IT Leaders Report · 2026

What Are IT Leaders
Actually Buying?

Insights from direct conversations with CIOs, IT Directors, VPs of Infrastructure, and Security Leaders across 1,296 organizations. Trends that took shape in 2025, continuing into 2026.

0
Technology Evaluations
0
Organizations Represented
0
IT Leader Conversations
What's Inside
01
AI Adoption Trends Who's buying, who's still exploring
02
Cybersecurity Shifts What's surging, what's stalling
03
Backup & Recovery Gaps The false confidence problem
04
Infrastructure Under Pressure VMware, EOL, Oracle migrations
05
Budget & Spend Patterns Where the money is going
06
Industry Buying Breakdown Who's buying what by sector
07
Vendor Reputation Intel What IT leaders said unprompted
08
2026 Market Signals 7 things every IT leader should know
Artificial Intelligence

AI Has Left the Strategy Room

The "should we adopt AI?" conversation is over. IT organizations are now buying specific agents, not platforms. The shift from broad exploration to funded, named use cases happened inside a single year.

6.6x
AI Help Desk Growth
Fastest-growing AI subcategory
6x
Agentic AI Growth
Conversational + agentic use cases
5x
AI for HR Growth
Self-service HR automation
0
Legacy Code Orgs
Actively modernizing with AI
AI Category Shift: Q1 2025 vs. Q1 2026 (Now)
Volume of evaluations by AI subcategory
#1 Entry Point
IT Help Desk Automation
Low risk. Fast ROI. Self-funding through ticket deflection. The clearest path from AI exploration to AI procurement.
Infrastructure Premium
Median AI Infrastructure budget 2× the market norm. Organizations investing in compute, not just software.
Emerging Gap
AI Governance & Security
Controlling how employees use AI is becoming its own budget line. CISOs need tools to see AI usage, prevent data misuse, enforce policy and the tool sets don't exist yet.
Two Kinds of AI Buyers
When we look at who is actually in the market for AI, a clear split emerges. Some organizations have specific, funded use cases already in motion. Others are exploring because leadership asked them to. These two groups buy on very different timelines.
Active and Funded
These organizations have a named problem, a budget cycle, and are actively evaluating vendors now. Real examples include:

- Document OCR for healthcare faxes (thousands processed manually today)
- SQL performance optimization and query analysis
- Vehicle condition auto-decisioning using photo analysis
- Internal knowledge chatbots for HR and policy queries
- Legacy code modernization across 17 organizations, one with 105 applications in scope
Exploring, No Budget Yet
These organizations are in discovery mode. Leadership has asked IT to look into AI, but there is no specific use case and no approved budget. Conversations with this group often stall because there is nothing to evaluate against. They will continue exploring for another 12 to 18 months before a purchase decision gets made.
Group 1 buys within 6 months. Group 2 keeps exploring for 12 to 18 months more.
The Build vs. Buy Dilemma
Organizations with internal engineering teams are not just comparing vendors against each other. They are weighing whether to build their own AI models entirely. A VP of IT at an auto auction company building AI for vehicle arbitration decisioning put the tension plainly:

"How much should we be building versus just buying?"

VP of IT · Auto Auction Company
The Cost Surprise
Usage-based pricing is a real adoption barrier that does not show up in vendor pitches. A newspaper group IT director had decided against broad AI rollout specifically because the cost scaled faster than expected:

"The cost of using generative AI is much higher than most people expected. You have to pay for the amount of usage, and that's somewhat restrictive."

IT Director · Newspaper Group
AI Governance Is an Untapped Market
Two CISOs described spending most of their time not implementing AI, but controlling how employees use it. A CISO at an ISO-certified law firm needs tools to monitor AI usage, block AI access to client data, and enforce policy. When asked about available solutions:

"The tool sets are just not there. Not a lot of vendors can do that."

CISO · ISO-Certified Law Firm
Cybersecurity

Security: From Prevention to Response

Security remains the single most active domain but the composition is shifting fast. Broad perimeter categories are plateauing. What's surging is operational: detection, response, and identity.

0%
IAM Growth
Fastest-growing security category
0%
SIEM Growth
Compliance pressure reviving log aggregation
0
Zero-Trust Conversations
0 confidently implementing, stalled by multi-vendor complexity
0
Reactive Posture
"We don't know until users call us"
Security Category Shifts: Q1 2025 vs. Q1 2026 (Now)
Active evaluations, what's growing vs. what's maturing
Zero-Trust Status
Among organizations that mentioned it

"Every vendor pitches Zero Trust but requires you to use only their stack. Finding something that can integrate across everything has proven to be a nightmare."

