizations report that their security programs are already where they need to be (or nearly there). 

DigiCert’s State of Software Supply Chain Security 2026 report reveals a very different reality. 

While almost half of organizations classify their programs as “established” or “optimizing,” automation, code signing, SBOM adoption, audit readiness, and cryptographic preparedness remain uneven.

The result is clear: Critical blind spots persist across software supply chains, where foundational controls remain inconsistent, manual, or incomplete. In a threat landscape defined by dependency risk, regulatory scrutiny, and emerging cryptographic disruption, perception is no substitute for proof.  

When “established” doesn’t mean automated

84% of surveyed organizations say they’ve established or are developing a comprehensive program for software supply chain security. Nearly half describe their maturity as “established” or “optimizing.” 

But when we look at measurable indicators of maturity, the picture shifts. Only: 

• 13% fully automate code signing  
• 13% fully automate security checks in CI/CD pipelines  
• 11% actively provide software bills of materials (SBOMs) today  
• 17% always sign their SBOMs  
• 12% always sign container images  

If automation, cryptographic signing, and artifact integrity are core pillars of modern software supply chain security, then many “advanced” programs still rely heavily on partial automation or ad-hoc controls. 

That gap matters. Partial automation creates uneven enforcement, leaving some pipelines protected and others exposed. Risk becomes asymmetric, and attackers look for the weakest link. 

Integrity gaps: SBOMs, automation, and post-quantum readiness

If these blind spots share a common thread, it’s this: Integrity controls aren’t keeping pace with expectations. And in many cases, neither are the policies that enforce them. 

SBOM requirements are accelerating, but readiness is uneven. Only a small percentage of organizations actively provide SBOMs today, even as many expect requirements soon. For those already facing mandates, implementation is still underway, often slowed by challenges around accuracy, tool integration, and automation in CI/CD. 

And even when SBOMs are generated, they’re not consistently signed. An unsigned SBOM is an assertion. A signed SBOM is proof. If software provenance and tamper evidence matter, signing must become a defined and enforced release requirement, not an optional step. 

The same gap appears in automation and signing practices. Many organizations still rely on partial or ad-hoc automation, even as container use and CI/CD velocity increase. Development has modernized; integrity enforcement often hasn’t. 

True software supply chain security maturity requires moving from selective controls to systemic ones: 

• Define and enforce formal code signing policies before scaling automation 
• Automate security checks and signing across all pipelines 
• Secure private keys in HSMs or managed KMS platforms 
• Sign binaries, containers, and SBOMs by default 

Finally, there’s the PQC blind spot. Regulatory timelines are approaching, yet most organizations haven’t meaningfully begun preparation. Migrating to quantum-safe algorithms requires cryptographic inventory, testing, and roadmap planning, work that cannot be compressed at the last minute. 

Mature organizations don’t wait for mandates. They formalize policy, automate comprehensively, and build cryptographic agility into their foundations. Because in modern software supply chains, integrity must be consistent, provable, and future-ready. 

What these blind spots reveal

The blind spots in the software supply chain are about misalignment, not failure.

Organizations understand the importance of software supply chain security. They’re investing in policy, governance, and vulnerability management. But automation, cryptographic enforcement, SBOM integrity, and PQC readiness PQC readiness have not kept pace with execution.

In cybersecurity, what matters isn’t what’s planned—it’s what’s consistently enforced through:

• Consistency
• Automation coverage
• Cryptographic enforcement
• Audit confidence
• Future readiness

Confidence without measurable execution creates blind spots.

Execution without automation creates friction. And delay, especially in cryptographic transitions, creates compressed timelines and unnecessary risk.

The organizations that close the maturity gap will be those that treat signing as non-negotiable, automation as foundational, and future-proofing as urgent, not optional.

The path forward is clear. But it requires moving beyond perception to enforceable control, consistent visibility and measurable execution.