In July 2026, discussions about CIO priorities are less and less likely to begin with technology itself. AI promises productivity gains, cyber resilience sets the limits for secure scaling, and cloud costs reveal how much room there is in the budget for further projects.
This is a significant shift for boards of directors. Until recently, generative AI was, for many companies, an area of experimentation, testing and pilot schemes. Today, it is increasingly becoming a budget line item, a component of operational strategy and a source of questions about the actual return on investment. According to a survey by RBC Capital Markets, all the companies surveyed were planning AI budgets for 2026, and over half already had AI solutions in production environments.
For CIOs, this means less talk about the technology’s promise alone, and more about its implications. AI increases the demand for computing power, data and integrations. The cloud allows such projects to scale rapidly, but at the same time very quickly reveals their cost. Cybersecurity is ceasing to be a separate area of control, as any data-driven automation increases the number of access points, dependencies and potential errors.
That is why a CIO’s three priorities do not form a straightforward to-do list today. They are more like a single portfolio of decisions. The first concerns which AI applications are actually worth developing. The second is what level of digital resilience the company wants to have before allowing automation to penetrate deeper into its processes. The third is whether the cloud bill is already linked to business value, or whether it remains a technical invoice that is difficult to translate into results.
AI in business: fewer pilot projects, more selection
The greatest risk in AI today is not solely that the technology will fail to work. Increasingly, it lies in the fact that it works too easily. Tools are readily available, teams quickly develop their own solutions, and successive departments see AI agents as a way to speed up their work. This can bring tangible benefits, but without a common management model, it easily leads to scattered costs, duplication of tools and more difficult data control.
The Wall Street Journal has already reported on the problem of an excess of AI agents in companies such as Lyft, DaVita, GitLab and FICO. Organisations are beginning to face a situation where agents are being created faster than the mechanisms to oversee them. In the background, questions are arising about the costs of tokens, access to data, accountability for decisions and the security of processes.
From a business perspective, therefore, selection is becoming increasingly practical. Not every AI implementation will warrant scaling. Value arises where a solution has a business owner, a clearly defined objective and a measurable impact on cost, revenue, customer service, productivity or the quality of decisions. In many companies, a simple principle is becoming a good benchmark: buy the foundation, but build your competitive advantage close to your own data, processes and customers.
Cyber resilience as a prerequisite for scaling AI
The second area is cyber resilience. In 2026, this is no longer merely a means of protection against incidents, but a prerequisite for the smooth scaling of technology. The more an organisation automates, the greater the importance of identity, permissions, access control, backups, monitoring and recovery scenarios following a failure or attack.
AI is also changing the very economics of cyber threats. Agent-based systems can support multi-stage tasks, analyse code, utilise tools and accelerate the identification of vulnerabilities. Research into agent-based AI suggests that such solutions can shorten the attack cycle, reducing the cost of phishing, credential abuse, vulnerability analysis and post-compromise activities.
This does not mean that companies should put the brakes on automation. A different perspective seems more accurate: scaling AI is much easier where access to data, responsibility for systems and post-incident procedures have already been organised. Cyber resilience is therefore becoming part of the conversation about growth, rather than merely about risk reduction.
The cloud and costs: a calculation that must be linked to the business
The third piece of this jigsaw is the cloud. For years, it has been presented as a means of achieving flexibility and faster project deployment. This remains true, but in the age of AI, flexibility comes at an increasingly clear cost. Models, agents, data, test environments and integrations can rapidly increase infrastructure usage. Consequently, the conversation about the cloud is shifting from the level of the overall bill to the level of the cost per customer, transaction, query, model or process.
Data from Flexera illustrates the scale of the challenge. According to the ‘State of the Cloud 2026’ report, 81 per cent of organisations use AI, whilst wasteful cloud spending has risen to 29 per cent for the first time in five years. At the same time, 85 per cent of companies still regard cloud cost management as one of their main challenges.
This does not necessarily mean making simple cuts. In a more mature approach, FinOps becomes a way of freeing up budget space for projects with greater business potential. A well-defined cloud cost structure makes it possible to see which applications support growth, which require modernisation, and which consume resources without delivering a clear benefit. A similar problem is beginning to affect AI itself: according to Flexera data, only 31 per cent of organisations have accurate visibility of their AI software expenditure, whilst 59 per cent are seeing an increase in wasted spending in this area.
The CIO between AI, cyber resilience and the cloud
At this point, the CIO’s role is becoming more business-focused than ever. It is no longer solely about choosing a supplier, architecture or tool. The ability to translate technology into the language of finance, risk and operational value is becoming increasingly important. AI without cost control can become an expensive experiment. Cybersecurity without an understanding of the business can stifle innovation. The cloud without product owners may remain a cost that nobody can link to a specific outcome.
That is why the most important discussion in companies today is not about the sheer number of AI projects. It is about which of them make business sense, what risks they introduce, and how much it costs to run them at scale. This brings the CIO closer to the board, the CFO, the CISO and the process owners. Technology remains the starting point, but decisions are increasingly being made where margin, resilience and pace of development intersect.
The second half of 2026 may show that the advantage will go not to the organisations with the highest number of AI implementations, but to those that can combine technological ambition with operational resilience and transparent infrastructure economics. For CIOs, this means a shift in focus: from implementing yet more tools to building a portfolio of decisions that the business can understand, fund and defend.

