NASCIO 2026 and identity-first government: what changes for IAM teams?

TL;DR: State CIO priorities for 2026 put AI governance, cybersecurity, modernization, and cloud services in the same lane, and SailPoint frames identity-first control as the mechanism that keeps those initiatives from widening access risk, according to SailPoint. The harder problem is not adoption speed but governance for humans, machines, and AI agents operating across shared state data and legacy systems.

NHIMG editorial — based on content published by SailPoint: How SailPoint adaptive identity helps NASCIO’s top 10 priorities

By the numbers:

• 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
• 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
• 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.

Questions worth separating out

Q: How should state agencies govern AI tools that can reach sensitive data?

A: State agencies should inventory every AI-connected access path, assign an owner, and require a revocation path before the tool is allowed to touch internal data.

Q: Why do cloud modernization programmes increase identity risk so quickly?

A: Cloud modernisation increases identity risk because it multiplies the number of permissions, service accounts, integrations, and delegated access paths that must be governed at once.

Q: What do security teams get wrong about shadow AI?

A: They often treat shadow AI as an application-usage problem when it is also an identity problem.

Practitioner guidance

• Map all AI-connected access paths Identify sanctioned and unsanctioned AI tools, extensions, and connectors that can reach internal data.
• Unify lifecycle controls across identity types Apply joiner-mover-leaver and access review processes to human users, service accounts, and AI identities under the same governance standard.
• Reduce privilege before modernising platforms Baseline current entitlements in cloud and legacy systems, then remove excess access before expanding automation or AI use cases.

What's in the full article

SailPoint's full post covers the operational detail this post intentionally leaves for the source:

• The article walks through each NASCIO priority and shows how SailPoint maps identity governance to them in state government settings.
• It includes agency-style examples for AI governance, cloud services, modernization, and digital government workflows.
• It explains how SailPoint positions a unified control plane across human, machine, and AI identities without splitting policy by platform.
• It closes with the vendor's own framing of how adaptive identity supports secure growth across public-sector programmes.

👉 Read SailPoint’s analysis of NASCIO’s 2026 identity-first priorities →

NASCIO 2026 and identity-first government: what changes for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →