A new report from Black Duck has highlighted changes and uncertainties in the embedded software landscape as organisations accelerate the adoption of artificial intelligence and supply chain transparency measures.
The “State of Embedded Software Quality & Safety 2025” report draws upon a survey of 785 development and security professionals globally, offering an assessment of how embedded software ecosystems are responding to rapid technological transformation.
AI adoption and challenges
According to the findings, artificial intelligence is being rapidly incorporated into embedded software development, with 89.3% of organisations using AI-powered coding assistants and 96.1% integrating open-source AI models into their products. Despite this widespread uptake, 21.1% of respondents reported a lack of confidence in their organisation’s ability to prevent AI-related security vulnerabilities, underscoring a growing gap between technological adoption and governance safeguards.
“The old software world is gone, giving way to a new set of truths being defined by AI. To navigate the changes, technical leaders should carry out rigorous validation on AI assistants. Managers should establish formal AI governance policies and invest in training for emerging technologies. Security professionals should update their threat models to include AI-specific risks and leverage SBOMs as a strategic asset for risk management to achieve true scale application security,” said Jason Schmitt, CEO at Black Duck.
The report identifies the rise of “Shadow AI” as a new challenge, with 18% of organisations noting that developers are using AI tools contrary to company policy. This often-unmonitored use of AI technology is recognised as a security risk that has not yet been widely addressed.
Supply chain transparency
Customer and business partner scrutiny is increasingly influencing supply chain visibility practices. The research indicates that 70.8% of organisations now produce Software Bills of Materials (SBOMs), and while industry regulations remain important, nearly 40% pointed to customer and partner expectations as their primary motivation for producing SBOMs. Only 31.5% cited regulatory requirements as the main factor.
This shift positions transparency as a market-driven imperative rather than just a compliance task, compelling companies to provide visibility into the components and origins of the embedded software used throughout their products and operations.
Changing skills and technologies
The report also highlights a noticeable transition among embedded developers towards memory-safe programming languages. It found that 80.4% of organisations are now adopting such languages, with Python noted as becoming more prevalent than C++ in specific development contexts. This movement reflects both a desire to mitigate certain security risks and a response to evolving industry requirements for developer expertise.
Perceptions of project success
The data points to a significant disconnect between management and technical staff regarding the success of embedded software projects. Survey results show that while 86% of Chief Technology Officers and directors rate their projects as successful, only 56% of hands-on developers agree with that assessment. The divergence suggests differing perspectives on what constitutes success and where challenges remain in the software development lifecycle.
Recommendations for organisations
Based on the findings, Black Duck’s CEO, Jason Schmitt, recommends a coordinated approach by company leadership. Technical leaders are urged to validate AI tools rigorously, managers should formalise AI governance and provide relevant training, and security professionals are advised to update threat models to consider AI-specific vulnerabilities. SBOMs are described as a strategic component of modern risk management strategies.
The report characterises the current period as one where legacy models of embedded software development and oversight are being overtaken by new realities shaped by AI and increased demands for transparency. Data from the survey reflect how companies are adjusting – sometimes unevenly – to these shifts in technology, procedures, and expectations from both within and outside their organisations.