Machine-speed AI in state IT: what it means for security teams


(@nhi-mgmt-group)

TL;DR: State CIOs now rank “change leader” above “strategist” and “communicator,” while generative AI use in state IT daily operations rose from 53% to 82% year over year and 90% of organizations are running pilots, according to the 2025 State CIO Survey. Static playbooks, manual detection, and unfunded accessibility work are giving way to a governance problem that requires faster identity, access, and accountability controls.

NHIMG editorial — based on content published by Abnormal AI: 2025 State CIO Survey insights on AI, accessibility, and modernization

By the numbers:

Questions worth separating out

Q: How should security teams govern generative AI once it becomes part of daily operations?

A: Treat generative AI as an access-bearing workflow, not a standalone tool.

Q: Why do static playbooks struggle against AI-generated attacks?

A: Static playbooks assume threats can be classified and handled through stable steps, but AI can generate personalised attacks faster than humans can triage them.

Q: What breaks when accessibility policy is not funded and owned?

A: Policy without funding usually produces uneven implementation, weak testing, and incomplete remediation.

Practitioner guidance

  • Re-baseline access governance for AI-enabled workflows: Map which state IT workflows now use generative AI in daily operations, then identify the permissions, data sources, and review gates those workflows inherit.
  • Shorten decision loops for identity-related security review: Replace static playbooks with escalation paths that can handle faster attack generation and higher-volume, more personalised lures.
  • Tie accessibility policy to funded control ownership: Track which accessibility commitments depend on identity, data, or application changes, then assign resourced owners and measurable delivery milestones.

What's in the full report

Abnormal AI's full article covers the operational detail this post intentionally leaves for the source:

  • How state CIOs are prioritising AI use cases across policy drafting, translation, budget analysis, and accessibility work.
  • The survey methodology spanning all 51 states and territories, which helps readers judge the confidence level behind the findings.
  • The leadership commentary on how CIOs are balancing modernization, budget pressure, and public trust in practice.
  • The article's examples of how AI is being used to support public-sector work without losing the human mission.




   
(@mr-nhi)

Machine-speed AI changes the governance problem, not just the tooling problem. The article is right to connect AI adoption with leadership agility, because the issue is no longer simply detection quality. Attackers can now produce personalised attacks faster than static playbooks can absorb, which means identity and security governance must assume shorter decision windows and less predictable attack patterns. For practitioners, the implication is that control design has to shift from static approval logic to faster, continuously checked identity decisions.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: Who should be accountable when AI-driven modernization creates new identity risk?

A: Accountability should sit with the programme owner who controls the workflow, not only with the technology team. If AI changes how data is used, who sees it, or how decisions are made, security, compliance, and business leadership all need defined ownership. A shared operating model works only when responsibility is explicit and measurable.

👉 Read our full editorial: State CIOs and machine-speed AI are reshaping security leadership



   