5 key questions about the CIO AI agenda in 2026

The pressure for AI strategy to change comes from many fronts including the ​​market entering a correction phase due to difficulties of translating it into financial returns, Europe launching a new wave of regulatory enforcement including the AI ​​Act, and the risk landscape being reshaped.

Bearing all this in mind, here are five key questions surrounding how the CIO’s AI plan will be shaped over the next 12 months.

Do AI and budgets see eye to eye?

By 2025, a clear pattern was emerging where many AI projects were failing to overcome the scalability barrier. This bottleneck is now an investment issue, so CFOs are more involved in the decision-making process, and are tightening budget allocation criteria.

As a result, this forces CIOs and user business units to change focus. It’s no longer enough to show that an initiative works technically. It must be demonstrated that it’s scalable, profitable, and controllable. Such increased evaluation scrutiny becomes more demanding because it has to incorporate economic aspects and the likelihood of scaling from the outset.

In this context, agent systems emerge as a potential mechanism to bridge the gap between pilot and production, though not as a guaranteed solution. Implementations have made it clear that the scaling gap lies not in the model itself, but in its integration into operations.

A well-designed agent system has the advantage of making AI consistently chain tasks, integrate tools, and standardize processes for production deployment. But it also requires more analysis because it can significantly increase costs, incidents, and risks. Therefore, the agents that’ll deliver the most value are those that incorporate robust governance from the outset.

Is it all trustworthy and thoroughly tested?

Starting this year, we enter the era of evidence. Trust in content and software is no longer assumed, and must be based on verifiable facts. Large-scale impersonation and manipulation, facilitated by AI, are already on the radar of senior management.

The first area is trust in content, both what the company consumes and produces. With increasingly compelling synthetic content, the problem shifts from reputational to operational like approvals, auditing, and internal communication. This is why there’s growing discussion about verifiable content sources and standards like C2PA, which allow for the inclusion of provenance metadata and edits so third parties can verify the origin and chain of custody.

The second area is trust in the software that the organization runs and develops, including the software it uses internally. Organizations are aware that risks exist in the software supply chain and they want to verify it. This translates into key pieces of evidence including the Software Bill of Materials (SBOM), the signing of artifacts to ensure authenticity, and build provenance. The European Union Agency for Cybersecurity (ENISA) promotes practical guides to implement these measures and reduce risks.

Evidence by default will enter into purchasing, risk assessment, and auditing processes, and increasingly more proof of software authenticity, composition, and construction will be required.

How is AI rewriting the software lifecycle and supporting agents?

Throughout 2025, the conversation about AI and software focused on productivity: writing code faster, and reducing development time, costs, and personnel. This year, a more profound shift is beginning as AI is transforming how software is built, tested, and delivered.

This shift demands organizational learning for a simple reason. AI enables faster change, but that change will be fragile if quality, testing, and observability aren’t simultaneously strengthened. So the CIO’s priority isn’t simply adding assistants, but redesigning the software factory to absorb that speed without sacrificing reliability.

Within this redesign, the emerging software engineering agents come into play, which execute specific lifecycle tasks according to certain rules. This approach is beginning to appear in products described as agents capable of resolving incidents, or as AI software engineers.

Agents will now begin to be integrated into the software factory as a controlled component, meaning they’ll have minimal permissions, clear limits on what they can do, a traceable record of every change, and human review when the risk warrants it. Without this framework, agents don’t accelerate delivery. Instead, they shift the complexity to quality assurance, security, and operations.

To what degree is AI crossing into the physical world?

AI is poised to make a significant physical impact, and the possibilities are vast in areas like computer vision, robotics, maintenance, security, logistics, retail, and healthcare. The key is that AI is no longer just providing analytics or recommendations, but it’s now moving toward performing intelligent actions.

This entry will be implemented in conjunction with regulatory compliance. The question here is what’s permitted and under what limits rather than what can be done. So compliance ceases to be an add-on and becomes an integral part of the design.

Two European frameworks in particular will shape this reality. For one, the AI ​​Act will enter an activation phase in August, increasing requirements for control, documentation, and supervision. Then the Cyber ​​Resilience Act, which comes into effect in September, mandates reporting obligations for products with digital elements.

For the CIO, the conclusion is clear that separating IT/OT, or the digital and physical worlds, is ineffective to manage this new phase. The priority is to operationally coordinate engineering, security, suppliers, and operations, because risk and liability permeate the entire chain. So the key lies in incorporating AI into operations that can withstand audits, incidents, and escalation.

What’s the remedy to combat industrialized fraud?

It’s an uncomfortable reality but needs to be faced head on. Digitally enabled fraud is escalating in volume and sophistication, and requires a cross-cutting capability that goes beyond the SOC.

The increased emphasis on content verification is part of the answer, but covering the “who” is necessary in addition to the “what.” That’s why identity verification is gaining prominence, encompassing customers, employees, and suppliers, but also non-human identities like services, APIs, and agents. The goal is to reliably verify this identity at the most critical moments.

To this end, FraudOps is emerging as a way to operationalize the fight against fraud, but it’s not limited to one-off checks, or reacting only when an alert is triggered. It transforms fraud prevention and response into a continuous and measurable process folded into critical business workflows like onboarding, payments, new account setup, data changes, and approvals. It’s a cycle of measurement and learning, where rules are adjusted to reduce false positives and improve results, while minimizing user friction.

Meanwhile, European digital identity is accelerating. The EC indicates that each member state will offer at least one version of the EU Digital Identity Wallet this year. For CIOs, this matters because it promotes verifiable credentials and avoids heavy controls.

In short, if 2024 and 2025 were years of exploration and experimentation, 2026 is the year of responsibility, both in terms of economics, or results that justify the investment, and compliance to demonstrate authenticity and identity.