AI Agents Are Writing Code Faster Than Humans Can Review It. Cloudsmith Raised $72 Million to Govern What Gets Shipped.

A question that did not exist five years ago is now one of the most urgent in enterprise software security: when an AI agent writes your code, how do you know whether it is safe to ship?
The answer is not obvious. AI coding agents, from GitHub Copilot to Cursor to Factory's Droids to OpenAI Codex, generate software at a pace and volume that fundamentally exceeds what human reviewers can inspect line by line. When Nvidia's Jensen Huang tells 10,000 employees to use Codex and calls it lightspeed, he is describing a productivity gain that simultaneously creates a governance problem. Every line of AI‑generated code introduces dependencies, packages, and software artifacts that must be managed, verified, and secured before they reach production. The artifact management layer, the infrastructure that tracks and controls every software component moving through an enterprise's development pipeline, has quietly become the most critical unresolved security challenge of the AI coding era.
Cloudsmith, the Belfast, Northern Ireland‑based platform founded in 2016 by Lee Skillen and Alan Carson, has spent nearly a decade building the answer to this problem. On April 23, 2026, the company announced a $72 million Series C financing led by TCV, with participation from Insight Partners and other existing investors. Total funding raised now stands at $124 million. The round arrives exactly one year after Cloudsmith's $23 million Series B, and the fact that TCV led both rounds is the most commercially significant signal in the announcement.
Glenn Weinstein, formerly Chief Customer Officer at Twilio and now CEO of Cloudsmith, described the problem with characteristic directness: "AI agents generate so much software, so fast, it's nearly impossible for humans to carefully review it all. Cloudsmith has the scale, and the broad view across the open‑source ecosystem, to protect enterprises against the new kinds of threats that AI‑driven development introduces. TCV and Insight Partners both recognise this profound shift, and their backing is helping Cloudsmith scale up for the massive wave of adoption of AI agents across enterprise software teams."
What Cloudsmith does, stated plainly, is manage the artifacts that software development produces and depends on:
- Software packages and libraries that applications import and build on top of.
- Container images used to deploy applications across cloud environments.
- Binary files and compiled assets produced during the build process.
- Internal packages and dependencies shared between teams inside an enterprise.
- Third‑party dependencies ingested from the open‑source ecosystem.
Every one of these artifact types introduces risk. An open‑source dependency can be compromised after a development team has already trusted and ingested it, a pattern known as a supply chain attack that has become one of the most consequential cybersecurity threats of the past three years. AI‑generated code can introduce novel vulnerability patterns that existing static analysis tools were not built to detect. Regulators across the EU and US are increasingly requiring enterprises to demonstrate that their software is "secure by design", with documented provenance for every component in production.
Cloudsmith's platform automatically detects vulnerabilities and malicious code within packages, applies policy controls to govern which packages are allowed to flow through the development pipeline, and provides the kind of audit trail that compliance teams need to respond to regulatory inquiries about software provenance. The system is cloud‑native from its architectural foundation, which matters operationally: legacy artifact management tools like JFrog Artifactory and Sonatype Nexus were designed for on‑premises deployment in a world where AI coding agents did not exist and software supply chains were orders of magnitude smaller.
The commercial growth that justified a $72 million Series C one year after a $23 million Series B is consistent across all available signals. The Series B press release noted nearly 150 percent year‑over‑year growth. Fortune 500 and Global 2000 companies are actively switching from legacy platforms to Cloudsmith's cloud‑native infrastructure. Approximately 75 percent of Cloudsmith's revenue at the time of the Series B came from US‑based enterprises, despite the company being headquartered in Belfast, a commercial profile that positions Cloudsmith as one of Northern Ireland's most significant software export stories.
TCV Partner Morgan Gerlak described the investment conviction with precision: "Cloudsmith is uniquely positioned to become a platform enterprises rely on for compliance, control, and security at global scale." Insight Partners Managing Director Thomas Krane echoed the thesis directly: "In an era increasingly defined by AI‑driven development, securing the software supply chain is critical. As a cloud‑native offering, Cloudsmith is well positioned to help power enterprise and AI‑driven builds and mitigate emerging risks."
The Series C, three times the size of the Series B, signals that both the customer base and the average contract size have expanded materially in the intervening twelve months. The capital will be deployed to accelerate product development and expand go‑to‑market capabilities, with particular emphasis on the enterprise segment where the volume of AI‑generated software artifacts is growing fastest and the compliance requirements are most stringent.
For enterprise CISOs and platform engineering leaders evaluating their software supply chain security posture in 2026, Cloudsmith's raise confirms what operational reality has been signaling for months: artifact management is no longer a developer productivity tool. It is security infrastructure, and it needs to be treated as such.
More at cloudsmith.com





