That’s because whether the topic is AI, modernization, data or workforce readiness, security is showing up early — and often — in the conversation.
In a recent interview, the state’s CIO Shawnzia Thomas, executive director of the Georgia Technology Authority (GTA), made it clear that nearly every major technology decision now hinges on this question: Is it secure enough to scale? From AI pilots to workforce development and citizen-facing services, what she calls “cyber discipline” has become the foundation for how Georgia plans to move forward in 2026.
SECURITY AS THE THROUGHLINE
Cybersecurity has held the top spot on the National Association of State Chief Information Officers’ Top 10 priorities list for the past decade — until this year, when AI surged to the No. 1 position. However, despite AI’s rise, Thomas emphasized that security remains deeply intertwined with her state’s technology growth. As she put it, “AI is No. 1, but you still have AI governance in that, which is security as well.”
The state tech leader was straightforward about what to do when these top two priorities intersect: “Security is security.” For her, that means applying the same National Institute of Standards and Technology controls — access control, audit logging, data protection, oversight — to AI as to any other technology. “Making sure you know who’s accessing your data, making sure you have an audit log of all of that because those are the same controls you need for regular security versus AI security,” she said.
But this approach isn’t limited to emerging tech. It extends to all major initiatives, with cyber discipline now a baseline expectation — especially as new ideas flow through one of the state’s newest tech creation engines, the Innovation Lab.
INNOVATION WITH GUARDRAILS
The Innovation Lab, opened in July at the GTA’s Atlanta headquarters, provides state agencies, local governments, school systems and partners a “low-risk environment” to experiment with emerging tech, particularly AI. But that experimentation comes with clear security boundaries.
“In the Lab, we only focus on synthetic data — not production data,” the CIO said. The goal, she explained, is to allow agencies to test tools and ideas “without the worry of production data getting out into the World Wide Web.”
Even beyond the lab, data minimization has become an undeniable principle. State agencies are now urged to critically evaluate their requirements. Thomas emphasized the importance of "focusing on just the data that’s needed for this particular use case — and that data only."
For agencies handling sensitive or personally identifiable data — such as those in health, revenue or human services — the state prioritizes consent and transparency. And Thomas highlighted the importance of making sure residents are aware when their data is used in AI pilots.
Behind the scenes, AI pilots in Georgia are categorized by risk — low, medium and high — to determine how much governance is actually required. The goal, Thomas said, is not to slow innovation but to scale what works.
“We don’t want to run the same use case for a different agency. That’s just a waste of time. If we’ve got a use case that will fit, that we can tweak from one agency to another agency, we will do that.”
MEASURING SUCCESS BY OUTCOMES, NOT TOOLS
While cybersecurity and AI often dominate the conversation, the state’s 2026 priorities focus less on the specific tools in these areas and more on the results they deliver. Improving outcomes for employees, Thomas said, is a direct path to improving outcomes for residents — and that shapes how technology investments are being evaluated.
“When the governor gives us appropriations, we’re not funding technology,” she said. “We’re funding the outcomes — the outcomes of making things better for citizens and our staff. Technology is just a means of getting there.”
That mindset has sharpened the state’s focus on reducing cost, time and risk, especially after a year spent laying what she considers “groundwork.” All the work done in 2025 is paying off, the CIO said, and the state is “now making sure we’re getting the fruits of our labor from that.”
CYBER RESILIENCE THROUGH PEOPLE
Georgia’s overall shift to cyber resilience is as much about people as it is about platforms. Large-scale exercises like Cyber Dawg, a red team/blue team simulation, are designed to help state agencies test their technical defenses and their ability to coordinate and communicate during simulated cyber attacks. Last year’s exercise was, the CIO said, one of the largest to date, with participation from the National Guard lending the exercise scope and realism through the creation of real-world scenarios. She pointed out plans to increase the frequency of the exercises beyond its current once-a-year schedule.
But beyond cyber resilience, the state is applying this focus on people to workforce development as well. Upskilling and reskilling remain central priorities as AI becomes more embedded in daily operations because, according to the CIO, “AI is not just clicking a button. AI is a true mindset — a mindset shift.”
Her concern isn’t that AI will replace workers, but that workers could be asked to use or manage AI systems without adequate training. To lessen and prevent those occurrences, the state is investing heavily in AI literacy — from open Q&A sessions for agency staff to hackathons and training partnerships with companies like Google, Microsoft, AWS, Palo Alto and Oracle.
TRUST AS A DELIVERABLE
All of this — cybersecurity, data protection, AI governance, workforce readiness — ultimately feeds into what the CIO described as one of the state’s most important goals for 2026: citizen trust.
“Citizens entrust us with their data. They entrust us with the services,” she said. Maintaining that trust, she added, requires transparency, explainability and communication — especially as technology grows more complex.
“With AI, it’s got to be transparent. It’s got to be explainable. You’ve got to be able to explain how you got the outcome you got.”
As Georgia moves into the legislative session and deeper into 2026, the CIO said she doesn’t expect a dramatic pivot — but rather a tightening of focus, with “2026 being about doing fewer things better.” To her, that means driving real outcomes, strengthening cyber resilience, evaluating and upskilling the workforce, and continuing to earn public trust.
What comes next may depend on what emerges from the legislative session, she said. But one direction is already set. Cybersecurity isn’t just a priority on the state’s 2026 list — it’s the lens through which everything else is viewed.
