TL;DR: State CIOs now rank “change leader” above “strategist” and “communicator,” while generative AI use in state IT daily operations rose from 53% to 82% year over year and 90% of organizations are running pilots, according to the 2025 State CIO Survey. Static playbooks, manual detection, and unfunded accessibility work are giving way to a governance problem that requires faster identity, access, and accountability controls.
At a glance
What this is: This survey shows state CIO priorities shifting toward change leadership as generative AI becomes routine and governance gaps widen.
Why it matters: It matters because identity and security programmes must now govern AI-enabled operations, not just traditional systems, while keeping human trust, access control, and accessibility aligned.
By the numbers:
- Generative AI use in state IT daily operations jumped from 53% to 82% year over year.
- 90% of state CIO organisations are running AI pilots or proofs of concept.
- 70% of CIO organisations have embedded digital accessibility in policy, yet over half report no dedicated funding for it.
- Change leader has surpassed strategist and communicator as the top leadership trait for state CIOs in 2025.
👉 Read Abnormal AI's 2025 State CIO Survey analysis of AI, accessibility, and modernization
Context
State IT is moving into an operating model where AI is no longer an experiment at the edge of the programme. The article argues that AI use has become part of daily operations, which means governance, access control, and accountability now have to cope with machine-speed decision support rather than slow, manual workflows.
For IAM and security teams, the practical question is not whether AI is present. It is whether identity governance, access reviews, and oversight processes can keep pace when leaders are balancing modernization, tighter budgets, and public trust at the same time.
Key questions
Q: How should security teams govern generative AI once it becomes part of daily operations?
A: Treat generative AI as an access-bearing workflow, not a standalone tool. Map what data it can reach, who owns the permissions behind it, and where human review still matters. If the AI is drafting, translating, or analysing sensitive material, the governance focus should be on entitlements, accountability, and monitoring rather than the model itself.
Q: Why do static playbooks struggle against AI-generated attacks?
A: Static playbooks assume threats can be classified and handled through stable steps, but AI can generate personalised attacks faster than humans can triage them. That creates a mismatch between attack speed and response speed. Teams need escalation logic, review gates, and detection workflows that can adapt to changing patterns rather than waiting for a manual decision cycle.
Q: What breaks when accessibility policy is not funded and owned?
A: Policy without funding usually produces uneven implementation, weak testing, and incomplete remediation. In practice, the organisation may claim accessibility maturity while individual teams lack the time, budget, or mandate to deliver it. The result is governance drift, where compliance language exists but operational delivery remains inconsistent.
Q: Who should be accountable when AI-driven modernization creates new identity risk?
A: Accountability should sit with the programme owner who controls the workflow, not only with the technology team. If AI changes how data is used, who sees it, or how decisions are made, security, compliance, and business leadership all need defined ownership. A shared operating model works only when responsibility is explicit and measurable.
Technical breakdown
Why static playbooks fail in machine-speed environments
Static playbooks assume that threat patterns, escalation paths, and decision thresholds stay stable long enough for human operators to interpret them. That assumption weakens when attackers use AI to generate personalised lures at scale and defenders rely on manual triage. The operational problem is not just alert volume. It is that the attack surface adapts faster than the response model, so the control plane becomes reactive instead of governing. In public-sector environments, that creates lag across policy, monitoring, and decision approval.
Practical implication: update response logic for faster classification, escalation, and identity-related review paths before AI-driven volume overwhelms manual handling.
Generative AI in daily operations and the identity boundary
When 82% of state IT organisations use generative AI in daily operations, AI stops being a side project and becomes part of the identity and access surface. That matters because every AI workflow inherits permissions, data access, and accountability boundaries from the systems around it. If those boundaries are unclear, AI can amplify overreach rather than efficiency. This is especially true where staff use AI to draft, summarise, translate, or analyse information that was never meant to be broadly exposed.
Practical implication: treat AI-enabled workflows as access-bearing processes and map the entitlements, data sources, and review points they inherit.
Accessibility policy without dedicated funding creates governance drift
Embedding digital accessibility in policy is only one layer of control. Without dedicated funding, the policy becomes a statement of intent rather than an operational commitment, and gaps emerge in implementation, testing, remediation, and ownership. The same pattern appears in identity programmes when governance is declared centrally but executed inconsistently across teams. Policy coverage without resourcing usually produces uneven compliance and weak follow-through.
Practical implication: align policy mandates with funded ownership, review cadence, and measurable accountability for delivery.
NHI Mgmt Group analysis
Machine-speed AI changes the governance problem, not just the tooling problem. The article is right to connect AI adoption with leadership agility, because the issue is no longer simply detection quality. Attackers can now produce personalised attacks faster than static playbooks can absorb, which means identity and security governance must assume shorter decision windows and less predictable attack patterns. For practitioners, the implication is that control design has to shift from static approval logic to faster, continuously checked identity decisions.
AI use in daily operations turns every workflow into an access-bearing system. Once generative AI is embedded in routine work, the programme is no longer managing isolated tools. It is managing how data, privileges, and judgment flow through AI-assisted processes, which makes accountability harder if ownership is unclear. This is a NIST Cybersecurity Framework issue as much as an AI issue, because protect and govern functions now extend into AI-enabled operational paths. Practitioners should treat this as a boundary-management problem, not a usage-policy problem.
Change leadership is now an identity governance requirement, not just an executive trait. The survey’s leadership finding matters because identity programmes fail when they are built for stable operating conditions. Budget pressure, accessibility commitments, and AI adoption all compete for attention, so governance has to prioritise what gets enforced, reviewed, and funded. A static IAM roadmap will not survive a machine-speed environment. Practitioners need governance that can adapt as quickly as the workflows it protects.
Digital accessibility without sustained funding is a governance control gap, not a communications win. The article shows that policy adoption alone does not guarantee execution. That same gap appears in identity governance when organisations declare controls but leave them without funding, monitoring, or operational owners. The result is predictable drift between policy and practice. Practitioners should read this as a reminder that declared control maturity is not the same as enforced control maturity.
Human-centred modernization still depends on identity discipline. The strongest thread in the article is that technology leadership succeeds when systems adapt to people without losing accountability. That principle applies directly to IAM, where modernisation efforts fail if identity proofing, access decisions, or lifecycle controls become detached from real operational use. The implication is straightforward: modernization programmes need identity governance that is measurable, funded, and owned end to end.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- For a deeper governance lens, see Ultimate Guide to NHIs and Why NHI Security Matters Now for how machine identity scale changes the control model.
What this signals
Change-leader governance will matter more as AI becomes operationally normal. The programme risk is not simply adopting AI faster than policy can catch up. The deeper issue is that identity, compliance, and operational teams will need a faster decision model for who may access what, when, and under whose accountability. The NHI Lifecycle Management Guide is useful here because lifecycle governance is where policy becomes enforced control.
Machine-speed attacks will expose slow identity review cycles. When defenders rely on monthly or quarterly review rhythms, AI-generated attacks can move through the environment before governance ever sees the pattern. In practice, teams should expect more pressure to connect access decisions, logging, and review outcomes into a single operational loop.
Accessibility and security are converging as governance disciplines. The same organisations that embed accessibility in policy without funding often do the same with security controls: they declare intent and under-resource execution. That pattern weakens trust because controls that look mature on paper can still be inconsistent in practice.
For practitioners
- Re-baseline access governance for AI-enabled workflows: Map which state IT workflows now use generative AI in daily operations, then identify the permissions, data sources, and review gates those workflows inherit. Where AI is drafting, analysing, or translating sensitive information, require explicit ownership for the underlying access path.
- Shorten decision loops for identity-related security review: Replace static playbooks with escalation paths that can handle faster attack generation and higher-volume, more personalised lures. Build review triggers that operate before manual queues become the default control point.
- Tie accessibility policy to funded control ownership: Track which accessibility commitments depend on identity, data, or application changes, then assign resourced owners and measurable delivery milestones. A policy that is not funded and reviewed behaves like an unenforced access rule.
- Treat AI adoption as a governance change programme: Use the rise in daily generative AI use to trigger policy review, accountability mapping, and operational control checks across security, compliance, and business teams. AI is now part of the operating model, not an isolated technology choice.
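The first practitioner step above, re-baselining access governance for AI-enabled workflows, can be made concrete as an inventory check. The script below is an added example written for this post; it is not code from the original article or from Abnormal AI. It models each workflow as running under a named identity, derives the data sources that identity can reach from its entitlements, and flags three governance gaps for any workflow that uses generative AI: sensitive data reachable with no named owner, sensitive data reachable with no human review gate, and an access review cadence that is missing or slower than a threshold. The workflow names, identities, data sources and the 30-day review threshold are constructed assumptions for illustration.

```python
"""Inventory AI-enabled workflows and flag governance gaps in the access they inherit.

Added example for this post (not from the original article). All identities,
workflows, data sources and thresholds below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Identity:
    name: str
    entitlements: FrozenSet[str]  # permission strings granted to the identity


@dataclass(frozen=True)
class DataSource:
    name: str
    entitlement: str        # the entitlement that grants read access
    classification: str     # "public", "internal" or "sensitive"


@dataclass(frozen=True)
class Workflow:
    name: str
    uses_generative_ai: bool
    runs_as: Identity               # the workflow inherits this identity's access
    owner: Optional[str]            # accountable programme owner, if any
    human_review_gate: bool         # is a person required to approve output?
    review_cadence_days: Optional[int]  # how often access is reviewed, if ever


MAX_REVIEW_CADENCE_DAYS = 30  # assumed threshold; a "monthly or slower" review is flagged


def reachable_sources(workflow: Workflow, sources: List[DataSource]) -> List[DataSource]:
    """Data sources the workflow can read through the identity it runs as."""
    return [s for s in sources if s.entitlement in workflow.runs_as.entitlements]


def assess(workflow: Workflow, sources: List[DataSource]) -> List[str]:
    """Return governance finding codes for one workflow (empty if none)."""
    findings: List[str] = []
    if not workflow.uses_generative_ai:
        return findings  # only AI-enabled workflows are in scope for this re-baseline
    reach = reachable_sources(workflow, sources)
    touches_sensitive = any(s.classification == "sensitive" for s in reach)
    if touches_sensitive and workflow.owner is None:
        findings.append("NO_OWNER")
    if touches_sensitive and not workflow.human_review_gate:
        findings.append("NO_REVIEW_GATE")
    if workflow.review_cadence_days is None or workflow.review_cadence_days > MAX_REVIEW_CADENCE_DAYS:
        findings.append("STALE_REVIEW")
    return findings


def assess_all(workflows: List[Workflow], sources: List[DataSource]) -> Dict[str, List[str]]:
    """Map each workflow name to its finding codes."""
    return {w.name: assess(w, sources) for w in workflows}


# Constructed sample inventory (not real systems).
SOURCES = [
    DataSource("correspondence", "correspondence:read", "internal"),
    DataSource("case-files", "case-files:read", "sensitive"),
    DataSource("public-notices", "public-notices:read", "public"),
]

SVC_DRAFTING = Identity("svc-drafting", frozenset({"correspondence:read", "case-files:read"}))
SVC_TRANSLATE = Identity("svc-translate", frozenset({"public-notices:read"}))

WORKFLOWS = [
    # AI drafts replies using an identity that can also read sensitive case files,
    # with nobody accountable, no human approval, and a quarterly review at best.
    Workflow("draft-responses", True, SVC_DRAFTING, None, False, 90),
    # AI translates public notices only; owned, reviewed fortnightly, no sensitive reach.
    Workflow("translate-notices", True, SVC_TRANSLATE, "Communications", False, 14),
    # Not AI-enabled, so out of scope for this particular check.
    Workflow("batch-reports", False, SVC_DRAFTING, None, False, None),
]

if __name__ == "__main__":
    for name, codes in assess_all(WORKFLOWS, SOURCES).items():
        print(f"{name}: {codes or 'no findings'}")
```

The point of the `runs_as` indirection is that the finding is attached to the workflow, not to the model: the AI workflow reaches case files only because the service identity behind it does, which is exactly the inherited entitlement the practitioner step asks teams to surface and assign an owner to.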
Key takeaways
- The article shows that AI has moved from experimentation into daily operations, which raises the bar for governance and accountability.
- It also shows a widening execution gap, with policy intent, funding, and control enforcement not always aligned.
- For practitioners, the practical response is to treat AI-enabled workflows as access-bearing systems and govern them accordingly.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | AI adoption is changing the operating context for governance and accountability. |
| NIST CSF 2.0 | PR.AA-01 | AI workflows inherit access boundaries and identity controls from surrounding systems. |
| NIST AI RMF | Govern and Map functions | The article centres on AI adoption, oversight, and trust in daily operations. Use AI RMF governance and mapping practices to define ownership, monitoring, and accountability. |
Key terms
- AI-enabled workflow: A business or operational process that uses generative AI to help produce, transform, or analyse work. In identity terms, it matters because the workflow inherits permissions, data exposure, and review obligations from the systems and people around it, even when the model itself is not the owner of access.
- Governance drift: The gap between a policy that exists on paper and the control that is actually enforced in practice. It usually appears when an organisation has declared expectations but has not funded ownership, testing, monitoring, or escalation paths strongly enough to keep execution aligned with intent.
- Access-bearing process: Any workflow that can read, move, or transform data because an identity has been granted permissions behind it. This includes AI-assisted processes, service accounts, and automated systems. The critical issue is not the tool label, but the access rights and accountability attached to the process.
- Control plane: The set of governance decisions, review points, and enforcement mechanisms that determine how access and security rules are applied. In practice, it is where policy becomes operational. When attacks move faster than the control plane, the organisation can still see risk but cannot govern it in time.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Abnormal AI: 2025 State CIO Survey insights on AI, accessibility, and modernization. Read the original.
Published by the NHIMG editorial team on 2025-10-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org