Hardest IT roles to fill in 2026 and what's changed

AI/machine learning and cybersecurity are tied as the hardest IT roles to fill in 2026, according to CIO.com's State of the CIO survey, with demand shifting toward hybrid roles that combine AI expertise with business acumen. Risk management entered the top five for the first time, while cloud architecture and application development fell as AI tools reshape hiring priorities. IT leaders increasingly prefer upskilling insiders over chasing scarce talent for these evolving positions.

Skill demands have shifted toward hybrid, AI-informed roles that IT leaders view as better filled by upskilling insiders than chasing talent in a volatile market. These days, hiring a specialist is relatively easy — a SOC analyst, an ML researcher, a cloud architect. Those requisitions close in weeks. What stays open for six to nine months are hybrid roles: engineers fluent in AI who can go deep in code and also understand the business. “Three skills, one person, small pool,” says Neal Sample https://www.linkedin.com/in/nealsample/ , chief digital and technology officer at Best Buy. “These hybrids are the future of IT — and are hard to find right now.” Two years after AI leapfrogged cybersecurity as the most difficult IT skill to hire for in CIO.com’s State of the CIO survey, the top of the list hasn’t budged. AI/machine learning and cybersecurity are now tied as the hardest roles to fill, according to the 2026 State of the CIO survey https://us.resources.cio.com/resources/state-of-the-cio/ , with data science and analytics close behind. But while the rankings look familiar, the nature of the talent crunch has shifted. The hunt for LLM engineers and prompt specialists has given way to demand for people who can operationalize AI at scale, govern its risks, and wield it effectively without blindly trusting it. Meanwhile, risk management has climbed into the top five for the first time, while business/IT automation is holding steady near the top. And pressure has eased on roles that dominated just a few years ago: cloud architecture has dropped, and application development has fallen off https://www.cio.com/article/3951133/remember-when-developers-reigned-supreme-the-market-for-software-coding-goes-soft.html the list entirely as AI tools reshape what developers actually do. “The most challenging roles are anything that needs to be bundled with AI,” says Niel Nickolaisen https://www.linkedin.com/in/nielnickolaisen/ , IT advisor and field CTO at Valcom Technologies. Security analysts who can use AI to improve cyber posture while bad actors sharpen their attacks. Software engineers skilled at using AI platforms to design, build, and deploy. “There are simply not yet enough of these people available,” Nickolaisen says. Hardest-to-fill IT roles: 2026 vs. 2024 | Skill | 2026 rank | 2024 rank | Change | | AI/machine learning | 1 tie | 1 | Steady | | Cybersecurity | 1 tie | 2 | Rising | | Data science/analytics | 3 | 3 | Steady | | Business/IT automation | 4 | 4 tie | Steady | | Risk management | 5 | 8 tie | Rising | | Software engineering | 6 tie | 6 tie | Steady | | DevOps/DevSecOps | 6 tie | 11 tie | Rising | | Enterprise architecture | 8 tie | 10 tie | Rising | | Cloud services/integration | 8 tie | 12 tie | Rising | | Cloud architecture | 8 tie | 6 tie | Falling | | Design thinking/UX | 8 tie | 15 tie | Rising | Source: Foundry/CIO.com State of the CIO Survey, 2024 and 2026 AI hiring grows up IT leaders seeking LLM expertise can take heart in the fact that the frenzy around LLM engineers has eased. “Prompt engineering as a standalone job title was a short-lived fad,” Best Buy’s Sample says. “Today, it’s a baseline skill.” But what most organizations are looking for now is different: AI product engineers who can stand up agents, build testing frameworks, manage the cost-latency-quality triangle, and deploy AI at scale. They’re also trying to fill governance https://www.cio.com/article/4137022/new-it-roles-emerge-to-tackle-ai-evaluation.html and red-team https://www.csoonline.com/article/4029862/how-ai-red-teams-find-hidden-flaws-before-attackers-do.html roles that didn’t exist on anyone’s org chart three years ago. “The center of gravity moved from people who build models to people who wield them,” Sample says. “That’s a very different resume.” Gen AI and LLM tools have become intuitive enough that the skills organizations need have evolved toward more agentic AI and less prompt engineering. “We need people who understand workflows, process simplification, and can work with an agent platform to automate work and tasks,” says Nickolaisen of Valcom Technologies. “I expect this will change over the next year or two as the agent platforms get more intuitive. We can then focus our reskilling on how to make agents more autonomous.” The challenge is that AI is evolving so rapidly — and being invested in by everyone from cloud providers to