IT Director · Enterprise Organization
Fear vs. Reality: Ransomware vs. Phishing
What IT leaders fear vs. what they actually fight daily
Compliance as the #1 Security Driver
HIPAA (Healthcare)Most cited
NIST / NERC (Government)High
Cyber Insurance Requirements7 orgs
CMMC (Defense Contractors)2 orgs
Cyber insurers are acting as de facto compliance bodies, mandating SIEMs, MFA, EDR, and backup validation.
MSSP Dissatisfaction
Seven IT leaders expressed dissatisfaction with their MSSP or described active plans to switch. The core complaint is consistent: MSSPs promise a fully managed service, then hand the work to a chain of sub-vendors, leaving customers managing the same complexity they were trying to escape. A CIO who evaluated CrowdStrike, Palo Alto, Juniper, and Accenture found the same pattern everywhere:

"Every company wants to come in and say we'll manage the service for you, and then they swap you over to nine new vendors instead of the nine you're using. The cost goes through the roof."

CIO · 23-College System
Microsoft E5 Effect
Upgrading to Microsoft E5 bundles Defender, Intune, and Purview into a single license at a price that is starting to make standalone security vendors hard to justify. Multiple IT leaders described reaching this calculation independently. Two of them were Sophos customers of 10 years or more, reconsidering not because Defender is better, but because the math stopped working:

"The only thing that really has made us look to Microsoft is obviously the way that they bundle their licensing. If we go E5, we get a whole bunch of tools and it sort of closes the gap on what we're paying individually for Sophos."

10-Year Sophos Customer
AI Deepfakes as Social Engineering
A senior cybersecurity director demonstrated a 15-second AI-generated video of their CEO requesting a password reset as a security awareness exercise. It worked. His takeaway: the threat has moved from theoretical to demonstrated, and most security training programs are not keeping up.

"You can mimic people really, really well now."

Senior Cybersecurity Director
Standard phishing simulations no longer cover the full threat surface. Security awareness programs need to include AI-generated voice and video attacks.
Backup, Storage & Recovery

Backup: The False Confidence Problem

Most organizations have backup solutions. Very few have tested whether they work. There is a widening gap between what was purchased, what was deployed, and what can actually be recovered.

~90%
Have a backup solution in place
~20%
Have actually tested restore capability
What Ransomware Recovery Actually Taught One IT Leader
An IT director who lived through a ransomware incident shared a finding that rarely makes it into post-mortems. The backup held. The real problem was that when he lost access to everything, he realized he did not know what his own environment contained. After recovery, his top priorities were documentation, software inventory, and SaaS visibility. Not more security tools.
4 organizations experienced ransomware vs. 9 who name it as their #1 fear
Backup Vendor Landscape
Named vendors with active pricing pressure or switching intent
Cloud Backup Cost Shock
Backup data stored in Microsoft's cloud is not deduplicated. Organizations that migrated their backup workloads to cloud are discovering that ongoing storage costs were never properly modeled at purchase time. A CISO at a law firm put it simply: "When we back up data and put it in the cloud, it's very expensive to keep it there."
Rubrik: The Hidden Infrastructure Cost
Rubrik is well-regarded, but a senior IT leader at McKesson described what an enterprise rollout actually requires before a single backup runs. This is not in the brochure. Her advice after going through a $3M deployment was to let others go first and watch what happens during setup:
25-gigabit network ports required throughout the environment
Minimum 96 ports for a basic install
6 racks of hardware before a single backup runs
Full deployment estimated at $100M in infrastructure alone

"I'm not sure they quite understood that when they did it."

Senior IT Leader · McKesson
Veeam: Widely Used, Quietly at Risk
Veeam has the largest installed base in this dataset. But usage does not equal satisfaction. The typical profile is an organization that bought Veeam, never set up automated restore testing, is not backing up all cloud data, and has no deduplication in cloud storage. They are paying for a capability they are only partially using.
0
Organizations using Veeam with active pricing pressure at renewal
Rubrik, Commvault, and newer competitors are actively targeting this gap. Renewal conversations are becoming competitive evaluations.
Cloud Reversal: A Signal Worth Watching
This is not yet a broad trend, but it is showing up consistently enough to flag. A higher education IT leader described intentionally keeping his Nutanix cluster on-premises after watching peer institutions reverse their cloud migrations:

"The schools I've talked with that have moved to the cloud are now trying to move back to premise because the cloud expenses keep going up."

