10 Tough AI Questions for the 2026 Public-Sector CIO

With AI taking the top spot for 2026 government CIO priorities, what are the next-level questions that leaders must focus on regarding AI projects and trends in the new year?  

For the first time in more than a decade, cybersecurity and risk management are not the top priority for state chief information officers and other technology leaders across the country.

The new list of top National Association of State CIOs (NASCIO) priorities for 2026 includes:
  1. Artificial Intelligence
  2. Cybersecurity and Risk Management
  3. Budget/Cost Control/Fiscal Management
  4. Modernization
  5. Digital Government/Digital Services
  6. Accessibility
  7. Identity and Access Management
  8. Data Management and Analytics
  9. Consolidation/Optimization
  10. Cloud Services

DEEPER DIVE


GovTech covered the NASCIO top priority list when it came out last month, and you can read that analysis here.

You can see Gartner's Top Tech Trends for 2026 in this video:

You can read much more about AI and cybersecurity in my year-end piece on how cybersecurity has now crossed the AI Rubicon. I explain in this piece that “'Crossing the Rubicon' means passing a point of no return. The idiom comes from Julius Caesar illegally leading his army across the river Rubicon in 49 B.C., an act that sparked the Roman civil war and ultimately made him dictator for life.”

Also, for context looking forward, see my two-part series on The Top 26 Predictions for 2026:
The Top 26 Security Predictions for 2026 (Part 1)
The Top 26 Security Predictions for 2026 (Part 2)

GETTING TOUGHER ON AI


But in this blog, I want to offer you some deeper questions that need to be asked of your teams, vendor partners and others about AI and where it is going in your organization.

So here are my top 10 "tough" questions for AI projects and priorities:

1. The "Agentic" Responsibility Question: "As we deploy autonomous AI agents to handle citizen services, who is legally and ethically accountable when an agent makes an unauthorized decision or leaks sensitive data?"
Gartner predicts a surge in agentic AI — AI that doesn't just suggest but acts. For government, this creates a "black box" accountability gap. You must decide if your current governance frameworks can handle a machine making real-time decisions without a human "in the loop."

2. The Identity Authenticity Crisis Question: "How do we maintain 'Trust in the Citizen' when deepfakes can now bypass our existing voice and video authentication systems?"
My annual report highlights that deepfakes and synthetic media will hit a turning point in 2026. If a "citizen" calls a state agency to change benefits or a "director" orders a wire transfer via video call, your current multifactor authentication may be insufficient. Is your team ready to move toward behavioral biometrics?

3. The "Shadow AI" Visibility Gap Question: "Do we actually know which 'free' AI tools our staff are using to summarize confidential legislative memos or write sensitive code?"
"Shadow AI" (employees using unauthorized AI tools) is cited as a top threat for 2026. In a government setting, this isn't just a policy violation; it's a potential violation of open records laws and national security. How will you regain visibility without stifling the productivity gains staff are seeing?

4. The Quantum "Harvest Now, Decrypt Later" Threat Question: "Which of our high-value data sets (Social Security numbers, health records) are currently being 'harvested' by adversaries to be decrypted once quantum computing arrives?"
Industry expert reports predict that "Q-Day" (the point when quantum computers can break encryption) moves from a theoretical worry to a strategic priority in 2026. Even if the tech isn't fully here, the data being stolen today is at risk. What is your road map for post-quantum cryptography?

5. The Workforce "Hollow Middle" Problem Question: "As AI automates entry-level 'Tier 1' security tasks, how are we training the next generation of senior leaders if the bottom rungs of the career ladder are gone?"
A paradox for 2026: AI helps small teams do more, but it eliminates the "learning" jobs for new graduates. CIOs must answer how they will build a talent pipeline when the "entry-level" work is now done by an algorithm.

6. The Supply Chain "Service" Pivot Question: "We’ve secured our software, but have we secured the service supply chain — the third-party consultants and SaaS platforms that have 'God-mode' access to our data?"
Predictions suggest a shift from targeting software vulnerabilities to targeting software-as-a-service app permissions. If your cloud-based HR or finance platform is compromised, the "blast radius" is your entire agency. How frequently are you auditing the permissions granted to your vendors?

7. The Resilience vs. Recovery Benchmark Question: "Can our agency continue to provide critical public services during a 48-hour total system outage, or is our strategy purely focused on 'restoring from backup'?"
Gartner emphasizes that cyber resilience is different from recovery. For government, "success" in 2026 is measured by the ability to operate during an attack. Have you conducted "offline" drills for your most critical citizen-facing functions?

8. The Machine Identity Explosion Question: "We have a plan for user passwords, but do we have a plan for the 10,000 'machine identities' (IoT devices, AI bots, APIs) that now outnumber our human employees?"
Machine identities are expanding the attack surface exponentially. Most government agencies lack a centralized way to manage the credentials used by bots and IoT sensors. Who owns "Machine IAM" in your organization? What are you doing about identity management and system access in 2026?

9. The Budgetary "AI Tax" Question: "Are we prepared to reallocate 20 percent of our general IT budget to 'AI security' just to maintain our current risk posture?"
As cyber crime becomes a "corporate-class business," the cost of defense is rising. You will likely face a choice: fund new digital services or fund the AI-driven security needed to protect them. How will you defend this "security tax" to the board or legislature?

10. The Geopolitical Sovereign Cloud Question: "In the event of a major geopolitical conflict, can our digital infrastructure remain functional if we are cut off from global public cloud providers?"
Gartner notes a trend toward "geopatriation" — moving workloads back to sovereign or regional infrastructure. For government, the risk of depending on a single global cloud provider is now a matter of national and state security. Is "digital sovereignty" part of your 2026 cloud strategy? What else are we doing to secure our cloud infrastructure against AI attacks?

FINAL THOUGHTS


OK, so we all agree that AI is the No. 1 priority for 2026. But what does that really mean?

Just as saying “health is important” is not enough to address specific health problems or take advantage of new exercises, diets or medicines to become healthier, saying "AI is my top priority" is just the beginning of our journey.

So I ask: What is next for your AI situation in 2026?

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.