For most of the past two years, business leaders have focused on one question: How do we deploy AI?
I understand the urgency. Generative AI has exploded into the mainstream, with boards demanding AI strategies and organizations rushing to pilot tools that promise increased productivity, automation, and competitive advantage.
But at Gartner Security & Risk Management 2026, a different conversation emerged.
Throughout keynotes, analyst presentations, and executive discussions, a common theme emerged: AI adoption is no longer the primary challenge. For many organizations, AI is already integrated into workflows, business processes, and employee productivity efforts. The current challenge is operational maturity. Organizations must establish the governance, workforce readiness, visibility, security, and resiliency required to manage AI at scale.
For CIOs, this change represents a defining moment. Success will no longer be measured by how quickly organizations adopt AI. Instead, you will be evaluated on how effectively you can operate it.
The AI conversation is changing
One of the most powerful messages from Gartner’s opening keynote came from Leigh McMullen, Distinguished Vice President Analyst and Gartner Fellow, who challenged attendees to rethink how they view the future of AI and cybersecurity.
While headlines continue to focus on the increasingly sophisticated threat posed by AI, McMullen argued that organizations should focus on transformation rather than fear.
He suggested that greater opportunities lie in automation, modernization and resilience.
“The most tangible value from AI today is not in replicating or replacing existing workers with AI reasoning,” McMullen said. “This eliminates technical debt and modernizes to a secure software stack designed around AI.”
His comments highlight the changes occurring across the company.
The question is no longer whether AI will become part of your business. That question has already been answered. The challenge now is to determine how organizations can effectively manage, protect, and optimize these investments over time.
In many ways, the industry is entering the second phase of AI adoption, with a focus on execution rather than experimentation.
Governance becomes the new competitive advantage
As AI adoption accelerates, organizations are realizing that visibility can be just as important as innovation.
According to Neil Cohen, VP of Marketing at Portal26, conversations with enterprise customers have evolved significantly over the past year.
When AI governance first emerged, the discussion focused primarily on security and risk management. Today, organizations are asking broader operational questions.
- Which tools are delivering measurable value?
- How can organizations identify successful use cases?
- How should leaders measure return on investment?
- How can you tell if your AI efforts are actually delivering business results?
“AI is not about security,” Cohen says. “AI is about how can we be more competitive?”
This perspective reflects the growing reality facing CIOs.
While security remains essential, business leaders increasingly need visibility into how AI is used across their organizations. they need to understand Adoption trendsmonitor costs, assess business impact, and identify optimization opportunities.
This challenge is particularly complex because AI adoption often begins organically. Employees try out the tools on their own. Teams develop their own workflows. New applications emerge faster than governance frameworks can keep up.
As a result, organizations are moving beyond simple risk management to evidence-based AI governance. Rather than asking if AI is being used, they are asking how it is being used and whether it is delivering measurable value.
Organizations that can effectively answer these questions have the potential to gain a significant competitive advantage.
Talent gap becomes AI gap
Technology alone does not determine success.
Employee readiness remains one of the biggest barriers to enterprise AI maturity, according to Victoria Cason, senior principal analyst at Gartner.
In a breakout session focused on building AI-enabled cybersecurity teams, Cason described the challenge as a new take on a familiar problem.
“Cybersecurity has always had a talent issue,” she explained. “Right now, we don’t have the right AI skills or we don’t have enough AI skills.”
This issue extends beyond cybersecurity.
Organizations across all industries struggle to develop the knowledge and expertise needed to support rapidly evolving AI initiatives.
Cason highlighted an important distinction that many organizations overlook: the difference between AI literacy and AI proficiency.
AI literacy includes understanding basic concepts, identifying hallucinations, and recognizing the limitations of AI systems.
However, mastering AI requires practical application. This includes rapid engineering, model validation, AI governance, workflow integration, and the ability to securely deploy and manage AI systems in real-world environments.
This distinction is important because organizations are often assumed to be automatically primed when exposed to AI tools.
In fact, AI-enabled organizations require structured learning programs, role-specific training, continuing education, and cross-functional collaboration.
This challenge is especially urgent as AI innovation continues to outpace talent development.
As organizations pursue ambitious AI initiatives, many employees are still learning how to use the technology effectively.
Talent development can no longer be treated as a secondary consideration for CIOs. Building AI capabilities has become as important as deploying AI technology.
Infrastructure still matters
While AI dominates the C-suite conversation, fundamental technology disciplines are as important as ever.
John Walsh, field CTO for government and critical industries at IGEL, believes AI is accelerating conversations that many organizations are already having around modernization, identity, and zero trust.
“It’s interesting in the sense that there are two pieces,” Walsh said. “One is modernization, including at the edge. And of course, you can’t leave a conversation about modernization and advanced workloads without talking about AI.”
For many companies, AI implementation has exposed weaknesses in their existing infrastructure.
Organizations are realizing that a successful AI strategy requires more than a powerful model and an ambitious roadmap. They also require trusted endpoints, resilient architecture, strong identity frameworks, and integrated security controls.
Walsh argues that Zero Trust continues to be one of the most effective foundations for addressing these challenges, especially as organizations seek to balance modernization efforts with increasing regulatory requirements.
As companies move toward agent AI, the debate becomes even more complex.
As autonomous agents begin to participate in business processes, traditional approaches to identity and access management may need to evolve.
“We need to treat it like non-human identity” Walsh said.
This idea reflects growing awareness across the industry.
AI systems are no longer just tools used by employees. They are increasingly actively participating in workflows, making decisions, accessing information, and performing tasks independently.
As these capabilities expand, organizations may need to apply many of the same principles used to manage human users to the AI agents themselves, such as identity management, access control, monitoring, and accountability.
The future of AI governance may ultimately look a lot like the future of identity management.
Resilience becomes the decisive strategy
Perhaps the most important takeaway from Gartner Security & Risk Management 2026 is the increased focus on resilience.
For years, the conversation around cybersecurity has centered on prevention.
- How can we eliminate the risk?
- How can I prevent a breach?
Mr. McMullen disputed that idea.
He argued that as AI accelerates both innovation and cyber threats, organizations need to focus on their ability to adapt, recover, and continue operations when disruption occurs.
“Resilience is the only strategy,” he says.
This concept goes far beyond cybersecurity.
Operational resilience includes technology, people, processes, governance, and culture. To do so, organizations must continually test resiliency capabilities, modernize aging systems, automate repetitive tasks, and build operating models that can adapt to change.
In an AI-driven world, resilience will become inseparable from business performance.
Organizations that can quickly adapt to new technologies, evolving threats, and changing market conditions are in a position to move faster than their competitors.
Those who cannot do this may find it difficult to keep up with the pace.
conclusion
Taken together, the conversation at Gartner suggests a larger transformation is underway.
- AI governance is now an integral part of workforce strategy.
- Workforce strategy is now inseparable from infrastructure modernization.
- Infrastructure modernization has become an integral part of resilience.
- Resilience has become an integral part of business success.
Today, the CIO is at the center of all four.
The next stage of AI will not be defined by who adopts the tools the most.
It all comes down to who can operate AI most effectively.
This means gaining visibility into AI usage, developing an AI-ready workforce, modernizing underlying technology, establishing governance frameworks, and building resilient operating models that can adapt as AI continues to evolve.
The AI race is entering a new chapter.
Organizations that gain an advantage are not necessarily those that have adopted the most AI tools. They can manage, secure, scale, and continuously optimize AI across the enterprise.
For CIOs, the challenge is no longer just beginning.
We are putting AI to work at scale.
