What NASCIO’s Top 10 Priorities Reveal About the Future of State Government IT 

Josh Ellars March 17, 2026

2026 marks the 20th release of NASCIO’s “State CIO Top Ten Policy and Technology Priorities” list, a report drawn from surveying all 51 state and territory Chief Information Officers in the USA. This year’s list carries a headline shift: artificial intelligence claims the number one spot for the first time, ending cybersecurity’s 12-year reign at the top. In this article, Esper examines what the recommendations in this year’s list mean for state agencies.

Key Takeaways:

  • AI is now the #1 priority for state CIOs — and every AI deployment depends on the quality of your policy content.
  • NASCIO’s 2026 top 10 shows that CIOs are being evaluated on governance, risk exposure, and citizen outcomes — not just system uptime.
  • Every one of the 10 priorities has a dependency on something your department controls: how your policies are documented, maintained, and published.
  • Agencies with fragmented policy infrastructure will encounter friction at every pressure point on this list.
  • The 2026 DOJ accessibility deadline is here — and it starts upstream, in how your policy content is created, not just how it is displayed.
  • Workforce retirements are accelerating. Only 12% of state and local agencies have a succession plan in place.

The Move From Infrastructure to Accountability

For most of GovTech’s history, IT was responsible for keeping systems running. Stability was the metric.

That era is not over. But stability alone is no longer sufficient.

The 2026 NASCIO priorities reflect a maturation: CIOs are now being evaluated on governance, risk exposure, and the quality of services their infrastructure supports. That is a fundamentally different job description — and it creates different expectations for every department that depends on those systems.

The practical question is whether your internal operations are keeping pace.

The 2026 NASCIO top 10 at a glance

Priority | What it signals | What it means for your department
1. AI / GenAI / Agentic AI / ML | AI is now the top mandate | Fragmented policy content produces unreliable AI outputs at scale
2. Cybersecurity & risk management | Governance is the new perimeter | Informal policy updates and untracked approvals are audit liabilities
3. Budget / cost control | Every investment is under scrutiny | Hidden overhead from manual policy tracking rarely appears in a budget line
4. Modernization | Modernization includes how rules move | Email approvals and manual version control are legacy processes
5. Digital government / digital services | Digital services fail without accessible content | Policy clarity directly affects call volume and complaint rates
6. Accessibility | Policy publication is compliance infrastructure | Inaccessible PDFs are a DOJ liability starting April 2026
7. Identity & access management | Access to policy must be controlled | Undocumented editing rights create security and compliance exposure
8. Data management & analytics | Policy is data | Rules stored in static documents cannot be traced or measured
9. Consolidation / optimization | Centralization requires documented processes | Agencies cannot consolidate what they cannot see or audit
10. Cloud services | Cloud tools must support governance | SaaS tools are subject to the same audit expectations as enterprise systems

Walking Through All 10 Priorities

1. Artificial Intelligence / GenAI / Agentic AI / ML: AI depends on structured policy

For the first time in 12 years, AI has displaced cybersecurity at the top of the NASCIO list. That is not a symbolic gesture — it reflects where state government technology investment and accountability pressure are actually concentrated right now.

AI is moving into frontline service delivery. Chatbots are answering questions about public programs. Automated systems are screening applications. Agentic AI is beginning to handle multi-step administrative workflows. According to the 2025 State CIO Survey, states are already using GenAI to draft, review, and summarize policy documents, legislation, and contracts.

Every one of those systems depends on source material. Here is the operational risk that rarely gets surfaced in AI conversations:

  • AI systems are only as accurate as the rules they are pointed toward.
  • If your policies are fragmented across shared drives, outdated PDFs, and institutional memory, automated systems will reflect that fragmentation.
  • Inconsistent or ambiguous policy language does not just confuse staff — it produces unpredictable outputs at scale, in front of residents.

This priority is as much about your regulatory content as it is about the technology layer on top of it.

2. Cybersecurity & Risk Management: Governance is the new perimeter

Cybersecurity drops to number two for the first time in over a decade, but the underlying emphasis has not softened — it has evolved. NASCIO’s framing goes beyond firewalls and endpoints. The focus is on governance: documented controls, clear ownership, and auditable decision-making.

  • Informal policy update processes create compliance exposure that security tools cannot detect.
  • Undocumented approval chains are a liability when auditors ask for evidence.
  • Untracked version histories make it impossible to demonstrate what changed, when, and who authorized it.

If your department moves policy changes through email threads, that is a governance gap. It will surface in a security audit before it surfaces anywhere else.

3. Budget / Cost Control / Fiscal Management: Governance gaps create budget risk

Budget and cost control sees significant upward movement in the 2026 list — a reflection of the fiscal environment state governments are navigating. Every technology investment is now under scrutiny. The expectation is measurable value.

The hidden costs of poor governance tend to surface in ways that are difficult to explain:

  • Audit remediation that consumes staff time and agency budget.
  • Redundant systems maintained because no one documented what each one does.
  • Manual policy tracking overhead that never appears in a budget line but is very real.

When asked to justify administrative costs during a constrained fiscal year, agencies with documented processes are in a stronger position than those without them.

4. Modernization: Modernization must address how rules move through your agency

Legacy modernization is usually framed as a technology problem. Replace the old platform. Migrate the database. Retire the system. But NASCIO’s framing is broader — business process improvement appears explicitly in this priority.

The agencies that have struggled most with modernization are often those that digitized their existing processes without questioning whether those processes were fit for purpose. These are all legacy processes:

  • Email-based policy approvals.
  • Manual version control tracked in spreadsheets.
  • Printing final rules to distribute across a department.