IT Leader · Higher Education
Infrastructure & Operations

The Infrastructure Disruption Map

VMware's post-Broadcom pricing changes, Windows 10 end-of-life, the Microsoft Software Assurance trap, and decade-long Oracle migrations. The infrastructure layer is under more simultaneous pressure than at any point in recent memory.

VMware Disruption — The Ripple Effect
Organizations affected by Broadcom pricing changes
The Ripple Effect Nobody Expected
When Broadcom acquired VMware and repriced licensing, some organizations saw rate increases of 800%. The pricing shock did not just affect the hypervisor decision. It froze server, storage, and hyperconverged infrastructure purchases across 11 organizations. Until teams know which hypervisor they are staying on, nothing adjacent can move forward.
The Breakout Alternative: Scale Computing
When IT leaders described what they were evaluating instead of VMware, Scale Computing came up more often than VMware-approved alternatives. It was described as the biggest up-and-comer in the hypervisor space and compared favorably to Nutanix on simplicity and cost. The VMware disruption has opened a real window that Scale Computing is walking through.

"Our hypervisor determines the direction we go with a lot of this stuff. If we stay with VMware, we don't need to change our servers. But if we step away, there are some hyper-converged players we need to look at."

Infrastructure Manager · Enterprise Organization
Windows 10 End of Life: Decisions Can No Longer Be Deferred
0
Organizations with active hardware or migration decisions tied to Windows 10 EOL
The deadline is forcing refresh cycles that had been deferred for years. One company is migrating all 65,000 employees to Windows 11. Others are weighing whether to buy devices pre-loaded with Windows 11 or attempt in-place upgrades. This urgency did not exist 12 months ago.
The Software Assurance Trap
Organizations that did not purchase Software Assurance when they first licensed Microsoft products cannot buy it retroactively. Continuing on expired software costs more than buying a current license from scratch. One IT director managing infrastructure that is 25 years old described being stuck on Windows Server 2012 for exactly this reason. Most organizations only discover this trap when they are already inside it.
Patching: Named as Urgent by 7 IT Leaders
0
IT leaders who named patching as a specific, unresolved priority
Patching is not a glamorous problem, which is likely why it gets underreported. A newly appointed IT manager at a library district had just discovered how far behind they were:

"This is a huge security hole we have right now. That came up literally last week and hit me in the face pretty hard."

IT/Cybersecurity Manager · Library District
The Oracle Migration That Takes a Decade
28 months in. 18 months to go.
One IT director is migrating 35 years of Oracle applications to PostgreSQL. He is clear about what vendors get wrong when they pitch migration services: they scope the database, not the applications on top of it. The database migration is straightforward. Every custom application built around it is its own project.

"The database is the easy part. The application is the challenge."

IT Director · Oracle Migration, Year 3
10
Single Pane of Glass: Still Unfulfilled
Ten IT leaders named unified visibility as their single biggest unfulfilled wish, across security, networking, backup, and asset management. It came up so often it became the organizing frustration of the entire dataset. "We have different tools for different stuff" was the common version of this.
7
Spreadsheets Are Still the Asset Tracking System
At a library district, the entire IT asset inventory lived in a spreadsheet. When four employees left, nobody knew where their phones were. Leadership refused to approve a hardware refresh because they could not trust the inventory. This is not a budget problem. It is an asset management problem that was never made visible until it became a crisis.
7
Bought But Never Deployed: A Predictable Renewal Risk
Seven organizations reference technology purchased but never fully implemented. Netscope was bought to address data protection, then shelved. At renewal time, the organization could not explain what value it delivered. The path to renewal in this situation is not a pricing conversation. It is helping the customer use what they already paid for.
SD-WAN: The Automation Gap
SD-WAN is largely deployed across organizations in this dataset. The interest in refreshing or replacing it is not about bandwidth or performance. It is about the fact that in most environments, everything is still manual. Failover is manual. Provisioning is manual. When something breaks, teams find out when users call. A senior director running a fully deployed Cisco SD-WAN described how he felt about where things stood:

"Everything we do is manual. How important is it to automate critical network functions? It's very important and I'm not there."

Senior Director of Global Support Services · Cisco SD-WAN Environment
Deprovisioning: The Overlooked IAM Gap
Provisioning employees into systems is well-covered by identity vendors. Deprovisioning them when they leave or change roles is not. A senior director running SailPoint, CyberArk, Beyond Identity, and Okta described deprovisioning as still his biggest challenge. The tooling exists for access control. Cleanly revoking access at scale, automatically, remains thin. That is an entry point for any identity vendor who can solve it well.
Full Category Leaderboard

The Top 10 Categories

AI and security together represent more than half of all active evaluation volume. Ranked by number of organizations actively evaluating, with median budget context for each.

