By Steve Liss, Fulton May Solutions
IT Budgeting for 2026: What to Plan For (and Why It’s Rising)
Organizations heading into 2026 are seeing a meaningful shift in how (and how much) they’ll need to invest in IT. Based on what I’m seeing across teams of different sizes and maturity levels, here’s practical guidance on what’s changing, where hidden costs creep in, and how to build a realistic, defensible budget without hype.
Why IT budgeting matters more in 2026
Budgets are trending up. Many organizations historically set IT at ~5–7% of total spend; in 2026, I expect this to inch higher for a lot of teams—often to 8–9%—as AI and security needs grow. Smaller firms that once earmarked ~3% may see that double to ~6% as baseline security matures. Larger enterprises implementing AI in core operations may allocate 10–20%. (Your actual range will vary by industry, risk posture, and headcount.)
Hybrid work isn’t going away. The persistent mix of remote and on-site work keeps access control, identity, device posture, and monitoring front-and-center—moving security from “nice to have” to table stakes. My take: if you’re trying to responsibly secure your environment and give your team peace of mind, expect a bump.
The big shifts shaping next year’s numbers
AI adoption (and governance)
AI is both a catalyst and a cost center. Before buying tools, codify governance: who can use what, with which data, under which policies. Once rules and use cases are clear, then budget for licenses, implementation, and support. Two hidden drivers I see repeatedly: (1) cloud utilization spikes as models pull from multiple internal sources, and (2) the deployment model you choose—SaaS vs. “bring the model to your data”—moves costs between enterprise licensing and infrastructure (compute, GPUs, networking). Model both paths before you commit.
Key points
- Policy first; purchases second.
- Forecast cloud consumption (storage, bandwidth, inference).
- Decide where the model lives and budget accordingly.
Security as a bigger slice of the pie
Security spending is rising not because of a single must-buy product but because our risk surface is broader and more interconnected than it was even a year ago. Hybrid work has normalized access from everywhere; SaaS has multiplied entry points; and insurers, auditors, and customers increasingly expect demonstrable controls. In practical terms, I see organizations maturing along a path: first, they harden identity and endpoints; next, they add visibility and guardrails for cloud and SaaS; finally, they automate detection and response and tighten recovery. The price tag reflects that journey—tools are only part of it. Implementation, tuning, data retention, and people time add up, particularly for logging and response where ingest and retention fees scale with success.
If you’re planning for 2026, think less about a “shopping list” and more about a control map: which risks matter most for your business and which capabilities cover them. For a baseline, enforce MFA and device health everywhere users authenticate; keep operating systems and browsers current; and prove you can recover quickly with immutable backups and rehearsed runbooks. As you advance, posture-aware access (often via ZTNA/SASE), SaaS and cloud posture management, and curated detection with measured response times will move the needle without overwhelming your team. The most important decision is sequencing—schedule quick wins early (identity, patching, email defense), then phase the heavier lifts (zero trust access, SIEM/SOAR) with enough time for pilots and training, and enough room to absorb change fatigue.
Key points
- Treat security as a program, not a product. Build a simple control map before you buy.
- Budget for the “invisible costs.” Implementation, tuning, data retention, and people time.
- Sequence for momentum. Quick wins first; complex rollouts later with pilots and training.
- Measure what matters. Coverage (MFA, patch), containment time, and recovery drills.

Platform roadmaps and mandatory upgrades
Vendors quietly set your calendar. Operating systems, productivity suites, identity platforms, browsers, and line-of-business apps all carry lifecycle milestones, and those dates ripple into testing, training, and temporary productivity dips. The cleanest budgets I see start by mapping vendor roadmaps to the environment: which versions you run today, what’s expiring, what hardware those versions require, and where integrations (SSO, plugins, macros, drivers) are brittle. From there, plan a rhythm—pilot with a small cohort, stage deployments department by department, and reserve a modest contingency for the things you only discover at scale.
The goal isn’t to chase every new feature; it’s to avoid surprise end-of-life events and align upgrades to your asset lifecycle so you aren’t pushing a major OS onto end-of-life hardware. Communicate early and often. Short training assets and predictable change windows preserve goodwill and keep support tickets contained to a brief, manageable spike. Finally, document a rollback path before you start—pre-stage the previous versions and driver packages—so you can move forward confidently.
Key points
- Roadmap first. Align versions, EOL dates, and hardware needs before estimating cost.
- Pilot, then phase. Small cohort testing → staged rollouts with planned support surge.
- Budget beyond licenses. Include testing, training, downtime, and a contingency line.
- Tie to hardware lifecycle. Don’t upgrade software on devices at end of life.
Who feels the increase (and how much)?
Small teams (<20 employees) can often get by with a mix of low-cost tools and a few targeted subscriptions; the infrastructure lift is minimal, but plan for stronger identity and endpoint hygiene. Core SMBs (20–100 employees) are the most likely to double from ~3% to ~6% of total budget as they formalize security, governance, and device/network lifecycle. Upper mid-market and enterprise organizations implementing private or semi-private AI with strong security controls sometimes allocate 10–20%, especially when AI touches core operations.
A practical framework for a realistic 2026 IT budget
Step 1: Start with your end users. Interview teams about daily workflows, friction points, and “shadow AI” usage. This surfaces must-fix issues before you price anything.
Step 2: Establish AI governance first. Define approved tools, data boundaries, roles/permissions, and monitoring—then map the licenses, implementations, and compute you’ll need.
Step 3: Validate with vendors. Ask about roadmaps and pricing cadence to time feature uplifts, security add-ons, and end-of-life migrations.
Step 4: Refresh the asset lifecycle plan. Inventory endpoints, servers, network gear, and peripherals. Align replacement timelines with vendor milestones and spread spend across quarters.
Step 5: Stress-test cloud consumption. Model best/expected/worst-case scenarios for AI-driven data movement and inference volume, including egress, bandwidth, storage, and accelerator costs.
A budget checklist you can copy
- Document AI governance (tools, data classes, access, audit).
- Confirm OS and core app upgrade impacts and timing.
- Right-size identity, MFA, device posture, and cloud/SaaS security.
- Map vendor roadmaps to quarters (features, price changes, EOLs).
- Refresh hardware lifecycle (endpoints, network, servers).
- Model cloud consumption with AI scenarios (including bandwidth).
- Account for global/remote hires (policy, tooling, logistics).
- Socialize the plan with end-user interviews and iterate.
Closing thought
For most organizations, 2026 IT budgeting isn’t about chasing the newest shiny thing. It’s about formalizing governance, tightening security for hybrid realities, and anticipating AI’s operational footprint. Start with people and policy, stay close to platform roadmaps, and model consumption before committing—you’ll end up with a budget that reflects reality, not surprises.
If you’d like a second set of eyes on your 2026 plan, I’m happy to pressure-test assumptions and highlight blind spots from end-user interviews and vendor roadmap reviews.