theNet by CLOUDFLARE

AI is the top NASCIO priority

New AI initiatives rise above cybersecurity and risk management

Every year, the National Association of State Chief Information Officers (NASCIO) publishes its top 10 list of strategic priorities. For 2026, artificial intelligence (AI) tops the list, swapping spots with cybersecurity and risk management, which has fallen to number two after holding the first position for 12 straight years.

The shift is not entirely surprising. Government agencies — like organizations in other sectors — are eager to implement new AI capabilities and AI agents. IT leaders in the public sector recognize the transformative power that AI can have in delivering responsive services and enhancing operational efficiencies. The challenge is achieving that transformation while controlling risks.


AI tops the list

Many state and local government agencies have already launched key AI initiatives. For example, intent on improving digital experiences, they are building AI-powered chatbots that can offer fast, consistent, and compliant responses to user requests and questions. And they are developing AI agents to enhance efficiency by automating processes.

These initiatives for implementing new AI capabilities often run ahead of security efforts. But AI security must be a high priority. IT and security leaders need to guard against corruption of data and models, and they need to prevent attacks that could lead to exfiltration of highly sensitive data. At the same time, they must ensure the accuracy of AI-generated output, which could otherwise spread misinformation to users.



The need for modernization is growing

In concert with AI projects, state governments are determined to modernize legacy software, infrastructure, and processes. Modernization has risen from the fifth spot in 2025 to number four in 2026. According to the 2026 Cloudflare App Innovation Report, public sector organizations are driven to modernize apps, in particular, to support cloud adoption, improve user experiences, and foster greater collaboration.

Still, it’s clear that many organizations have a way to go with their modernization efforts. In terms of app modernization, only 37% are ahead of schedule while 22% are behind. Accelerating all modernization efforts will be critical for increasing efficiency, delivering the experiences that users expect, and cutting costs — a critical mandate for today’s government that has taken the third spot in the top 10 priorities.


Digital services remain a high priority

Digital government services have fallen from the third spot to fifth, possibly because delivering those services today could involve AI (which has claimed the top spot). There’s little doubt, however, that agencies are forging ahead with digitizing the government.

With practically everything available online, people want top-notch digital services from the government too. It shouldn’t matter that different agencies handle different things. They shouldn't have to sift through long lists of agencies, find the right website, and create another account to interact with the government. No one should suffer a “time tax” associated with complex searches, confusing processes, time-consuming applications, and long response times. But this is today’s reality for government services for much of the country.

State and local governments are keenly aware. The general public may not realize it, but government leaders care deeply about service delivery — and they’re taking action.

For example, states are investing in public-facing web portals that enable seamless, cross-agency access to every service they offer. When modernizing applications, they apply the latest human-centered design principles to put people first. They combine single sign-on with passwordless multi-factor authentication so users have only a single credential (without a password!) to manage. And they’re innovating with AI-powered digital assistants to bring the future of government services to life.

Without a doubt, great digital experiences help build trust in the government. The intense focus explains why digital services remain among the top concerns.


Strengthening resilience for your organization

Though cybersecurity and risk management remain critical (dropping only to second place for 2026), the annual ranking of priorities continues to omit priorities such as “availability,” “reliability,” and “resilience.” But if bolstering user trust is still essential to state and local governments, then some version of these priorities should be toward the top of the list. Few things erode trust more than services that just don’t work.

Of course, availability is a core tenet of security alongside confidentiality and integrity, so you could say it’s implied. However, in recent years, the term “resilience” has appeared more explicitly as the foundation of trustworthy systems. Resilience might sound like a fancier word for availability, but there’s more to it than that. Resilience shines a bright light on the key issue: building trust. NASCIO should consider stating it explicitly, just like they do with governance, user experience, accessibility, and third-party risk.

To help organizations enhance resilience, the National Institute of Standards and Technology (NIST) issued two 800-160 Special Publications on trustworthy systems (vol 1) and cyber resilient systems (vol 2). A key quote stands out: “Trustworthiness is the demonstrated ability and, therefore, the worthiness of an entity to be trusted to satisfy expectations, including satisfying expectations in the face of adversity.” In other words, you earn trust when you deliver consistently, even when times are tough.

