The 2026 CIO/CISO Agenda: Eight Trends Reshaping IT and Security Leadership

From AI Disillusionment to Agentic AI, Personal Liability to Geopolitical Realignment

A data-driven analysis of the eight forces reshaping the CIO and CISO agenda in 2026 — drawing on survey data from Gartner, Forrester, IDC, McKinsey, ISC2, and the World Economic Forum.
Category: GRC
Published: February 11, 2026

Introduction

Every year, analyst firms survey thousands of technology and security executives to map their priorities. The 2025-2026 cycle produced an unusually coherent signal: CIOs and CISOs are converging on a shared set of pressures that cut across traditional IT-versus-security boundaries.

This post synthesizes survey data from Gartner (2,500+ CIOs), Forrester, IDC, McKinsey (600+ technology leaders), ISC2 (16,000+ cybersecurity professionals), and the World Economic Forum to identify eight trends that define the current agenda. The picture that emerges is one of executives caught between accelerating AI expectations, rising personal accountability, a burned-out security workforce, and a geopolitical landscape that is reshaping where workloads run and which vendors are allowed to run them.


1. AI Hits the Trough of Disillusionment

The honeymoon is over. After two years of generative AI pilots, 2026 is the year AI must prove its business value — or lose executive sponsorship.

The data is sobering. S&P Global found that 42% of companies abandoned most AI initiatives in 2025, up from 17% the year before, with the average organization scrapping 46% of proofs-of-concept before reaching production [1]. MIT research cited by CIO.com puts the overall pilot failure rate at 95% [2]. And Forrester predicts that enterprises will defer 25% of planned AI spend to 2027 because fewer than one-third of decision-makers can tie AI value to financial growth [3].

Yet investment continues to accelerate. Gartner’s survey of 2,501 CIOs shows 89% plan to increase AI spend in 2026, with AI/GenAI budgets growing 34-41% on average [4]. The paradox is explained by a maturity gap: organizations with high AI maturity keep projects operational for three or more years at a rate of 45%, versus only 20% for low-maturity peers [5]. The winners are pulling ahead. Everyone else is throwing money at experiments that do not scale.

The implication for CIOs: for every dollar spent on AI technology, plan for at least one to two dollars on change management and implementation [6]. The technology was never the hard part.


2. Agentic AI: The Next Wave (and the Next Bubble?)

If 2024-2025 was the era of generative AI, 2026 is the year of the agent. Agentic AI — autonomous systems that plan, decide, and act without continuous human intervention — is the consensus #1 emerging investment area across every major analyst firm.

The projections are dramatic. Gartner predicts 40% of enterprise applications will feature task-specific AI agents by end of 2026, up from less than 5% in 2025 [7]. IDC expects 40% of Global 2000 job roles to involve working with AI agents [8]. The Salesforce CIO Study found 96% of companies either use or plan to use agentic AI within two years, with CIOs allocating roughly 30% of their AI budgets to it [9].

But the reality check is already arriving. McKinsey research shows that while 39% of organizations are experimenting with agents, only 23% have begun scaling them within even a single business function [10]. Gartner itself predicts that over 40% of agentic AI projects will be canceled by end of 2027 due to escalating costs, unclear business value, or inadequate risk controls [11].

The security implications are severe. The AI agents market is expanding from $5.4B to a projected $50.3B by 2030 [12], creating enormous new attack surface around agent identity, credential management, and over-permissioned access. Yet only 6% of organizations have an advanced AI security strategy in place [7], and only 21% have the visibility needed to secure their agent deployments [13].

For CISOs, the message is clear: machine identity management, credential automation, and policy-driven authorization for non-human actors are now first-order IAM challenges — not future concerns.
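What "policy-driven authorization for non-human actors" looks like in practice is a gate that sits between the agent and every tool it can invoke: the agent holds a short-lived identity bound to an accountable human, scopes are granted narrowly and wildcards are refused, unknown tools are denied by default, high-impact actions are queued for a human instead of executed, and every decision is written to an audit trail. The block below is an added example written for this post, not code from any vendor or analyst cited here; the tool catalog, scope names, agent IDs, per-call limit and fixed clock are all assumptions chosen for the demonstration.

```python
"""Policy-driven authorization gate for AI-agent tool calls.

Added example for this post; not code from any vendor or analyst it cites.
The tool catalog, scope names, agent IDs and limits below are assumptions
chosen for the demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Any

# Tool catalog. Each tool names the scope a caller must hold and a tier:
#   "auto"     - executes when the scope check passes
#   "approval" - never executes directly; queued for a named human
#   "blocked"  - never available to a non-human principal
TOOL_POLICY: dict[str, dict[str, Any]] = {
    "crm.read_account":      {"scope": "crm:read",       "tier": "auto"},
    "crm.update_account":    {"scope": "crm:write",      "tier": "auto"},
    "finance.issue_refund":  {"scope": "finance:refund", "tier": "approval", "max_amount": 500},
    "finance.wire_transfer": {"scope": "finance:wire",   "tier": "blocked"},
}

# Fixed clock so the demo is reproducible; a real gate uses the current time.
DEMO_NOW = datetime(2026, 2, 11, 9, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class AgentIdentity:
    agent_id: str
    owner: str                 # accountable human, recorded on every decision
    scopes: frozenset[str]
    expires_at: datetime       # short-lived: re-registration is the rotation mechanism


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    needs_approval: bool = False


AUDIT_LOG: list[dict[str, Any]] = []


def register_agent(agent_id: str, owner: str, scopes: set[str],
                   ttl: timedelta = timedelta(hours=1), now: datetime = DEMO_NOW) -> AgentIdentity:
    """Mint a short-lived agent identity. Wildcard and unknown scopes are refused
    at registration, so an over-permissioned agent cannot be created at all."""
    known = {p["scope"] for p in TOOL_POLICY.values()}
    for scope in scopes:
        if "*" in scope:
            raise ValueError(f"wildcard scope {scope!r} not allowed for a non-human principal")
        if scope not in known:
            raise ValueError(f"unknown scope {scope!r}")
    return AgentIdentity(agent_id, owner, frozenset(scopes), now + ttl)


def authorize(identity: AgentIdentity, tool: str, args: dict[str, Any],
              now: datetime = DEMO_NOW) -> Decision:
    """Evaluate one tool call against the catalog; every outcome is audit-logged."""
    decision = _evaluate(identity, tool, args, now)
    AUDIT_LOG.append({"ts": now.isoformat(), "agent": identity.agent_id, "owner": identity.owner,
                      "tool": tool, "args": args, "allow": decision.allow, "reason": decision.reason})
    return decision


def _evaluate(identity: AgentIdentity, tool: str, args: dict[str, Any], now: datetime) -> Decision:
    if now >= identity.expires_at:
        return Decision(False, "identity expired")
    policy = TOOL_POLICY.get(tool)
    if policy is None:                              # deny by default: unknown tool
        return Decision(False, "tool not in catalog")
    if policy["tier"] == "blocked":
        return Decision(False, "tool blocked for non-human principals")
    if policy["scope"] not in identity.scopes:
        return Decision(False, f"missing scope {policy['scope']}")
    limit = policy.get("max_amount")
    if limit is not None and args.get("amount", 0) > limit:
        return Decision(False, f"amount exceeds per-call limit of {limit}")
    if policy["tier"] == "approval":
        return Decision(False, "queued for human approval", needs_approval=True)
    return Decision(True, "allowed")


def demo() -> dict[str, Decision]:
    """Exercise the gate with a support agent holding only read and refund scopes."""
    agent = register_agent("support-bot-1", "alice@example.com", {"crm:read", "finance:refund"})
    return {
        "read":       authorize(agent, "crm.read_account", {"account_id": 42}),
        "write":      authorize(agent, "crm.update_account", {"account_id": 42}),  # no crm:write
        "refund":     authorize(agent, "finance.issue_refund", {"amount": 120}),  # needs a human
        "big_refund": authorize(agent, "finance.issue_refund", {"amount": 900}),  # over limit
        "wire":       authorize(agent, "finance.wire_transfer", {"amount": 10}),  # blocked tier
        "unknown":    authorize(agent, "shell.exec", {"cmd": "id"}),             # not in catalog
        "expired":    authorize(agent, "crm.read_account", {"account_id": 42},
                                now=DEMO_NOW + timedelta(hours=2)),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:10} allow={d.allow!s:5} approval={d.needs_approval!s:5} {d.reason}")
```

The design choice worth noting is that least privilege is enforced at two points: registration refuses wildcard scopes outright, and evaluation denies anything not explicitly in the catalog. The audit record carries the owning human, which is what an incident responder needs when an agent's credential is misused.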


3. Cybersecurity: Still #1, But Budgets Are Tightening

Cybersecurity has been the #1 CIO priority for four consecutive years according to Gartner/Evanta surveys of 1,200+ CIOs [14]. Global security spending is projected to reach $240 billion in 2026, up 12.5% from $213 billion in 2025 [15].

But beneath the headline numbers, the budget picture is more complicated. Cybersecurity budgets grew only 4% in 2025 — the slowest expansion in five years — and security as a percentage of IT spend actually fell from 11.9% to 10.9%, breaking a five-year upward trend [16]. CISOs who could add headcount dropped to 45%, down from 51% [16].

The workforce crisis compounds the budget squeeze. There are 4.8 million unfilled cybersecurity jobs globally [17]. ISC2’s 2025 study of 16,000+ professionals found that 33% of organizations lack resources to adequately staff security teams, and 88% experienced at least one significant cybersecurity event directly attributable to skills shortages [18]. The most critical gap? AI skills, cited by 41% as the top deficit [18].

Gartner’s six cybersecurity trends for 2026 reflect this tension between expanding threats and constrained resources [19]:

  1. Agentic AI demands cybersecurity oversight — unmanaged agent proliferation is creating unsecured code and compliance violations
  2. Cyber risk becomes a board-level business priority — regulators are holding boards personally liable
  3. Post-quantum cryptography moves into action plans — NIST’s transition guidance deprecates quantum-vulnerable RSA and ECC by 2030, and “harvest now, decrypt later” collection (recording encrypted traffic today to decrypt once a cryptographically relevant quantum computer exists) is assumed to be already underway
  4. IAM adapts to AI agents — machine identity registration becomes an IAM challenge
  5. AI transforms SOCs — shifting to human-in-the-loop frameworks
  6. GenAI breaks traditional security awareness — 57% of employees use personal GenAI accounts for work; 33% input sensitive data into unapproved tools


4. Shadow AI: The Governance Gap That’s Already Causing Breaches

Shadow AI has become one of the most pressing governance challenges facing both CIOs and CISOs. The numbers are stark: 98% of organizations have employees using unsanctioned AI applications, and 65% of AI tools now operate without IT approval [20]. This is not a theoretical risk: shadow AI is already implicated in roughly one in five breaches, and those incidents cost affected organizations an average of $670,000 more than a standard breach [20].

Only 36% of organizations have a dedicated AI policy [21]. Meanwhile, 57% of employees use personal GenAI accounts for work, and a third admit to inputting sensitive data into unapproved tools [19]. Yet 59% of organizations respond by restricting employee GenAI usage entirely [22] — a prohibition that demonstrably fails, since the unauthorized usage statistics show employees simply route around the restrictions.

The emerging consensus is that structured enablement beats blanket prohibition. Approaches gaining traction include AI sandboxes (contained environments seeded with synthetic data), approved tool catalogs, continuous control monitoring, and agent lifecycle management frameworks. Singapore’s Model AI Governance Framework for Agentic AI, released in January 2026, offers one model: four dimensions covering risk assessment, human accountability, technical controls, and end-user responsibility [23].
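An approved tool catalog only works if something checks traffic against it. The block below is an added example written for this post, not code from any product or report cited here: it reads web-proxy log lines, ignores destinations in the sanctioned catalog, aggregates requests to known GenAI endpoints that are not sanctioned per user and host, and flags large POST bodies to those hosts as possible bulk uploads of internal data. The log format, the host lists, the 50 KB threshold and the log lines themselves are assumptions constructed for the demonstration.

```python
"""Flag shadow-AI traffic in web-proxy logs against an approved-tool catalog.

Added example for this post; not code from any product or report it cites.
The log format, the host lists and the upload threshold are assumptions for
the demonstration, and the log lines are constructed, not real traffic.
"""
import re
from collections import defaultdict
from typing import Optional

# Sanctioned GenAI tools (the catalog). Any other host that looks like a
# GenAI endpoint is shadow AI by definition.
APPROVED_HOSTS = {"corp-assistant.example.com"}

# Known GenAI endpoints. Hypothetical names; in practice this list comes from
# the proxy vendor's URL categories plus your own curation.
GENAI_HOSTS = {"chat.genai-example.com", "api.genai-example.com", "paste.llm-example.net"}

# A single request sending more than this many bytes to an unsanctioned tool
# is treated as a possible bulk upload of internal data.
BULK_UPLOAD_BYTES = 50_000

# Assumed proxy format: <timestamp> <user> <method> <host><path> <status> <bytes_out>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>[^\s/]+)\S* (?P<status>\d{3}) (?P<bytes_out>\d+)$"
)

# Constructed sample log: one sanctioned use, two users on unsanctioned tools
# (one of them uploading a large file), one unrelated site, one malformed line.
SAMPLE_LOG = """\
2026-02-11T09:01:12Z alice GET corp-assistant.example.com/chat 200 512
2026-02-11T09:03:40Z bob POST chat.genai-example.com/backend-api/conversation 200 1834
2026-02-11T09:05:02Z bob POST chat.genai-example.com/backend-api/files 200 612000
2026-02-11T09:07:19Z carol GET news.example.org/ 200 0
2026-02-11T09:08:55Z dave POST api.genai-example.com/v1/chat/completions 200 2400
this line is malformed and must be skipped
"""


def _matches(host: str, catalog: set[str]) -> bool:
    """Exact or subdomain match, so cdn.chat.genai-example.com is still caught."""
    return any(host == h or host.endswith("." + h) for h in catalog)


def parse_line(line: str) -> Optional[dict]:
    """Parse one proxy line; return None for anything that does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    rec["host"] = rec["host"].lower()
    return rec


def analyze(log_text: str) -> list[dict]:
    """Aggregate unsanctioned GenAI traffic per (user, host); bulk uploads first, then by volume."""
    agg: dict[tuple, dict] = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "bulk_uploads": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or _matches(rec["host"], APPROVED_HOSTS) or not _matches(rec["host"], GENAI_HOSTS):
            continue
        f = agg[(rec["user"], rec["host"])]
        f["requests"] += 1
        f["bytes_out"] += rec["bytes_out"]
        if rec["method"] in ("POST", "PUT") and rec["bytes_out"] > BULK_UPLOAD_BYTES:
            f["bulk_uploads"] += 1
    findings = [{"user": u, "host": h, **v} for (u, h), v in agg.items()]
    findings.sort(key=lambda f: (-f["bulk_uploads"], -f["bytes_out"]))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        flag = " BULK-UPLOAD" if f["bulk_uploads"] else ""
        print(f'{f["user"]:6} {f["host"]:28} {f["requests"]} req {f["bytes_out"]:>8} bytes{flag}')
```

Run against the sample, it reports bob (two requests, one 612 KB upload) ahead of dave and says nothing about alice, whose traffic went to the sanctioned tool. The point of the ordering is triage: a user pasting a prompt into an unapproved chatbot is a policy conversation, while a user uploading a large file to one is a potential data-loss incident.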


5. The CISO Role in Crisis

The data on CISO burnout and attrition has moved from anecdotal to systemic. ISC2’s 2025 study found that 49% of cyber chiefs do not see a long-term future in their roles [18]. Approximately 32% have considered leaving due to stress and regulatory pressure. Average tenure sits at 18-26 months [24].

Proofpoint’s 2025 Voice of the CISO report adds more texture: 66% of CISOs face excessive expectations, 63% have experienced or witnessed burnout in the past year, and board alignment with the CISO has dropped from 84% to 64% year-over-year [22]. At the same time, 76% feel at risk of a material cyberattack within 12 months, and 58% admit their organizations are unprepared.

There is a structural dimension to this crisis. When the CISO reports to the CIO, there is a built-in conflict of interest — “the person responsible for securing infrastructure answers to the person responsible for delivering it” [25]. Without organizational independence, security decisions are routinely overridden in favor of delivery timelines or budget goals.

Compensation is rising — average CISO pay now tops $500K, and job-changers see a 31% boost [24] — but money alone does not solve the problem. Over 50% of US/Canadian CISOs now receive D&O insurance (up from 40%), but many are still excluded from traditional D&O policies because companies do not classify the CISO as a corporate officer [26].

The role is evolving from technical gatekeeper to strategic business leader, AI governance owner, and board communicator. Whether organizations will give CISOs the authority to match their expanding responsibility remains an open question.


6. Geopolitics Is Reshaping IT Architecture

Gartner coined a new term for 2026: geopatriation — the practice of rethinking where workloads run, which vendors to engage, and how to ensure data sovereignty based on geopolitical factors [6].

The trend is pronounced outside the United States. 50% of non-U.S. CIOs anticipate changes to vendor engagement based on regional factors, compared to only 16% of U.S. CIOs [27]. In Europe, private cloud and industry-specific public cloud offerings are increasingly preferred over U.S. hyperscalers, driven by data sovereignty concerns. In APAC, 88% of decision-makers anticipate increased IT spending — the highest growth rate globally — with security as the top challenge [3].

McKinsey identifies infrastructure sovereignty and resilience as one of four strategic imperatives for CIOs [28]. Forrester expects five governments to nationalize or restrict telecom infrastructure in 2026 [3]. The practical effect is that CIOs can no longer make technology decisions purely on cost and capability — regulatory geography, supply chain origin, and vendor nationality have become first-order selection criteria.


7. Personal Liability Comes for the C-Suite

The regulatory environment has shifted from organizational compliance to personal accountability. Two cases set the tone. In SolarWinds, the SEC charged the company’s CISO personally over the accuracy of its security disclosures; a court dismissed most of the claims in 2024 and the SEC dropped the remainder in late 2025, but the case established that a security executive can be named as an individual defendant. In Uber, former chief security officer Joe Sullivan was convicted of obstruction of justice and misprision of a felony for concealing a 2016 breach affecting roughly 57 million riders and drivers [25] [29].

CMMC 2.0, NIS2, DORA, and SEC enforcement all push accountability onto the individuals who sign the attestations. The SEC’s 2026 examination priorities explicitly include cybersecurity governance, identity theft prevention, vendor oversight, and preparedness for AI-driven intrusions [30]. Item 1.05 of Form 8-K requires public companies to disclose a cybersecurity incident within four business days of determining that it is material; Item 106 of Regulation S-K, reported in the annual Form 10-K, mandates disclosure of cyber risk management, strategy, and governance.

For CISOs, this means working with General Counsel and the CFO on materiality judgments, briefing boards with metrics that investors can compare across peers, and blending what one analysis described as “technical command with investor-grade communication and defensible documentation” [25].

Evanta’s CISO survey captured the shift at the enterprise level: driving growth became the top enterprise-level focus for CISOs for the first time in the survey’s history [31], displacing purely defensive priorities. CISOs are expected to connect security investments to revenue protection, regulatory compliance, and enterprise resilience, not just threat prevention.


8. The Threat Landscape: AI-Powered Attacks, Supply Chain Blind Spots, and Triple Extortion

The World Economic Forum’s Global Cybersecurity Outlook 2026 puts ransomware as the leading CISO concern, with supply chain disruption consistently in second place [32].

Ransomware has evolved into triple extortion: encryption, a threat to leak the stolen data, and a third lever such as DDoS against the victim or direct pressure on its customers and partners. Supply chain attacks have shifted from opportunistic to deliberate, targeting SaaS platforms and upstream suppliers. A 2026 Panorays study found that 85% of CISOs lack full visibility into third-party threats [33]. BlueVoyant reported that 98% of UK businesses were negatively impacted by supply chain breaches [33].

AI is accelerating both sides of the conflict. On offense, 40% of survey respondents experienced AI-optimized social engineering, and attackers are shifting from passive AI use to automation of full attack campaigns [34]. AI-assisted reconnaissance can now discover and chain exploitable vulnerabilities within hours rather than weeks. On defense, AI lets SOC teams triage alerts and block threats in seconds, and Gartner expects preemptive security solutions to account for 50% of all security spending by 2030 [15].

The emerging threats on the horizon — data poisoning of AI training sets, “harvest now, decrypt later” quantum attacks, deepfake-powered social engineering, and AI-physical convergence targeting critical infrastructure — suggest that the pace of escalation will not slow.


What This Means

The convergence is striking. CIOs and CISOs face the same core tension: accelerate AI adoption while governing its risks, prove business value while absorbing budget pressure, respond to geopolitical fragmentation while maintaining operational efficiency, and accept expanding personal liability while losing the workforce needed to manage it all.

The organizations that navigate this successfully will be those that treat AI governance as a first-class discipline (not an afterthought), invest in change management alongside technology, give their CISOs both authority and organizational independence, and plan their infrastructure for a world where regulatory geography matters as much as technical capability.

The data suggests most organizations are not there yet. But the gap between leaders and laggards is widening fast — and in 2026, the cost of being on the wrong side of that gap is no longer abstract.


References

[1] S&P Global, “2025 AI Adoption Survey” (2025). Cited in CIO.com.

[2] MIT research on AI pilot failure rates. Cited in CIO.com.

[3] Forrester, “Global Technology Spend Forecast 2025-2030” and “2026 Predictions.” Forrester.

[4] Gartner, “2026 CIO and Technology Executive Survey” (2,501 respondents, May-June 2025). Gartner.

[5] Gartner, “Survey Finds 45% of High AI Maturity Organizations Keep AI Projects Operational for 3+ Years” (June 2025). Gartner.

[6] Gartner IT Symposium/Xpo 2025, Orlando. Day 1 Highlights. Gartner.

[7] Gartner, “40% of Enterprise Apps Will Feature Task-Specific AI Agents by 2026” (August 2025). Gartner.

[8] IDC, “FutureScape 2026 Predictions: Rise of Agentic AI” (October 2025). BusinessWire.

[9] Salesforce, “CIO Trends 2026.” Salesforce.

[10] McKinsey, “The New CIO Mandate: Strategy, Speed, and Scaled Intelligence.” McKinsey.

[11] Gartner, “Over 40% of Agentic AI Projects Will Be Canceled by End of 2027” (June 2025). Gartner.

[12] CSO Online, “8 Things CISOs Can’t Afford to Get Wrong in 2026.” CSO Online.

[13] Akto, “State of Agentic AI Security 2025.” Akto.

[14] Evanta/Gartner, “Top 3 Priorities for CIOs in 2025” (1,200+ CIOs). Evanta.

[15] Gartner, “Worldwide End-User Spending on Information Security to Total $213 Billion in 2025” (July 2025). Gartner.

[16] Forrester/Wiz, “2026 CISO Budget Benchmark Report.” Wiz. Also: GovTech.

[17] Fortinet, “2025 Cybersecurity Skills Gap Report.” Fortinet. Also: Deepstrike.

[18] ISC2, “2025 Cybersecurity Workforce Study” (16,029 respondents). ISC2.

[19] Gartner, “Top Cybersecurity Trends for 2026” (February 5, 2026). Gartner.

[20] CIO.com, “Shadow AI: The Hidden Agents Beyond Traditional Governance.” CIO.com. Also: ISACA (2025).

[21] ISACA, “The Rise of Shadow AI: Auditing Unauthorized AI Tools in the Enterprise.” ISACA.

[22] Proofpoint, “2025 Voice of the CISO Report.” Proofpoint.

[23] Deloitte, “Tech Trends 2026: AI in Cybersecurity.” Deloitte.

[24] SecurityWeek, “CISO Burnout: Epidemic, Endemic, or Simply Inevitable?” SecurityWeek. Also: IT Pro, “Bigger Salaries, More Burnout: Is the CISO Role in Crisis?”

[25] Computer Weekly, “CISO Burnout: A Crisis of Expectation and Isolation.” Computer Weekly.

[26] Hunton Andrews Kurth, “D&O Insurance for CISOs: A Critical Shield.” Hunton. Also: CSO Online.

[27] Gartner, “50% of Non-U.S. CIOs Anticipate Changes to Vendor Engagement” (October 2025). Gartner.

[28] McKinsey, “The CIO Agenda.” McKinsey.

[29] Cybersecurity Insiders, “Between the Breach and the Boardroom: Navigating CISO Liability.” Cybersecurity Insiders.

[30] SEC, “2026 Examination Priorities.” SEC.

[31] Evanta/Gartner, “2025 CISO Leadership Perspectives.” Evanta.

[32] World Economic Forum, “Global Cybersecurity Outlook 2026.” WEF.

[33] Panorays, “2026 Study: 85% of CISOs Can’t See Third-Party Threats.” CIO.com.

[34] Nextgov/FCW, “Cyber Experts Pinpoint What to Look Out for in 2026.” Nextgov.