State CISO Confidence Crashes from 48% to 22% as AI Attacks Surge
Krasa AI
2026-05-28
State cybersecurity chiefs are watching their confidence collapse. The 2026 NASCIO-Deloitte Cybersecurity Study, the biennial benchmark for public-sector security, found that just 22% of state CISOs now describe themselves as "extremely" or "very confident" in their ability to protect public data — down from 48% in 2022. That's less than half the confidence level of four years ago, and the cause is unmistakable: AI is reshaping the attack surface faster than government defenses can keep up.
The study, released by the National Association of State Chief Information Officers and Deloitte, surveyed CISOs across all 50 U.S. states. It paints the clearest picture yet of how AI is changing public-sector cybersecurity — and how badly the people responsible for defending state systems feel they're falling behind.
The numbers
The headline drop — 48% to 22% over four years — is the steepest fall the survey has ever recorded. Other findings reinforce the picture. Sixteen percent of states reported cybersecurity budget reductions in 2026, up from zero in 2024. Only 22% reported budget increases of 6% or more, down from 40% two years ago.
Meanwhile, CISOs' responsibilities are expanding. Ninety-four percent said they're actively involved in developing GenAI security policies — a brand-new line item that didn't exist on the 2022 survey. Forty-nine percent named effectiveness metrics as their top initiative for 2026, more than triple the 15% who said so four years earlier.
The combination is brutal: more responsibility, less budget, and a threat landscape transforming under their feet.
What's actually changing on the attack side
The study identifies three emerging AI-driven threats hitting state systems. First, deepfakes — synthetic voice and video that can fool human reviewers and evade existing detection tools. Voice cloning attacks against state benefit programs and unemployment systems have already been documented in multiple states.
Second, autonomous AI agents that probe defenses continuously. Unlike traditional vulnerability scanners, these agents adapt to what they find — adjusting payloads, varying timing, and routing through different infrastructure to avoid signature-based detection. The probe-and-adapt loop is exactly the pattern state CISOs say they can't keep up with.
Third, AI-driven ransomware-as-a-service. The barrier to running a sophisticated ransomware operation has dropped because the AI does most of the work: target reconnaissance, phishing email generation, negotiation chat handling, even cryptocurrency laundering. Foreign adversaries and organized criminal groups now have the same toolkit, and they're using it on state and local agencies that historically had weaker defenses than federal targets.
Why this matters
State governments hold an enormous share of America's most sensitive personal data — driver's license records, tax returns, health records via Medicaid, child welfare files, voter rolls. They're also the layer of government most likely to run aging IT systems with patched-over security. AI-enabled attackers are pricing those targets very differently from a year ago.
The budget picture makes the gap structural. Federal cyber resources from CISA and the FBI exist to backstop states, but the day-to-day defense responsibility sits with CISOs who in many cases report decreased budgets. When the attackers' costs are falling because of AI automation and the defenders' budgets are falling because of fiscal pressure, the gap widens every quarter.
Industry impact
Expect state procurement to shift. The survey shows nearly every CISO is now writing GenAI security policy, which means vendors selling deepfake detection, AI-aware identity proofing, and autonomous defensive agents are about to see public-sector demand spike. Companies like Reality Defender, Pindrop, and CrowdStrike already have state customers; expect contract sizes to grow.
For private companies that hold contracts with state agencies — IT services firms, cloud providers, identity verification vendors — the survey signals tighter security requirements coming in upcoming RFPs. Several state CIO offices have begun adding GenAI-specific clauses to vendor contracts, including disclosure requirements when AI is used to process state data.
The federal picture matters too. If states are this exposed, federal agencies that share data with them — Social Security Administration, IRS, HHS — inherit the risk. Expect renewed pressure for federal-state cyber coordination, including expanded use of CISA's shared services.
Expert reactions
Industry coverage has been blunt. Cybersecurity Dive characterized the survey as "the strongest evidence yet that state cyber leaders feel they're losing." BankInfoSecurity highlighted the disconnect between rising CISO responsibility and falling budget authority. StateTech Magazine flagged the 49% effectiveness-metrics number as a sign CISOs are being asked to prove ROI on cybersecurity at exactly the moment they have the least to work with.
Srini Subramanian, Deloitte's principal for state and local cyber, said state CISOs are "asked to defend more, with less, against threats that are changing faster than at any point in the survey's history." That framing is being widely repeated.
What's next
The survey's findings will feed directly into the FY27 state budget cycle starting this summer. Several state legislatures have already announced cyber-focused hearings for July and August. NASCIO is pushing for a federal cyber grant program specifically targeting AI-defense capabilities at the state level — a proposal that has some bipartisan support but no formal vehicle yet.
Watch for two things. First, whether any of the larger states announce significant new GenAI defense budgets in their FY27 proposals. Second, whether the federal government expands CISA's shared services to include AI-specific threat detection, which would partially offset the state-level budget gap.
Bottom line
State cybersecurity leaders are telling Deloitte and NASCIO that AI has changed the game and they don't have the resources to keep up. For citizens, that means state-held data — your driver's license, your tax records, your benefits applications — is being defended by teams who openly say they're less confident than they were four years ago. The fix requires either substantially more state spending, much heavier federal involvement, or both. None of that is on the table yet.