For more than a decade, one issue dominated the agenda of every state chief information officer in the country: cybersecurity. Year after year, it sat atop the priority list compiled by the National Association of State Chief Information Officers, immovable, almost axiomatic. Ransomware attacks on municipal systems, data breaches exposing millions of citizens’ records, nation-state probes of election infrastructure — the threats kept multiplying, and so did the budget lines and sleepless nights devoted to stopping them.
That era just ended.
According to NASCIO’s latest annual survey, artificial intelligence has vaulted to the number one priority for state CIOs heading into 2026, displacing cybersecurity for the first time since the survey began tracking the question in a consistent format. Cybersecurity now sits at number two. Budget and cost control, legacy system modernization, and digital services round out the top five. The shift isn’t subtle. It represents a fundamental reordering of what the people responsible for running state technology operations believe matters most right now, as reported by Federal News Network.
The reasons behind the move are layered. And they tell us something not just about government IT shops but about the velocity at which AI is reshaping institutional decision-making across the American public sector.
Start with the sheer volume of legislative activity. More than 1,000 AI-related bills were introduced in state legislatures during 2025 alone. That number, compiled by NASCIO and cited by Federal News Network, reflects an explosion of regulatory interest that has forced CIOs into a dual role: they’re no longer just technologists deploying tools, they’re policy interpreters trying to figure out what their states will and won’t allow. Some bills focus on procurement guardrails for AI systems used in benefits determinations. Others target algorithmic bias in criminal justice applications. Still others attempt to define transparency requirements for any AI tool that interacts with citizens. The patchwork is growing fast, and CIOs are the ones who have to make sense of it operationally.
This legislative surge didn’t happen in a vacuum. The federal government’s own approach to AI governance has been inconsistent, oscillating between executive orders encouraging adoption and political debates about whether regulation stifles innovation. That uncertainty has pushed states to act on their own, creating a fragmented regulatory environment that adds complexity for any CIO trying to deploy AI at scale. When Washington doesn’t set clear rules, state capitals fill the gap. Sometimes unevenly.
But the priority shift isn’t just about compliance headaches. It’s about opportunity — and pressure from governors, legislators, and citizens who’ve seen what generative AI tools can do and want to know why their state agencies aren’t using them yet. Constituent expectations have changed. People who interact with ChatGPT or Google’s Gemini in their personal lives don’t understand why renewing a driver’s license or filing a tax dispute still requires navigating a phone tree built in 2007.
State CIOs are responding. Across the country, pilot programs have proliferated. Some states are testing AI-powered chatbots for Medicaid inquiries. Others are experimenting with machine learning models to detect fraud in unemployment insurance claims, a problem that ballooned during the pandemic and never fully receded. A few are deploying natural language processing tools to help caseworkers sift through mountains of documentation in child welfare cases. The use cases are real, varied, and growing.
So why did cybersecurity hold the top spot for so long? Partly because the consequences of failure are catastrophic and immediate. A ransomware attack that locks down a state’s court system or health department makes national news. It ends careers. AI failures, by contrast, have historically been slower-burning — a biased algorithm that quietly denies benefits to eligible applicants, a chatbot that gives wrong information to hundreds of users before anyone notices. The political calculus is shifting, though. As AI tools become more visible and more consequential, the risks of getting AI wrong are starting to rival the risks of getting hacked.
That doesn’t mean cybersecurity has become less important. It hasn’t. Threat volumes continue to climb. State-sponsored cyber operations targeting American infrastructure show no signs of abating. What’s changed is the relative urgency CIOs assign to AI, not a diminishment of their concern about security. In fact, many CIOs see the two issues as deeply intertwined — AI systems themselves become attack surfaces, and AI tools are increasingly being used by adversaries to craft more sophisticated phishing campaigns and exploit vulnerabilities faster than human analysts can patch them.