And times can get tough quickly when systems slow down or stop responding. The cause might be a cyber issue like ransomware or a denial-of-service attack, but it might also be an operational issue like an unexpected traffic spike or human error that turns into a full-blown crisis. Few will forget how the pandemic shut down businesses all around the country, and millions of people flooded states’ unemployment application systems — crashing websites and causing long delays for vital benefits. That sort of failure in the face of adversity helped undermine trust in the government at a critical time.


Building resiliency for state and local governments

Is resilience toward the top of your organization’s list? Here are five areas where you might focus your efforts.

  • DDoS mitigation
    Attackers use distributed denial-of-service (DDoS) attacks to disrupt services, or sometimes simply to divert attention away from another attack. DDoS attacks overwhelm systems with traffic originating from many sources, making them difficult to stop — even for upstream Internet service providers. But it doesn’t have to be this way. Today, you can connect your digital services to a modern, global connectivity cloud that has the visibility and expertise necessary to identify and stop DDoS attacks.

  • Secure DNS
    Like other core Internet services, the domain name system (DNS) was not designed with security in mind. Attackers can therefore exploit its weaknesses and degrade service quality, redirect users to malicious sites, or intercept email. DNS enhancements like the domain name system security extensions (DNSSEC) protocol evolved to authenticate DNS requests but still did not defend against DDoS attacks. Therefore, a top priority should be adopting a secure DNS solution that combines high-performance DNS services with DNSSEC and DDoS protection to ensure your services are always available and protected from DNS-based attacks.

  • Web application protection
    Web platforms are constantly being attacked with ever-emerging threat vectors and tactics. Whether threats are well known and defined by the Open Worldwide Application Security Project (OWASP) or emerging new zero-day threat vectors, a modern web application firewall (WAF) needs to be able to address both at scale. Exposed credential checks, API-centric controls and sensitive data detection within responses are also critical table stakes for a holistic approach to protecting web applications. These controls must constantly be updated with the ever-changing landscape. Therefore, consider a WAF provider that leverages machine learning trained by an extensive global sensor network to identify and respond to these emerging threats.

  • Application acceleration services
    Driving user experience within digital services centers not only on the application architecture and human-centered design principles but also on the availability and acceleration of content to the end user. Advanced caching and content management capabilities that are intrinsically wrapped in the security controls mentioned above are critical components to driving performance, resiliency, and ultimately trust in those systems. To effectively achieve these goals, providers must have a distributed footprint where acceleration and security are tightly coupled together.

  • Network acceleration services
    Providers that operate the network backbone interconnecting their service nodes or policy enforcement points (PEP) bring another aspect to resiliency. For example, when bottlenecks arise, traffic can be rerouted around congested areas to alternate nodes. This ability to see the end-to-end path and exercise control of how requests and responses are routed in response to real-time conditions significantly drives resilience and performance. Consider a cloud security provider that operates not only a global distribution of PEPs for security and acceleration services but also the network infrastructure interconnecting those PEPs.


Make service resilience an explicit goal

It’s not surprising that AI topped this year’s NASCIO list. Technology leaders for state and local governments see the tremendous promise for AI to improve user experiences, enhance internal efficiency, and drive down costs.

But to maintain those improved experiences and strengthen user trust, governments must also prioritize resilience. User satisfaction and trust depend on critical services being available in the face of adversity.

Cloudflare offers a suite of services designed specifically for US government and public sector organizations. These services enable organizations to accelerate AI initiatives while enhancing security and improving resilience. Services are delivered from a single platform built on a global, highly resilient cloud network with built-in security and performance. With Cloudflare, organizations can address both of the NASCIO priorities without adding complexity.


This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.



Key takeaways

After reading this article you will be able to understand:

  • Why state and local agencies must prepare for future disruptions now

  • The Internet’s key role in delivering government services

  • Three steps to strengthen digital infrastructure