AI / Machine Learning265 orgs · $100K
Zero-Trust Security214 orgs · $100K
AI-Enabled Automation168 orgs · $100K
Storage148 orgs · $100K
Network Security136 orgs · $577K mean
Backup and Recovery124 orgs · $100K
Cloud Security114 orgs · $100K
Laptops / Endpoint Refresh110 orgs · $2.5K/device
Networking103 orgs · $100K
AI Infrastructure82 orgs · $200K
Category Volume — Top 10
Organizations actively evaluating
What's Slowing Down — Done, Not Underinvested
Categories with meaningful drops in H2 2025 and Q1 2026
CategoryQ1 2025NowStatusWhat It Means
UCaaSHighDeclining↓ DonePost-pandemic normalization.
SD-WAN306↓ MatureLargely implemented. Automation refresh is the real need.
AI-Enabled Automation10842↓ EvolvedReplaced by specific agentic use cases.
Cloud Security (standalone)7329↓ EmbeddedAbsorbed into SASE and Zero-Trust platforms.
Data Protection511↓ Sharp DropFocus shifted to identity and detection.
App Performance Monitoring290↓ AbsorbedEmbedded in observability platforms.
Industry Breakdown

Who Is Buying What

Technology buying patterns vary meaningfully by sector. Compliance is the common thread, but priorities diverge sharply by industry. Healthcare and Government lead in volume, driven by the most demanding regulatory environments.

Active Evaluations by Sector
Estimated active evaluations per industry vertical
🏥
Healthcare
509 active evaluations
HIPAAZero-TrustAI ClinicalDocument OCR
🏛
Government / Public
377 active evaluations
NIST/NERCZero-TrustNetwork Sec
🏦
Finance
282 active evaluations
Data ProtectionIAMCloud Sec
🎓
Education / Higher Ed
207 active evaluations
StorageNetworkingAI AdminCloud to On-Prem
🏭
Manufacturing
101 active evaluations
OT/IoT SecurityNetwork VisibilityAI Automation
Utilities / Energy
64 active evaluations
NERC-CIPGrid SecurityZero-Trust
5–12
Solo IT Teams Managing Hundreds of Users
One network admin at a credit union: one other person on his team, about to retire. "Anything we can do that's automated, I'm all for it." Managed services solve a staffing problem for this segment, not a technology one.
12
M&A Is Freezing IT Decisions
Mergers are causing IT purchasing paralysis. A hospital IT manager described being mid-evaluation when a merger was announced: "Kind of like pump the brakes." The tell is when the IT leader starts describing what the parent company already uses.
Purchase Drivers & Decision Patterns

What Actually Triggers a Purchase

Based on direct conversations with IT leaders, these are the real triggers behind active evaluations, ranked by frequency across the dataset.

52
Compliance requirement
HIPAA, NIST, PCI, GDPR, SOX, NERC, most common external trigger
38
Contract / subscription renewal approaching
Most common urgency driver
35
AI interest without approved budget
Evaluating, not buying yet
30
No visibility / limited visibility
Most common operational complaint across all categories
30
Manual processes as active frustration
Tied to networking, patching, and asset management
14
End-of-life or end-of-support technology
Windows 10 EOL driving this significantly
12
Merger or acquisition purchasing freeze
Appears active but completely stalled
12
Budget freeze blocking identified needs
They know what they need. Waiting for budget cycle to reset.
9
Ransomware cited as #1 fear
vs. 4 organizations that actually experienced ransomware
7
Cyber insurance driving specific tool requirements
Insurer functioning as de facto compliance body
Top Purchase Triggers
Cited across IT leader conversations

"We just got through budget planning. A significant number of requests were denied. I'm re-presenting the same tool sets to senior leadership for 2026 approval."

VP of Cyber Security Risk · $1.5B Company
Vendors who stay in front of frozen-budget IT leaders win quickly when the cycle resets. Vendors who lose touch during the freeze lose the deal.
Budget & Spending

Where the Money Is Actually Going

Budget data from 3,739 evaluations. The most common project range is $100K to $250K. But significant outliers, particularly in network security and AI infrastructure, signal where enterprise-scale investment is happening.