the startup ecosystem — that experience at one company may not translate to another, and what someone learned six months ago may already be outdated. “Best to look for people with a broad understanding and ability to consume market shifts constantly happening,” says Scott Hicar https://www.linkedin.com/in/scotthicar/ , a fractional technology leader focused on the private equity market. Cybersecurity: A skills crisis, not a headcount crisis Cybersecurity’s rise to share the top spot with AI reflects more than just demand. It also signals a fundamental shift in the challenges organizations face. Six in 10 organizations now say skills gaps outweigh staffing shortages as their primary workforce challenge, according to the 2026 SANS/GIAC Cybersecurity Workforce Report https://www.sans.org/white-papers/2026-cybersecurity-workforce-research-report , a 20-point shift from just a year ago. And the consequences are measurable: 27% of cybersecurity leaders surveyed report breaches directly tied to capability gaps, while 61% say that team stress has increased over the past two years. The skills scarcity isn’t at the entry level; it’s at the senior architect tier. “People who can make a good security trade-off under real constraints, rather than read a dashboard, are hard to find,” Best Buy’s Sample says. “Those people are naming their price.” The strain on security teams is compounding. Attack surfaces have expanded with every SaaS addition, API, and agent deployed. Cyber adversaries are using the same AI tools as defenders. Security teams are burning out. Nickolaisen frames it in operational terms: “Cyber with AI is the biggest need because it’s the most near-term threat. If the bad guys can use vibe programming to build an attack in less than an hour and revise it in minutes, I need to be able to respond and modify my response in near real-time.” The SANS research found that 74% of organizations say AI is already impacting the size of their cybersecurity teams and the roles within them. SOC and security analysts are the roles most likely to be cut as AI reshapes security teams, and these are precisely the entry-level positions https://www.csoonline.com/article/4058190/ai-is-altering-entry-level-cyber-hiring-and-the-nature-of-the-skills-gap.html where the next generation of cybersecurity leaders traditionally learned their craft. At the same time, new roles are emerging, including AI/ML security specialists, AI security engineers, and AI governance analysts. The rise of ‘second-order’ AI skills Automation and risk management skills have both climbed into the State of the CIO’s top five hardest-to-fill roles for the first time — and they’re rising for the same reason. “AI blew out the surface area,” says Sample of Best Buy. “Every agent you deploy is a new automation and a new risk, and most governance, risk, and compliance GRC and ops functions weren’t designed for that pace.” With automation, the need isn’t for more RPA developers; that work has become a commodity. Organizations need people who can look at a process and decide what to automate https://www.cio.com/article/4157466/cios-reimagine-business-processes-to-reap-ai-benefits.html , what to retire, and what to redesign. “That’s three jobs welded together,” Sample says. “Business analyst, process engineer, and technologist. Anyone who does all three well is rare — and expensive.” The shift from chatbots to agents is driving much of this demand for automation talent. “The first wave of agents won’t invent new tasks; they’ll replace how existing work gets done,” says Ameya Kanitkar https://www.linkedin.com/in/ameyakanitkar/ , co-founder and CTO at AI measurement platform Larridin. “Enterprises are rearchitecting critical business workflows around fully or semi-autonomous agentic flows, and the demand for people who can build and operate these is massive.” The catch, he says, is that it requires an uncommon combination: understanding how systems work and how the business runs. Risk management presents a similar challenge. GRC functions built for SOX and PCI compliance aren’t necessarily optimized for model risk, prompt injection, or third-party AI exposure. “We’re hiring for a discipline that’s maybe five years old, against a job description that’s twenty years old,” Sample says. “That gap is the problem.” One capability that’s grown more critical is third-party risk management https://www.csoonline.com/article/4002765/third-party-risk-management-is-broken-but-not-beyond-repair.html . “With AI being embedded in most of what we purchase and use, the question becomes do I need both more people and a better-governed process to assess the AI that comes from third parties?” says Nickolaisen of Valcom Technologies. Dr. James Stanger https://www.linkedin.com/in/jamesstanger/ , chief technology evangelist at CompTIA, notes that risk management requires a different mindset than many technical workers bring to the