I’m three weeks out from a board paper deadline and I’ve been going through the priority list that should be on it. Most CIO priority lists I’ve seen this quarter are some version of the same thing — AI, cloud cost, cybersecurity, talent, technical debt. Fair enough. The order matters and the specifics matter more.

Here’s the priority list I’d actually take to a board in May 2026 if I were running mid-market enterprise IT in Australia.

1. Cloud cost discipline that’s actually disciplined

The cloud cost story is no longer just “pay attention to it”. The economics have shifted. Egress costs are biting harder than they did three years ago. Reserved instance and savings plan management is now a meaningful FTE allocation rather than a side project. The smart operators are running cloud cost forecasting alongside their AWS or Azure spend with real accountability — engineering teams have actual budget, not just visibility into spend.

The CIOs who’ll regret 2026 are the ones still treating cloud cost as a quarterly review item. The CFO is now asking the questions IT used to be able to wave away with “it’s variable spend”. That conversation is over.

2. AI strategy that’s a strategy, not a list of tools

Every CIO has a list of AI pilots. Most of those lists are evidence of activity, not progress. The honest test for whether you have an AI strategy in May 2026 is: can you describe in one paragraph what your business will look like differently in 18 months because of the AI work, and what specific capability the work is building?

If the answer is “we’re using Copilot” or “we’re trialling six tools”, you have a portfolio of pilots, not a strategy. That’s fine for 2024. It’s not enough for 2026.

The board paper question I’d be answering: what are the two or three workflows in our business where AI delivers durable advantage, and what does the roadmap to embed AI into those workflows actually look like? Everything else is a distraction.

3. The cybersecurity foundations no one wants to talk about

Identity. Endpoint. Backup. Detection and response. These four things, done at modern maturity levels, would prevent the majority of breaches Australian organisations are still suffering in 2026.

The reason they’re hard to prioritise on a board paper is that they’re not interesting. Identity rationalisation is a multi-year program with no demo-able output for the first 18 months. Endpoint modernisation requires real change management. Backup architecture refreshes don’t get applause at the IT all-hands.

The CIOs who’ve quietly done this work over the last three years are the ones whose incident reports are unremarkable. The ones who skipped it are featuring in board incident reviews more often than they’d like.

4. Technical debt with a real number on it

How much technical debt do you actually have? Most CIOs can’t answer this cleanly. They have an instinctive sense — “we have a lot” — but no quantified number.

The exercise of putting a number on technical debt is uncomfortable. The methodologies are imperfect, the estimates are debatable, and the size of the number when honestly reported tends to be larger than anyone wants to admit. The CIOs doing this work in 2026 are getting better board engagement on debt remediation than the ones who haven’t.

If you can tell your board “we have $X million in technical debt across these eight systems, here’s our paydown schedule, here are the trade-offs we’re accepting” — that’s a serious conversation. If you can only tell them “we have technical debt and we need to fix it”, you’ll lose to whichever project has a clearer business case.

5. Talent that’s not just retention, it’s capability

The talent conversation has shifted in the last 12 months. Retention is still hard. But the bigger issue for many Australian IT shops is capability shape — having the right skills for what 2027 needs, not what 2023 needed.

The teams I see thriving have done two things. First, they’ve identified the 4-6 capability areas they need to develop internally and they’ve invested in real training, not LinkedIn Learning. Second, they’ve been honest about which capabilities they’re not going to develop in-house and they’ve found durable external partners for those.

That second one matters. The “we’ll do it all internally” posture from 2020 hasn’t aged well. The teams that have meaningful technical partnerships — an Australian AI company for AI build work, a specialist data engineering firm for the platform refresh, a managed security partner for the SOC — are moving faster and making fewer expensive mistakes than the teams trying to staff every capability internally.

What I’d take off the list

A few things that look important but probably aren’t, at least not as priority items.

Generative AI tool sprawl. Yes, your business has 30+ AI tools floating around. Yes, you should rationalise them. No, this isn’t your top-three priority. Spend the airtime on the durable capabilities; the tool sprawl will get easier when the strategy is clearer.

Yet another digital transformation program. The CIOs who got results in 2023-2025 already did the transformation. The ones still trying to launch one in 2026 are usually papering over an absence of strategic clarity with activity.

Citizen developer governance. Important. Not urgent. The low-code platforms have settled into a workable shape; the governance problem is real but solvable with sensible policy rather than a big program.

The honest CIO priority list in May 2026 is shorter than the lists most consultancies are pitching. That’s a feature, not a bug. The teams doing fewer things deliberately are outperforming the teams doing more things performatively. Pick the right four or five. Do them well.