Modernization that does not address how rules are drafted, reviewed, approved, and communicated has only solved half the problem.

5. Digital Government / Digital Services: Digital services fail without accessible regulatory content

State governments are investing heavily in portals, self-service tools, and improved citizen experiences. The goal is to let residents resolve issues without calling a phone number or waiting in line.

That goal is only achievable if the underlying content is accurate, current, and clear. When residents navigate a self-service portal and land on ambiguous program rules — or find procedures that contradict what a caseworker told them — the experience fails, regardless of how well the portal was designed.

Call volume and complaint rates are often the first signal that something in the policy layer is broken. Your digital services team cannot fix that. Your department can.

6. Accessibility: Policy publication is compliance infrastructure

Accessibility sees significant upward movement in the 2026 list. That timing is not coincidental — the deadline is now.

The Department of Justice’s April 2024 final rule updated Title II of the ADA to require state and local governments to make their websites, mobile apps, and digital content conform to WCAG 2.1 Level AA standards. Compliance deadlines began in April 2026 for larger jurisdictions.

Accessibility is not a design sprint. It is a workflow requirement that starts upstream — in how policy content is created and published. Agencies that produce regulations in inaccessible PDFs, or maintain public-facing guidance in formats that screen readers cannot parse, are sitting on a compliance liability right now.

7. Identity & Access Management: Access to policy must be controlled and documented

Authentication and credentialing infrastructure is expanding across state government. For policy systems specifically, this matters in ways that are often overlooked:

  • When multiple staff members can edit a policy document without tracking who changed what and when, role clarity breaks down.
  • When contractors or vendor staff have access to internal procedures without documented controls, it creates both security and compliance exposure.

Identity management is not just an enterprise IT problem. It reaches directly into the policy and procedure workflows of every department.

8. Data Management & Analytics: Policy is data

This priority focuses on data governance, accountability metrics, and defensible reporting. But there is an operational detail worth surfacing: policy stored in static documents is largely invisible to analytics.

If you are expected to report on program performance or compliance rates, those reports need to trace back to clearly defined rules. When policy lives in PDFs or unstructured documents, connecting performance data to specific rules becomes a manual exercise that most agencies do not have the bandwidth for.

Data management and analytics has ranked in the NASCIO top 10 every year since 2016. The pressure on agencies to produce defensible, data-driven reporting is not going anywhere.

9. Consolidation / Optimization: Centralization requires documented processes

Consolidation returns to the NASCIO top 10 in 2026 after a period off the list — reflecting renewed pressure to centralize services, operations, and infrastructure across state government.

The operational reality: you cannot consolidate what you cannot see or audit. Agencies attempting to merge policy and regulatory functions across departments will encounter an immediate obstacle if procedures are undocumented, version-uncontrolled, or siloed in individual inboxes. Consolidation without documentation infrastructure creates as many problems as it solves.

10. Cloud Services: Cloud tools must support transparent governance

Cloud adoption at the state level is no longer in its early stages. The 2026 priority reflects that maturity — the emphasis has shifted from adoption to oversight.

For department leaders, this means the SaaS tools your team uses are subject to the same governance expectations as enterprise systems. The question is not just whether a tool works well. It is whether it:

  • Supports audit requirements.
  • Integrates with enterprise identity frameworks.
  • Produces a documented record of activity that can withstand scrutiny.

A Note on Workforce: The Documentation Risk Is Specific

The 2026 list does not include Workforce as a standalone top-10 item — but that does not mean the risk has diminished. According to a 2024 survey by the MissionSquare Research Institute, 54% of human resource managers at state and local agencies expect a large wave of retirements in the coming years. Only 12% of those agencies have a succession plan in place.

The operational risk is specific. When a program specialist who has managed a regulatory process for fifteen years retires, what they leave behind tells the whole story. If procedures are documented, version-controlled, and accessible, the transition is manageable. If the process lives primarily in that person’s head — or in email chains they will no longer have access to — no amount of onboarding fully solves the problem.

Workforce resilience is increasingly a documentation problem. That thread runs through nearly every priority on this list.

What Connects All 10 Priorities

Read through the full list and one dependency appears across every priority area: documented, controlled, and accessible policy infrastructure.

  • AI requires authoritative source material to function reliably.
  • Cybersecurity requires auditable approval processes.
  • Digital services fail without clear, current policy content.
  • Budget justification requires defensible process documentation.
  • Consolidation requires visible, auditable workflows.
  • Accessibility compliance starts in the publishing workflow.

Not ten separate problems. Ten different expressions of the same underlying condition.

Agencies with rules stored in inboxes, PDFs, and disconnected systems will encounter friction at every one of these pressure points. That friction shows up in audit findings, in AI systems producing unreliable outputs, in accessibility complaints, and in staff spending hours reconstructing approval histories before a legislative hearing.

The pattern is consistent enough to name directly: most of the operational risk embedded in this year’s NASCIO priorities does not originate in your IT department. It originates in how your agency manages its rules.

The Practical Question Your Agency Should Be Asking

NASCIO’s 2026 priorities reflect what state CIOs are being held accountable for. And because their accountability flows downstream to the departments they serve, those same standards are coming for you — if they have not arrived already.

The question is straightforward: does your current policy and regulatory workflow support the governance, transparency, and accessibility expectations embedded in this list? Or does it create friction against them?

That assessment may be one of the most consequential modernization steps your agency takes this year. Tools like Esper were built specifically for this: helping agencies bring their policy and regulatory workflows into a structured, auditable, and accessible environment. But regardless of the tool, the underlying work is the same.

You need to know where your policy infrastructure stands before you can determine what it needs.