table. “You’ve got to know your technical stuff, but you have to understand the business use of the technical stuff — otherwise you’re addressing technology, not risk,” he says. The midlevel squeeze AI coding tools and low-code platforms haven’t reduced the demand for software engineers, but they’ve changed its shape. A strong engineer with good AI tooling now produces roughly what three engineers did just a few years ago. “The squeeze is on the middle tier: the people whose day job was wiring APIs together,” Sample says. Engineering hiring is bifurcating, says Larridin’s Kanitkar: strong demand for experienced leaders who bring judgment and ownership, and for junior talent that’s AI-native from day one. “The squeeze is in the middle,” he says. “People coasting on midlevel execution are finding themselves on the wrong side of the job market.” AI tools are pushing engineers to think more like architects. “At one time, the industry was looking for IT ‘plumbers’ who could code,” CompTIA’s Stanger says. “Now the industry is demanding people who can think architecturally and in terms of risk and privacy. We don’t need keyboard code punchers; we need proactive designers who use AI to model potential performance issues.” For DevOps specifically, a consolidation is under way. “Platform engineering is the growth role,” Sample says. “The generic DevOps engineer title is being absorbed into platform or site reliability engineering SRE , and I don’t think it survives the next few years as a distinct function.” Cloud has stabilized Cloud roles have become easier to fill. Already visible in 2024, the trend has only continued. Most organizations have reached a cloud steady-state, says Valcom Technologies’ Nickolaisen. “Unless something big changes, we have our public, private, and on-prem workloads,” he says. “The skills of my system administration teams are adequate to support that.” Training programs have caught up with cloud, Stanger notes — though he adds it’s hard to say exactly why the pressure has eased. “Cloud has matured into a real profession,” Sample adds, “and more people have done it at scale for many years now.” Some cloud specialties remain hard to fill: FinOps, regulated-industry migrations, and reverse migrations. And certain workloads are coming back on-prem. “Especially AI inference, where the unit economics in cloud can be brutal at scale,” Sample says. “That’s shifting the skill mix again, and nobody’s resume says, ‘I can move workloads off the cloud intelligently.’” What’s working to close the gap If there’s one point of agreement among IT leaders, it’s this: Upskilling and internal mobility are more effective than external hiring in terms of speed, cost, and retention. “Our most productive AI engineers in 2025 were not hired as AI engineers,” says Best Buy’s Sample. “They were strong software engineers, upskilled with good internal training and real projects.” Outside expertise offers less advantage than it used to. AI has moved so fast that contractors aren’t necessarily ahead of internal teams, according to Nickolaisen. “Once my teams are over the initial hump and embrace AI, their skills develop quickly,” he says. The key is trust. “Assure the teams that we will not use the resulting productivity to get rid of people, and it’s amazing what can be done to accelerate the delivery of value,” says Nickolaisen. One change that dramatically expanded Best Buy’s talent pool was to stop treating AI hiring as a separate pipeline. “We hire engineers, then we introduce them to our take on AI,” Sample says. “That one reframe opened a pool at least 10 times larger and gave us better output.” Stanger advocates cross-skilling, apprenticeship-based mentoring, and pathway-based learning — tactics that focus on building capabilities rather than checking off credential boxes. “Instead of the tired, old, pedigree-based lens that asks, ‘Where is your four-year degree from,’ the most progressive hiring institutions are now asking, ‘What are your skillsets, and where can you take us with them?’” says Stanger. Chasing the latest job titles carries risk. “The prompt engineer hiring wave of 2023 — those roles aged out in eighteen months, and the people who took them are reskilling now,” Sample says. “Hiring a job title rather than a capability has a short shelf life. That lesson is already repeating with agentic AI in some places. It won’t age better the second time.” Soft market, hard problem The tech hiring market is sluggish, driven by uncertainty about AI-driven job displacement, economic conditions, and what Nickolaisen characterizes as “pretty much everything in our lives.” But for the skills that matter most, the competition remains fierce. “The next couple of years are critical,” Kanitkar says. “This is when the separation happens.” The frontier moves every day, which means the gap between IT organizations that master the shift and those that resist it will only widen.