7 New Year Checklist To-Dos For Midmarket IT Leaders In 2026
Several IT industry leaders shared their advice for tasks midmarket leaders should undertake as the current year ends and the new one begins.
AI governance and policies, identifying team skill gaps, and getting firm control over privileged access management are a few of the imperative focus areas for midmarket IT leaders as the year closes and the new one begins.
That is according to several IT executives and thought leaders whom MES Computing canvassed about what belongs on a must-do new year checklist for midmarket IT leaders.
Here are 7 of the top new year to-dos for midmarket IT leaders in 2026:
- Create Your AI Governance And Security Strategy
“Organizations are rapidly adopting and developing AI-driven applications, yet the frameworks and technologies required to secure and govern these systems remain immature and inconsistently deployed. This gap is particularly pronounced in the mid-market, where many companies lack formal AI policies and often do not have the resources or tooling necessary to enforce governance standards or safeguard AI utilization,” said Michel Sahyoun, chief technology officer, QuisLex.
- Educate Employees On ‘Effective’ AI Use
“AI will be both an opportunity and a challenge for organizations in the coming year. Internally, companies must educate employees on effective AI use; prompting isn’t like Googling. It requires context, critical thinking, and the ability to spot when AI ‘hallucinates’ false information,” said Dennis Teague, senior security architect, CLA (CliftonLarsonAllen).
- Review IT Delivery Performance
“A normal part of year-end activities for a CIO includes validating the performance and delivery of the technology team(s) and aligning with business partners for the coming year. I often remind teams that IT is a finite resource facing nearly infinite demand. Aligning with business partners and the IT team reinforces shared expectations and validates the technology priorities,” said Richard Amos, chief information officer, Blue Mantis.
- Identify Talent Gaps, Resource Constraints
“Develop the strategic plan for 2026 and skill capacity planning: No surprise, finalizing the strategic plan for IT is essential. As part of this process, assessing skill and capacity requirements helps identify talent gaps and resource constraints that could impact delivery. Proactive planning for workforce capabilities validates the IT organization can meet future demands,” Amos also advised.
- ‘Align AI And Data‑Driven Initiatives With Clear, Measurable Business-Use Cases’
“In 2026, CIOs face a unique imperative to align AI and data‑driven initiatives with clear, measurable business use cases. While overall IT budgets for 2026 are projected to remain flat or experience only modest growth, funding for AI and data enablement is expected to increase. As a result, prioritizing investments becomes even more critical, as there will be less discretionary spending available for non-AI initiatives,” Amos added.
- Get A Firm Grip On Privileged Access Management
“Most midmarket leaders obsess over budgets and roadmaps at year-end — but the truth is, none of that matters if you haven’t audited who actually has access to your data anymore. The real must-do task isn’t strategic planning; it’s a ruthless access and privilege clean-up.
Every breach I’ve investigated in the past few years had one thing in common: someone who still had access they shouldn’t have.
Former employees, contractors, stale service accounts, forgotten VPN credentials — these are the landmines attackers step on first.
Before you worry about next year’s initiatives, make sure you’re not carrying last year’s exposure into January. Disable the accounts, rotate the keys, kill the legacy portals. If a CIO or CISO does just one year-end task, it should be eliminating the silent permissions that could destroy their business faster than any missed budget cycle,” said Yuri Kasan, CISSP, CSM and principal cybersecurity consultant.
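As an added illustration of the clean-up described above (not code from the article or from anyone quoted in it), the following sketch reconciles an account export against an active-staff roster and flags what to disable, review or rotate. The record layout, account names and the 90-day and 365-day thresholds are assumptions made for the example.

```python
from datetime import date

# Constructed sample data (not from the article): an HR roster of active
# staff and an account export from an identity provider.
ACTIVE_STAFF = {"alice", "bob"}
ACCOUNTS = [
    {"name": "alice", "type": "user", "owner": "alice", "enabled": True,
     "last_login": date(2025, 12, 1), "key_created": None},
    {"name": "carol", "type": "user", "owner": "carol", "enabled": True,
     "last_login": date(2025, 6, 3), "key_created": None},
    {"name": "vpn-contractor7", "type": "vpn", "owner": "dave", "enabled": True,
     "last_login": date(2025, 2, 14), "key_created": None},
    {"name": "svc-backup", "type": "service", "owner": "bob", "enabled": True,
     "last_login": date(2025, 3, 9), "key_created": date(2023, 1, 20)},
    {"name": "svc-ci", "type": "service", "owner": "alice", "enabled": True,
     "last_login": date(2025, 12, 10), "key_created": date(2025, 11, 1)},
    {"name": "erin", "type": "user", "owner": "erin", "enabled": False,
     "last_login": date(2024, 9, 1), "key_created": None},
]

STALE_DAYS = 90     # assumed threshold for a stale account
MAX_KEY_AGE = 365   # assumed key rotation interval, in days


def audit(accounts, active_staff, today):
    """Return {account name: [reasons]} for enabled accounts needing action."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing left to revoke
        reasons = []
        if acct["owner"] not in active_staff:
            reasons.append("owner not on active roster: disable")
        last = acct["last_login"]
        # An account that has never logged in counts as stale too.
        if last is None or (today - last).days > STALE_DAYS:
            reasons.append("no login in %d days: review" % STALE_DAYS)
        key = acct["key_created"]
        if key is not None and (today - key).days > MAX_KEY_AGE:
            reasons.append("key older than %d days: rotate" % MAX_KEY_AGE)
        if reasons:
            findings[acct["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, why in audit(ACCOUNTS, ACTIVE_STAFF, date(2025, 12, 15)).items():
        print(name, "->", "; ".join(why))
```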
- Map Out And Stress Test Your Environment
“If I could give one piece of advice to fellow security and IT leaders at mid-sized organizations, it would be to stop planning for the environment you think you have and start mapping the one you actually have.
As we approach the end of 2025, the big task on your year-end list should be doing some manner of a visibility stress test. Midsized companies often sit in a place where they have sprawled hybrid clouds and shadow IT but are often lacking the massive surveillance teams or GRC (Governance, Risk, and Compliance) of the Fortune 100.
Use the quiet period at year-end to run the scans you usually skip, and send all your authentication logs to a SIEM to find devices that don’t match your inventory. Audit the OAuth tokens and browser extensions connected to your corporate Google or Microsoft environment. The goal is to enter the new year with a list of unknowns that you have finally turned into knowns,” said Mike Toole, director of security and IT, Blumira.
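The inventory check described above can be sketched as follows; this is an added example, not code from the article or from Blumira. The key=value log format, the device names and the rule of comparing short lower-cased hostnames are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed inventory and log lines (not from the article); the key=value
# format is an assumption standing in for whatever your SIEM exports.
INVENTORY = {"LT-0412", "lt-0388", "srv-files01.corp.example"}
AUTH_LOG = """\
2025-12-20T08:01:11Z result=success user=alice device=lt-0412.corp.example src=10.0.4.12
2025-12-20T08:03:40Z result=success user=bob device=LT-0388 src=10.0.4.40
2025-12-20T09:15:02Z result=success user=bob device=DESKTOP-7QK2 src=10.0.9.77
2025-12-21T02:44:19Z result=failure user=svc-backup device=nas-old src=10.0.2.5
2025-12-21T02:44:25Z result=success user=svc-backup device=nas-old src=10.0.2.5
2025-12-21T11:30:00Z malformed line without fields
2025-12-22T07:59:58Z result=success user=alice device=desktop-7qk2 src=10.0.9.77
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def normalize(device):
    """Lower-case and drop the DNS suffix so name variants compare equal.

    Assumption: short hostnames are unique across the estate.
    """
    return device.lower().split(".", 1)[0]


def unknown_devices(log_text, inventory):
    """Map each authenticating device absent from inventory to what was seen."""
    known = {normalize(d) for d in inventory}
    seen = defaultdict(
        lambda: {"users": set(), "events": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if "device" not in fields or "user" not in fields:
            continue  # skip lines that do not parse instead of guessing
        dev = normalize(fields["device"])
        if dev in known:
            continue
        ts = line.split(" ", 1)[0]
        rec = seen[dev]
        rec["users"].add(fields["user"])
        rec["events"] += 1  # failures count: they still reveal the device
        rec["first"] = rec["first"] or ts
        rec["last"] = ts  # log is assumed to be in time order
    return dict(seen)
```

Each key in the returned mapping is an unknown to resolve: either add the device to inventory or remove its access.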