The IT hiring landscape has shifted dramatically. Open requisitions are no longer for generalists or entry-level specialists. Instead, positions that remain unfilled for six to nine months demand a rare combination: an engineer who writes strong code, navigates AI platforms, assesses risk exposure, and aligns technical decisions with business priorities. Three skills, one person, a small pool. This is the core talent challenge organizations face as they head into the second half of this decade.
The 2026 State of the CIO survey from Foundry confirms the shift. AI and machine learning, along with cybersecurity, now share the top position as the hardest IT skills to hire for, with data science and analytics ranked third. What stands out is not the ranking itself but the nature of the shortage. Hiring teams are no longer struggling to find specialists—they are struggling to find professionals who operate across disciplines simultaneously, at speed, and with sound judgment under real constraints.
AI and Machine Learning: From Prompt Engineers to Agentic Builders
The role of the AI professional has evolved significantly over the past two years. Prompt engineering as a standalone function has largely faded. Organizations today need AI product engineers who can deploy agents, build testing frameworks, manage cost-latency-quality trade-offs, and govern model risk. They also need professionals filling governance and red-team roles that did not appear on org charts three years ago. The center of gravity has moved from people who build models to people who wield them. That is a very different resume, and the candidate pool remains thin.
Approximately 50% of US employers report difficulty finding qualified AI candidates, and Gartner research consistently identifies this shortage as the single largest roadblock for data and analytics teams. The challenge compounds with the pace of change: skills acquired at one organization may not transfer to another, and knowledge from six months ago can already be obsolete.
Cybersecurity: A Skills Crisis, Not a Headcount Problem
Six in ten organizations now report that skills gaps outweigh staffing shortages as their primary workforce challenge—a 20-point shift from just a year ago. The consequences are measurable: 27% of cybersecurity leaders report breaches directly tied to capability gaps, while 61% say team stress has increased over the past two years. The shortage is concentrated at the senior architect level. Professionals who can make sound security trade-offs under real constraints, rather than just read a dashboard, are exceptionally difficult to find. Attack surfaces have expanded with every SaaS addition, API, and AI agent deployed. Security teams manage a faster-moving threat landscape with the same AI tools that adversaries now use to build and revise attacks in under an hour.
74% of organizations say AI is already impacting the size of their cybersecurity teams and the roles within them. Entry-level SOC analyst positions—the traditional training ground for future security architects—are among the most likely to be displaced as AI reshapes security operations.
Risk Management and Automation: The Rising Tier
Both risk management and business/IT automation have climbed into the top five hardest-to-fill roles for the first time. The reason is the same for both: AI has expanded the surface area of risk and the complexity of process automation simultaneously. GRC functions built for SOX and PCI compliance are not well positioned to address model risk, prompt injection, or third-party AI exposure. Organizations are now hiring for a discipline that is roughly five years old against a job description that is twenty years old. That gap defines the problem.
On the automation side, there is no need for additional robotic process automation developers—that work has become a commodity. What organizations need are professionals who can assess a workflow and decide what to automate, what to retire, and what to redesign entirely. That combination—business analyst, process engineer, and technologist in a single professional—is rare and commands a significant salary premium.
Software Engineering, DevOps, and the Midlevel Squeeze
AI coding tools have not reduced demand for software engineers; they have changed its shape. A strong engineer with solid AI tooling now produces roughly what three engineers accomplished just a few years ago. Hiring is bifurcating toward experienced leaders who bring judgment and ownership, and toward junior talent that is AI-native from day one. The professionals in the middle—those whose primary value was execution rather than architecture—are finding demand for their profile contracting. For DevOps specifically, platform engineering is emerging as the growth function. The generic DevOps title is being absorbed into platform or site reliability engineering, with consolidation likely to continue over the next two to three years.
Why This Matters
The talent shortage in these roles is not resolving through traditional hiring. The professionals who can bridge AI fluency with domain expertise, risk literacy, and system-level thinking are naming their price, and organizations competing for the same small candidate pool are losing ground. The more productive response, as several technology leaders have confirmed, is internal upskilling. Strong engineers trained deliberately on AI platforms and governance frameworks have outperformed externally hired AI specialists in productivity and retention at multiple large enterprises.
The organizations closing this gap are not doing so primarily through external hiring. They are investing in internal capability development, redesigning job descriptions around skills rather than credentials, and building structured pathways for engineers to grow into hybrid roles. The gap between organizations that act with that kind of intention now and those that continue chasing the same external candidates will only widen from here.