Introduction
Software projects are an invaluable driver of business transformation, but also one of the riskiest investments for many organizations. This year, the software development market continued to grow rapidly, but so did the types and scale of risks teams had to manage: delivery disruptions, technical debt, supply chain disruptions, and rapidly evolving security threats (now amplified by the adoption of AI). This paper examines the most common risks in software development, presents reliable data for 2025, offers practical methods and key performance indicators (KPIs) for risk mitigation, and closes with forecasts and recommendations for 2026–2027.
Quick Takeaways
Only about one-third of IT projects delivered in recent CHAOS analyses meet the classic definition of “successful” (on time, on budget, full scope).
Security incidents remain costly but show early signs of improvement in containment: average breach costs in 2025 fell to about $4.44M, helped by faster detection/containment and wider AI use in security. Yet AI adds governance gaps that increase risk if unmanaged.
DevOps and internal developer platforms plus disciplined metrics (DORA-style) remain among the strongest predictors of lower risk and faster recovery – and the 2025 DORA research examines how AI is reshaping delivery.
Forecast: by 2026–2027, AI-native development platforms and LLM-driven features will be mainstream across many teams (Gartner predicts majority adoption trends through 2027), bringing both productivity gain and new governance/security requirements.
The Risk Landscape: What Organizations Face in 2025
Delivery & project risk
Project outcome studies continue to demonstrate a high rate of problematic projects. Recent CHAOS-style industry surveys indicate that only about 30% of projects are fully successful; the rest either suffer from problems or fail. Large-scale efforts and unclear decision-making processes lead to significantly worse results than smaller, focused initiatives.
Why this matters: Failed or problematic projects lead to direct financial losses, delays in time-to-market, and technical debt, which exacerbates future risks.
Security & data risk
Major breaches in 2025 (and repeated supply chain incidents) clearly demonstrate that security is more than just an add-on. The IBM/Ponemon report, "The Cost of a Data Breach 2025," found that the average cost of a breach globally has decreased to approximately $4.44 million (a decrease from the previous year due to faster detection and containment), while emphasizing that unmanaged AI implementation dramatically increases the risk of a breach. At the same time, high-profile breaches (in the supply chain or by insiders) continue to lead to mass disclosures and business disruptions.
Supply-chain and third-party risk
Supply chain breaches are on the rise: multiple recent surveys and 2025 incident data show that, in some regions and segments, over 60% of organizations reported a supply chain incident in the previous year, making supplier risk a board-level concern. Attackers are increasingly using smaller suppliers as intermediaries to reach their larger customers.
People, process and AI-era risk
AI tools improve delivery productivity and facilitate programming, but a 2025 study (DORA/Google Cloud, "The State of AI-Powered Development in 2025") found that AI also exacerbates team dysfunction if it lacks clear boundaries. Organizations that implemented AI without governance faced increased vulnerability to configuration errors, data breaches, and ineffective decision-making.
Root Causes: Why Risks Keep Appearing
Unclear requirements & shifting scope – scope creep without strong product governance remains the top root cause of delivery failure.
Weak architecture & technical debt – shortcuts early on increase long-term fragility.
Poor test automation and release discipline – infrequent releases and manual processes cause long MTTR and slow feedback loops.
Lax security practices / missing shift-left – security treated as post-release adds detection and remediation costs.
Insufficient vendor governance – no SBOM, poor dependency scanning, or inadequate SLAs.
Talent & decision latency – slow or poor decisions by leadership correlate with worse outcomes. (The latest CHAOS analysis highlights decision latency as a key differentiator.)
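The delivery metrics referred to above (DORA-style deployment frequency, lead time, change failure rate and MTTR) are easy to compute from existing deployment and incident records. The following is an added example, not code from the whitepaper or its authors; the sample records and the target thresholds are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass
class Deployment:
    commit_time: str      # ISO-8601 UTC, when the change was committed
    deploy_time: str      # ISO-8601 UTC, when it reached production
    caused_incident: bool  # True if a production incident was traced to it


@dataclass
class Incident:
    start: str     # ISO-8601 UTC, when service was impaired
    resolved: str  # ISO-8601 UTC, when service was restored


# Constructed sample data for one 28-day period (not real records).
DEPLOYMENTS = [
    Deployment("2025-03-01T08:00", "2025-03-01T12:00", False),
    Deployment("2025-03-03T09:00", "2025-03-04T09:00", True),
    Deployment("2025-03-07T10:00", "2025-03-07T16:00", False),
    Deployment("2025-03-10T08:00", "2025-03-10T20:00", False),
    Deployment("2025-03-14T08:00", "2025-03-15T08:00", False),
    Deployment("2025-03-18T09:00", "2025-03-18T11:00", True),
    Deployment("2025-03-21T08:00", "2025-03-23T08:00", False),
    Deployment("2025-03-25T08:00", "2025-03-25T14:00", False),
]
INCIDENTS = [
    Incident("2025-03-04T10:00", "2025-03-04T13:00"),
    Incident("2025-03-18T12:00", "2025-03-18T17:00"),
]

# Assumed target thresholds; a team would set these from its own baseline.
TARGETS = {"deploys_per_week": 1.0, "median_lead_time_hours": 24.0,
           "change_failure_rate": 0.15, "mttr_hours": 8.0}


def _hours(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def dora_metrics(deployments, incidents, period_days: int) -> dict:
    """Compute the four DORA-style metrics for the given period."""
    n = len(deployments)
    lead_times = [_hours(d.commit_time, d.deploy_time) for d in deployments]
    restore_times = [_hours(i.start, i.resolved) for i in incidents]
    return {
        "deploys_per_week": round(n / (period_days / 7), 2),
        "median_lead_time_hours": round(median(lead_times), 2),
        "change_failure_rate": round(sum(d.caused_incident for d in deployments) / n, 2),
        "mttr_hours": round(sum(restore_times) / len(restore_times), 2) if restore_times else 0.0,
    }


def flag_risks(metrics: dict, targets: dict = TARGETS) -> list:
    """Return the metric names that breach the targets (higher is better only for deploy frequency)."""
    flags = []
    for name, target in targets.items():
        value = metrics[name]
        if (name == "deploys_per_week" and value < target) or (name != "deploys_per_week" and value > target):
            flags.append(name)
    return flags
```

Run over the sample period, this reports two deployments per week, a 9-hour median lead time, a 25% change failure rate and a 4-hour MTTR, so only the change failure rate breaches the assumed targets.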
More in our whitepaper: https://instandart.com/whitepapers-reports/how-to-minimize-risks-in-software-development/