The budget and cost control priority sitting at number three is telling, too. AI deployments aren’t cheap. They require cloud infrastructure, specialized talent, data governance frameworks, and ongoing monitoring. States are grappling with how to fund these initiatives at a time when many face fiscal constraints. Federal pandemic-era funding has dried up. Revenue projections in several states have softened. CIOs are being asked to do more with AI while simultaneously being told to watch spending — a tension that will define state IT strategy for the next several years.
Legacy modernization, at number four, connects directly to the AI conversation. You can’t run modern AI workloads on COBOL-based mainframe systems built in the 1980s. Many states still operate core systems — tax processing, benefits administration, motor vehicle databases — on technology that predates the internet. Modernizing these systems has been a priority for years, but AI has added new urgency. If a state wants to deploy machine learning models against its data, that data first has to be accessible, clean, and structured in ways that ancient systems often don’t support.
Digital services, the fifth priority, is where citizens actually feel the impact. Online portals, mobile applications, automated document processing — these are the front-end manifestations of back-end AI capabilities. States that get this right will see measurable improvements in citizen satisfaction and operational efficiency. States that don’t will fall further behind private-sector service standards that keep rising.
The NASCIO survey results carry weight because they reflect the collective judgment of the officials who actually run state technology operations. These aren’t think-tank projections or vendor marketing pitches. They’re the stated priorities of the people who have to sign contracts, manage teams, brief governors, and answer to legislators. When this group says AI has moved to the top, it means budgets, hiring plans, and organizational structures are already shifting to match.
There’s a historical parallel worth considering. In the early 2010s, cloud computing made a similar ascent up the NASCIO priority list. It started as an emerging technology that a few forward-leaning states experimented with. Within a few years, it became the default infrastructure model for new deployments. AI appears to be on a similar trajectory, but compressed — moving from experimentation to expectation in roughly half the time.
The workforce implications are significant. State governments have long struggled to compete with the private sector for technology talent. That challenge intensifies with AI. Data scientists, machine learning engineers, and AI governance specialists command salaries that state pay scales often can’t match. Some states are getting creative — offering remote work flexibility, mission-driven recruitment pitches, and partnerships with universities. But the talent gap remains one of the biggest obstacles to executing on AI ambitions.
And then there’s the trust question. Public trust in government use of AI is fragile. Surveys consistently show that Americans are wary of automated decision-making in areas that affect their lives — benefits eligibility, law enforcement, child welfare. CIOs know that a single high-profile AI failure could set adoption back years. That’s why governance frameworks, transparency policies, and human-in-the-loop requirements feature prominently in state AI strategies. Getting the technology right matters. Getting the governance right matters more.
The 1,000-plus AI bills introduced in 2025 represent just the beginning of what’s likely to be a sustained period of legislative activity. As AI capabilities advance and deployment expands, lawmakers will continue proposing new rules. Some will be well-crafted and informed by technical expertise. Others won’t. CIOs will need to engage proactively with legislators, educating them on what AI can and can’t do, and helping shape policies that protect citizens without making innovation impossible.
None of this means cybersecurity will stay in second place permanently. A major cyber incident — a devastating attack on critical state infrastructure, for instance — could easily push it back to the top. Priorities are dynamic. But the 2026 survey captures something real: a moment when the gravitational center of state technology leadership shifted from defense to transformation. From protecting what exists to building what comes next.
For vendors, the implications are clear. State procurement offices are actively seeking AI solutions, but they want products that come with governance tools, explainability features, and compliance documentation baked in. The days of selling AI as a black box to government buyers are over before they really started. For federal policymakers, the message is equally direct: states aren’t waiting. They’re moving on AI with or without federal guidance, and the resulting patchwork of rules will only grow more complex absent a coherent national framework.
The NASCIO survey is, in the end, a snapshot. But it’s a revealing one. It shows that the officials closest to the operational reality of running state government technology have made a collective bet: artificial intelligence isn’t a future priority. It’s the present one. Everything else — security, budgets, legacy systems, digital services — now orbits around it.


WebProNews is an iEntry Publication