The Gartner Security & Risk Management Summit is where CISO-level thinking gets set for the year. Less hands-on than Black Hat or KubeCon, more strategic than RSA, the SRM Summit tends to produce the frameworks, vocabulary, and priorities that get built into enterprise security roadmaps over the following twelve months. The 2025 edition was no exception.
For practitioners working on software supply chain, the summit was especially consequential. Analyst sessions, the Magic Quadrant conversations on the Expo floor, and the CISO hallway discussions all reflected a maturation of how large organizations are thinking about third-party software risk — and how they are beginning to measure whether their investments in this area are actually working.
Here is the analyst view of the themes that defined the summit and what they mean for security leaders building 2026 plans.
What were Gartner's headline themes for 2025?
Three kept surfacing across keynotes and track sessions: AI governance as a CISO responsibility, continuous exposure management as an operational model, and the ongoing shift from point tools to integrated platforms.
The AI governance thread was unavoidable. Analyst sessions and keynote coverage repeatedly framed AI adoption as a topic that security leaders cannot delegate — the risk surface is too broad, the pace too fast, and the regulatory environment too active. Supply chain came up repeatedly as the surface where AI governance becomes concrete: what coding assistants are your developers using, what models are in your products, and how do you demonstrate to auditors and customers that you have control over both.
Continuous threat exposure management (CTEM) continued to be a recurring framework. The message — that traditional vulnerability management is not fit for purpose in modern environments, and that security teams need to move toward prioritized, ongoing remediation of validated exposures — is now several years old but had a notable influence on how vendors were positioned at the summit. Almost everyone on the Expo floor referenced CTEM or similar exposure-centric language in their messaging.
The consolidation thread — enterprises buying platforms rather than point tools — was a constant undercurrent. Gartner's public coverage of security tool rationalization resonated strongly with CISOs in attendance, many of whom are actively consolidating their vendor roster and looking for reasons to eliminate redundant tooling.
How is software supply chain risk being framed at the CISO level?
As a governance discipline rather than a technical domain. The most consistent signal from the summit was that CISOs are increasingly treating software supply chain as a top-level risk category — on par with identity, cloud, and endpoint — and are structuring their programs accordingly.
This reframing shows up in several concrete ways. Reporting structures are changing: where supply chain security was often buried inside application security, it is increasingly its own function with a dedicated leader. Metrics are changing: CISOs are tracking exposure to upstream incidents, time to respond to disclosed vulnerabilities in critical dependencies, and the fraction of software in production with complete SBOMs. Budget conversations are changing: supply chain security is no longer competing for a slice of the AppSec budget; it is increasingly a line item of its own.
The Gartner analyst guidance reinforces this direction. Sessions on third-party cyber risk management, software bill of materials requirements, and vendor consolidation all treated supply chain as foundational rather than peripheral. The message to CISOs was direct: if you cannot answer basic questions about what is in your software, where it came from, and how you would detect a compromised component, you are not managing one of the most material risks to your organization.
What did sessions on AI and the supply chain emphasize?
That AI raises both the complexity and the urgency of supply chain governance. Several analyst sessions and vendor-led panels drilled into specific sub-topics: securing AI models as software supply chain components, governing AI coding assistants in regulated enterprises, and handling AI-driven pull requests in the SDLC.
The guidance that emerged had a few consistent elements. Treat models as supply chain artifacts — know their provenance, their training data lineage where possible, and their known risks. Treat coding assistants as third parties — evaluate their security posture, understand what data they receive and emit, and govern the outputs they produce. Treat AI-generated code as untrusted input — apply the same review, testing, and policy controls you would for any other change, and maintain an audit trail of accepted and rejected suggestions.
The practical challenge is that most organizations are behind on this. The pace of AI adoption inside engineering organizations has outrun the pace of governance, and CISOs at the summit were candid about the gap. The sessions that drew the largest audiences were the ones offering concrete frameworks for closing it — not the ones describing the problem in theoretical terms.
How did Gartner frame measuring supply chain security effectiveness?
In terms of outcomes rather than activities. This was one of the subtler but more consequential themes of the summit. Analyst sessions and attendee discussions repeatedly emphasized that CISOs are being pushed — by boards, auditors, and customers — to move past activity metrics (how many scans ran, how many CVEs were surfaced) toward outcome metrics (how much reachable risk was reduced, how quickly material exposures were remediated, how measurably the attack surface changed).
This shift is harder than it sounds. Activity metrics are easy to collect; outcome metrics require reasoning about what actually matters. The Gartner guidance, and the practitioner sessions that reinforced it, pointed toward a short list of concrete metrics: the number of critical, reachable vulnerabilities in production code; mean time to remediate validated exposures; the fraction of the software estate with complete and verified SBOMs; the percentage of dependencies covered by maintained, trusted sources. These are not new metrics, but the consensus that they are the right metrics was sharper at SRM 2025 than in previous years.
The implication for security leaders is that the tooling landscape matters. Measuring outcomes requires tooling that can distinguish reachable from theoretical, validated from noise, and material from background — which in turn requires capabilities like reachability analysis, provenance verification, and VEX consumption to be operationally available, not just marketing claims.
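As an added illustration of the activity-versus-outcome distinction above (a constructed example, not Safeguard.sh code or Gartner material), the following script reduces a small, made-up set of dependency findings annotated with reachability and VEX status to the metrics the summit guidance named; the CVE ids, service names and timestamps are placeholders.

```python
"""Activity metrics vs. outcome metrics for a supply chain program (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

@dataclass
class Finding:
    cve: str                     # placeholder ids, not real CVEs
    service: str
    severity: str                # critical | high | medium | low
    reachable: bool              # verdict of reachability analysis
    vex_status: str              # affected | not_affected | fixed | under_investigation
    disclosed: datetime
    remediated: Optional[datetime] = None

@dataclass
class Service:
    name: str
    sbom_verified: bool          # complete SBOM with verified provenance

def is_material(f: Finding) -> bool:
    """Reachable and confirmed affected (or confirmed then fixed). VEX
    not_affected / under_investigation findings are noise for outcome metrics."""
    return f.reachable and f.vex_status in ("affected", "fixed")

def activity_metrics(findings):
    # What scanners report by default: raw counts, regardless of exploitability.
    return {"cves_surfaced": len(findings),
            "critical_surfaced": sum(f.severity == "critical" for f in findings)}

def outcome_metrics(findings, services):
    material = [f for f in findings if is_material(f)]
    open_critical = [f for f in material if f.severity == "critical" and f.remediated is None]
    closed = [f for f in material if f.remediated is not None]
    hours = [(f.remediated - f.disclosed) / timedelta(hours=1) for f in closed]
    return {"open_critical_reachable": len(open_critical),          # what is still exposed
            "mttr_hours": mean(hours) if hours else None,           # mean time to remediate validated exposures
            "sbom_coverage": round(sum(s.sbom_verified for s in services) / len(services), 2)}

# Constructed sample data.
T0 = datetime(2025, 6, 1)
SERVICES = [Service("api", True), Service("worker", True), Service("legacy-batch", False), Service("web", True)]
FINDINGS = [
    Finding("CVE-0000-0001", "api", "critical", True, "affected", T0),
    Finding("CVE-0000-0002", "api", "critical", False, "not_affected", T0),  # vulnerable function never called
    Finding("CVE-0000-0003", "worker", "high", True, "fixed", T0, T0 + timedelta(hours=36)),
    Finding("CVE-0000-0004", "web", "critical", True, "fixed", T0, T0 + timedelta(hours=12)),
    Finding("CVE-0000-0005", "web", "medium", True, "under_investigation", T0),
    Finding("CVE-0000-0006", "legacy-batch", "critical", False, "not_affected", T0),
]

if __name__ == "__main__":
    print(activity_metrics(FINDINGS))          # 6 CVEs, 4 critical
    print(outcome_metrics(FINDINGS, SERVICES)) # 1 open reachable critical, 24h MTTR, 75% SBOM coverage
```

The gap between the two dictionaries is the point: four "critical" findings on the activity side collapse to one material open exposure on the outcome side, and only the latter tells a board whether risk actually moved.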
What did the Magic Quadrant conversations look like?
Engaged and sometimes impassioned. The Magic Quadrants and Market Guides that touch supply chain security — application security testing, software composition analysis, CNAPP, and related categories — remain reference points that CISOs take seriously, and the floor conversations reflected that.
The patterns that emerged in hallway discussions: leaders' positions are increasingly contested, as vendors converge on similar feature sets and the differentiation moves toward execution quality. Challengers and visionaries are getting more attention from buyers willing to trade the safety of an incumbent for depth of capability. And the ongoing consolidation of the space — SCA vendors becoming CNAPP vendors, CNAPP vendors acquiring SBOM tooling, ASPM platforms absorbing adjacent categories — is making it harder to compare products apples-to-apples.
For CISOs evaluating tooling, the practical takeaway is that the Magic Quadrant is a starting point, not an answer. The useful work happens in structured POCs that test specific capabilities — reachability quality, policy granularity, integration depth — against your actual environment, not in vendor demos.
What should CISOs take back to their organizations?
Three priorities. First, make supply chain security a named function, not a subset of AppSec. The risk surface is too large and the regulatory attention too direct for it to remain a secondary responsibility. A named owner, a defined metric set, and a clear roadmap are the minimum viable governance structure.
Second, build the capability to measure outcomes. If your current program reports activity numbers — scans completed, CVEs surfaced, tickets opened — that is not enough anymore. Invest in the tooling and process that let you report on how much reachable, material risk actually got reduced, and at what cost.
Third, align AI governance and supply chain governance under the same framework. They are already converging in practice. Teams that keep them as separate tracks end up with inconsistent policy, duplicated tooling, and gaps that attackers will find before your auditors do. The organizations that handled this integration early are the ones whose 2026 plans looked sustainable at the summit.
How Safeguard.sh Helps
Safeguard.sh is built to give CISOs the operational capability that Gartner's 2025 guidance calls for. Our reachability engine produces the outcome-focused metrics that boards and auditors increasingly expect — not how many CVEs were surfaced, but how many reachable, material exposures were remediated and how quickly. Our SBOM, VEX, and provenance capabilities provide the raw artifacts for regulatory compliance and third-party risk management, while our policy framework allows a single control plane to govern both human-authored and AI-generated changes. For security leaders translating Gartner themes into 2026 program plans, Safeguard.sh is the platform layer that makes "outcome-based supply chain risk management" an operational reality rather than a slide in a roadmap deck.