
Australia Leads the World in Self-Hosted AI…So Why Is Our Security Still Lagging?

What happens when a country adopts AI faster than almost any nation on earth, but secures it more slowly? Australia is about to find out. We lead the world in self-hosting AI models, yet we trail on the basics that keep them safe.

JFrog's 2026 Software Supply Chain Security report lays out the split: Australia is racing ahead on adoption while falling behind on the security fundamentals, and the global numbers show the same gap.

  • #1 globally for self-hosting AI models — Australian organisations run their own models in-house more than any other country, keeping data and infrastructure under their own control.

  • #1 globally for blocking unapproved developer tools — we're also the strictest at stopping unsanctioned tools from sneaking into the development pipeline.

But the basics that keep all that AI safe haven't kept up.

  • Only 38% have adopted secrets detection — most organisations still aren't scanning their own codebases for exposed credentials like passwords and API keys.

  • Malicious open-source packages surged 451% in a year — the volume of deliberately poisoned code circulating in public libraries has more than quadrupled, so every dependency you pull in carries more risk than it did a year ago.

  • 97% claim AI governance, but 53% still pull from public registries — almost everyone says they have AI rules in place, yet over half still download models from public sources where malicious payloads have already been found, meaning the governance often isn't matched by safe practice.
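Secrets detection, the 38% item above, means scanning your own codebase for credentials that should never have been committed. The following is an added example written for this page; it is not from the JFrog report or any Lumara tooling. It shows the two layers a practical scanner needs: format-specific rules for well-known token shapes, plus a generic "credential-looking variable assigned a quoted literal" rule with placeholder and environment-variable references suppressed so the output is not all noise. Findings are reported with a masked preview and the value's Shannon entropy. The sample file contents, paths and token values are constructed for the illustration (the two AWS values are the placeholder credentials AWS uses in its own documentation).

```python
import math
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    rule: str
    path: str
    line_no: int
    preview: str    # masked value: the report must never echo the full secret
    entropy: float  # Shannon entropy of the value in bits per character


# Format-specific rules run first. Token shapes here are the documented public
# formats (AWS access key IDs, GitHub classic personal access tokens).
SPECIFIC_RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("github-pat", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b")),
]

# Generic fallback: a variable whose name suggests a credential, assigned a quoted
# literal of at least 6 characters. No \b before the keyword, so names such as
# AWS_SECRET_ACCESS_KEY still match.
GENERIC_RULE = (
    "generic-credential-assignment",
    re.compile(r"(?i)(?:password|passwd|secret|token|api_key)\w*\s*[:=]\s*[\"']([^\"']{6,})[\"']"),
)

# Substrings that mark a value as a placeholder or an indirection, not a secret.
PLACEHOLDER_MARKERS = ("${", "<", ">", "changeme", "xxxx")


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; low values hint at weak or dummy secrets."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def mask(value: str) -> str:
    """Keep a 4-character prefix for triage and hide the rest."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 4)


def looks_like_placeholder(value: str) -> bool:
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def scan_line(path: str, line_no: int, line: str) -> List[Finding]:
    findings: List[Finding] = []
    seen = set()  # values already reported by a specific rule on this line
    for rule, pattern in SPECIFIC_RULES:
        for match in pattern.finditer(line):
            value = match.group(1)
            seen.add(value)
            findings.append(Finding(rule, path, line_no, mask(value), round(shannon_entropy(value), 2)))
    rule, pattern = GENERIC_RULE
    for match in pattern.finditer(line):
        value = match.group(1)
        if value in seen or looks_like_placeholder(value):
            continue
        findings.append(Finding(rule, path, line_no, mask(value), round(shannon_entropy(value), 2)))
    return findings


def scan_repository(files: Dict[str, List[str]]) -> List[Finding]:
    """files maps a path to its lines; in practice this would walk a checkout."""
    return [f for path, lines in files.items()
            for i, line in enumerate(lines, start=1)
            for f in scan_line(path, i, line)]


# Constructed sample repository for the demonstration. The AWS values are the
# placeholder credentials AWS uses in its own documentation; the rest are made up.
SAMPLE_FILES = {
    "config/settings.py": [
        'DB_PASSWORD = "hunter2"',
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
        'password = os.environ["DB_PASSWORD"]',   # indirection, not a literal
        'API_TOKEN = "${API_TOKEN}"',              # template placeholder
    ],
    "src/app.py": [
        'LOG_FORMAT = "%(asctime)s %(levelname)s %(message)s"',
        'github_token = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"',
    ],
}

if __name__ == "__main__":
    for f in scan_repository(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.preview} (entropy {f.entropy} bits/char)")
```

Run as a script it reports four findings: the weak database password, the AWS key ID, the AWS secret (caught by the generic rule via its variable name) and the GitHub token; the `os.environ` lookup and the `${API_TOKEN}` template are correctly left alone. Wiring something like this into a pre-commit hook or CI step is the cheapest way to close the "38% adoption" gap, and reporting masked values keeps the scanner's own output from becoming a second place the secret leaks.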

So the perimeter has moved. It's no longer just the code your team writes or the libraries they import; it's the AI models, agent tooling, and developer infrastructure now flooding into your environment, most of it faster than anyone can govern it.

(Join our monthly catch-up at Cyber Coffee on Wednesday 24 June, 9:30am or 4:30pm AEST. This month we’re chatting about keeping up when AI and new tools arrive faster than you can secure them, plus the latest from the SOC desk. ☕)


Speed Without Visibility Is Just Exposure

This isn't an argument against moving quickly. The organisations in that research are right to adopt AI at pace. The risk lives in the gap between how fast new software enters your environment and how fast you can see, assess, and secure it.

Australia is already a target. The Australian Signals Directorate's Annual Cyber Threat Report 2024-25 records that the ASD responded to more than 1,200 incidents, up 11 percent, and notified organisations of malicious activity more than 1,700 times, up 83 percent on the year before. The window between a vulnerability being disclosed and being actively exploited is now measured in days.

Every new model, package, and tool is another set of potential vulnerabilities and exposed secrets. Adoption is racing ahead. The only question that counts is whether your ability to find and fix what matters is keeping up.


The Real Problem Is the Backlog, Not the Scan

Most organisations aren't short on vulnerability data. They're buried in it, and the traditional model breaks down in three predictable ways:

  • Scan and forget. A point-in-time report ages the moment it's generated. New assets, new dependencies, and new CVEs land every day.

  • Alert fatigue. When everything's flagged critical, nothing is. Teams burn hours triaging noise instead of closing real exposure.

  • Compliance pressure. The ACSC's Essential Eight expects continuous patching and evidence, not an annual snapshot.

The result is a backlog no amount of scanning clears on its own, now stretched across an attack surface AI is expanding by the week.



You Can't Fix What You Can't See

Building a continuous, risk-based vulnerability management capability in-house is out of reach for most Australian organisations. The tooling is expensive, the specialists are scarce, and the work never stops. Lumara Immunity gives you that capability without standing up the team yourself.

It's our managed vulnerability management service inside the Lumara SecOps Cloud platform: a continuous cycle of assessment and prioritised remediation, run with expert oversight from our Australian security team. Find your vulnerabilities, fix them fast.

What Immunity does:

  • Continuous asset discovery. Automatically scans your whole environment, from endpoints and servers to cloud workloads and network devices, for known vulnerabilities, misconfigurations, and weaknesses across every asset type.

  • Risk-based prioritisation. Not all vulnerabilities are equal. Immunity ranks them on real-world exploitability, active threat intelligence, asset criticality, and business impact, so you fix the right things first.

  • Automated patch orchestration. Deploys patches and configuration changes at scale, cutting your mean time to remediate and shrinking the window of exposure.

  • Essential Eight alignment. Maps the program to the ACSC's Essential Eight, so you meet your patching obligations, lift your maturity level, and can show compliance to stakeholders.

  • Cloud and container scanning. Feeds vulnerability data into the Lumara Fabric intelligence layer, correlating known weaknesses with active attack attempts in real time.

  • Remediation workflow management. Our SOC analysts report on your posture, track the trend over time, and guide the ongoing hardening and risk-reduction program.
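The prioritisation bullet above names four inputs: real-world exploitability, active threat intelligence, asset criticality and business impact. The following is an added example written for this page, not Lumara Immunity's actual scoring, of how those inputs can be combined so that the "everything is critical" ordering behind alert fatigue is replaced by one where a mid-severity flaw being exploited on an internet-facing crown-jewel asset outranks an unexploited CVSS 9.8 on an isolated lab VM. The weights, the remediation bands, the CVE identifiers and the host names are all constructed placeholders.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Vuln:
    cve: str                # placeholder identifiers below, not real CVE numbers
    asset: str
    cvss: float             # CVSS base score, 0.0 to 10.0
    known_exploited: bool   # listed in a known-exploited-vulnerabilities feed
    exploit_public: bool    # public exploit code exists, no confirmed exploitation
    internet_facing: bool   # reachable from the internet
    asset_criticality: int  # business impact tier, 1 (lab) to 5 (crown jewel)


def risk_score(v: Vuln) -> float:
    """Combine severity, exploitability, exposure and business impact.

    Weights are illustrative. The shape matters more than the numbers: active
    exploitation and exposure multiply the baseline rather than add to it, so a
    mid-severity flaw that is being exploited on an exposed critical asset
    climbs past an unexploited critical-severity flaw on an isolated box.
    """
    score = v.cvss / 10.0                     # severity baseline, 0..1
    if v.known_exploited:                     # threat intelligence: in the wild
        score *= 2.0
    elif v.exploit_public:                    # exploitability: weaponised
        score *= 1.5
    if v.internet_facing:                     # exposure
        score *= 1.5
    score *= v.asset_criticality / 3.0        # business impact, tier 3 = neutral
    return round(score, 3)


def remediation_window_days(score: float) -> int:
    """Map a score to a target fix window; bands are illustrative, not a standard."""
    if score >= 2.0:
        return 2
    if score >= 1.0:
        return 14
    return 30


def prioritise(vulns: List[Vuln]) -> List[Vuln]:
    """Highest risk first; CVSS breaks ties."""
    return sorted(vulns, key=lambda v: (risk_score(v), v.cvss), reverse=True)


def cvss_only(vulns: List[Vuln]) -> List[Vuln]:
    """The 'highest CVSS first' ordering that produces alert fatigue."""
    return sorted(vulns, key=lambda v: v.cvss, reverse=True)


# Constructed backlog. Identifiers and hosts are placeholders.
BACKLOG = [
    Vuln("CVE-XXXX-0001", "dev-vm-17",  9.8, False, False, False, 1),
    Vuln("CVE-XXXX-0002", "vpn-gw-01",  7.2, True,  True,  True,  5),
    Vuln("CVE-XXXX-0003", "payroll-db", 6.5, False, True,  False, 5),
    Vuln("CVE-XXXX-0004", "kiosk-03",   9.1, True,  False, False, 2),
]

if __name__ == "__main__":
    print("CVSS-only order:", [v.cve for v in cvss_only(BACKLOG)])
    for v in prioritise(BACKLOG):
        s = risk_score(v)
        print(f"{v.cve} on {v.asset}: cvss={v.cvss} score={s} "
              f"fix within {remediation_window_days(s)} days")
```

On this backlog a CVSS-only queue starts with the isolated dev VM; the risk-based queue starts with the exploited, exposed VPN gateway and pushes the dev VM to the bottom with a 30-day window. The multiplicative shape is the point: it is what lets a service with a short disclosure-to-exploitation window jump the queue without the rest of the backlog being relabelled "critical" and ignored.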

The difference is who stands behind it. A scanner hands you a list. Our sovereign, Australian-based 24/7 SOC validates what's real in your environment, drives the fix through to done, and turns your posture into reporting your board and insurer accept. It's managed, it's measurable, and it fits the stack you already run. No rip-and-replace.


Can You See and Fix What Matters Today?

If you're not sure, it's time to act. Request your free vulnerability scan and we'll give you a clear, prioritised picture of your exposure, a practical plan to close your most critical risks first, and a straight answer on how Lumara Immunity fits the stack you already run.

Don't wait for the next disclosed CVE, failed audit, or breach to expose the gap. Get in touch and we'll show you exactly what Lumara can do for your business.

Or come along to Cyber Coffee on Wednesday 24 June at 9:30am or 4:30pm AEST. We'll talk about keeping up when AI and new tools arrive faster than anyone can secure them, plus everything else on the SOC desk this month. ☕

Australia is secure when
Australian talent defends it.

Reach out today to discuss how, with Lumara, we can work together to protect your business from the ever-changing Australian threat landscape.