$100K
Median (All Categories)
The benchmark for business cases
$200K
AI Infrastructure Median
2× the norm, compute investment
$577K
Network Security Mean
Enterprise-scale overhauls
3,739
Evaluations with Budget Data
Across all categories
Budget Distribution
Evaluations by project budget range
Purchase Timeline
When are IT leaders planning to buy?
15%
0–3 Months
Immediate pipeline
18%
0–6 Months
Active now
27%
3–6 Months
Evaluating now
40%
6–12 Months
Next cycle roadmap
Over 40% of IT leaders are evaluating with a 0 to 6 month purchase window. MDR, IAM, and AI Agents for IT Help Desk cluster disproportionately in this short-window group.
Vendor Reputation Intelligence

What IT Leaders Said About Specific Vendors

Unsolicited vendor sentiment from direct conversations. What came up when IT leaders were simply asked "is there anyone you're opposed to speaking with?" The answers reveal the competitive landscape more clearly than any analyst report.

IBM
4 explicit refusals
Named unprompted. Consistent pattern: IBM acquires technologies then fails to develop or support them long-term.

"IBM contacts me three times a year and they are highly disappointing every single time. They buy technologies and kill them."

VP of Information Security
Oracle
3 negative mentions
Pattern: pricing opacity, licensing complexity, vendor lock-in. One organization is 28 months into migrating off Oracle.

"Once Oracle gets in your pocket, all the cash is gone."

Network Administrator · 25-Year Tenured Role
Microsoft
14 "Microsoft shop"
14 IT leaders describe themselves as fully consolidated on Microsoft. All new purchases are evaluated through the lens of what Microsoft already bundles. The E5 economics question will come up at every renewal.
E5 economics question comes up at every renewal
CrowdStrike — Post-Outage Evaluation Window
0
Organizations re-evaluating endpoint vendor due to July 2024 outage
One IT manager at a $1.3B distribution company: their CrowdStrike contract renews in summer. The outage put a competitive evaluation on the calendar that otherwise wouldn't have happened. The product is well-regarded, but the outage created doubt. Vendors competing here have an open window.
3 running formal competitive evaluations on price alone
Google Workspace — Losing to Bundle Math
An IT director at a TV network: their Google Workspace agreement expiring mid-year. Microsoft restructured 365 licensing to bundle Windows, making M365 financially competitive in a new way. The decision is being driven entirely by licensing economics, not technology preference.

"It's a financial decision at this point. The technology is fine. But the math is changing."

IT Director · TV Network · Google Workspace Customer
2026 Market Signals

What the Data Says About Where This Goes

Trends that took shape in 2025 are now firmly established patterns continuing into 2026. Three categories to watch closely, and seven things every IT leader should know.

🤖
Watch: AI Governance
A distinct, underserved product category forming around AI governance, tools that let security teams see what employees are doing with AI, prevent data misuse, and enforce policy. The tools don't exist yet. The market is open.
🌎
Watch: OT/IoT Security
Smart buildings, HVAC, IoT sensors connecting to corporate networks through vendors who never prioritized security. Organizations know the risk. Vendor coverage remains thin. Significant first-mover opportunity.
☁️
Watch: Cloud Cost Reversal
Some organizations moving workloads back on-premises as cloud pricing exceeds on-prem TCO. A real signal in education and mid-market. On-prem vendors have a counter-narrative opening.
7 Things Every IT Leader Should Know
  • 1
    AI is past the hype phase. Specific agentic AI use cases, IT Help Desk, HR self-service, procurement, are entering active procurement. Organizations still in exploration mode are now in the minority.
  • 2
    Zero-Trust is being implemented by your peers right now. The question is where you are on the maturity curve relative to your sector, not whether to start.
  • 3
    IAM is the fastest-growing security investment. As network perimeters dissolve, identity becomes the control plane. IAM ties together Zero-Trust, cloud, and remote work.
  • 4
    MDR is the most rapidly emerging category. Organizations with prevention tools deployed are now outsourcing 24/7 detection and response. No SOC capability? This is the gap most peers are closing.
  • 5
    Backup and restore testing are not the same thing. Almost every organization has backup. Very few have verified it works under real recovery conditions.
  • 6
    Compliance is the most common purchase driver. HIPAA, NIST, NERC-CIP, and cyber insurance requirements are forcing investment timelines. Regulatory pressure doesn't wait for your next budget cycle.
  • 7
    Slowing categories are largely done, not underinvested. UCaaS, SD-WAN, broad Cloud Security: these decisions have been made. Redirecting budget toward AI agents and identity is where the market is heading.