There’s a specific kind of exhaustion spreading through IT departments right now, not from overwork, exactly, but from the gap between what’s being promised and what’s actually deliverable. Budgets didn’t shrink, but confidence did. AI is everywhere in the pitch deck, nowhere in the production environment.
Legacy systems keep running because nobody can afford the risk of touching them. This piece looks at what’s actually happening in the IT services sector in 2026: the real pressures, the tools being tested, and the strategic bets paying off.
The market feels busy. Deals are closing. Vendors are launching things. And still, a surprisingly large share of enterprise IT leaders will tell you that they’re not sure the last three years of tech investment actually moved anything important.
Complexity is the culprit. Not complexity as a buzzword: actual, physical complexity. A mid-sized European manufacturer running SAP ECC 6.0 on-premise, patched together over 15 years. A regional US bank whose core platform was modern in 2004. A logistics firm that grabbed three different cloud providers during the pandemic because each business unit made its own decision, and now the CFO wants a consolidated infrastructure bill. Nobody planned this. It just accumulated.
Companies dealing with that kind of inherited mess aren’t looking for a vendor who can talk about AI. They need someone who already understands the vertical, the compliance layer, the legacy stack, the specific partner ecosystem that makes the whole thing run. For reference, what industry-specific IT engagement actually looks like at enterprise scale, across energy, insurance, financial services, healthcare, and manufacturing, is documented at https://dxc.com/industries. Worth a look before assuming generic IT strategy translates.
Agentic AI: Production, Finally. Sort Of.
The conference circuit is done with agentic AI as a concept. The interesting question now is where it’s actually running and where it quietly failed.
Microsoft pushed multi-agent orchestration into Copilot Studio. Salesforce shipped Agentforce in late 2024 and real customers like Wiley started reporting measurable reductions in their customer service queue workload. ServiceNow’s AI agents are handling tier-1 ITSM tickets in some deployments without human touch. GitHub Copilot Workspace, launched in 2025, is doing PR reviews in some engineering teams. These are real things running in production.
But agents fail in ways that are genuinely hard to catch. They hallucinate. Quietly. Without flagging it. An agent summarizing a support ticket slightly wrong, every time, at scale: that’s a real problem that doesn’t announce itself. And every implementation that’s actually working shares one precondition: clean, governed data going in. Which most enterprises don’t have.
What’s getting deployed
- RAG-based agents sitting on top of internal documentation — the practical replacement for legacy intranets nobody uses
- Incident response automation via PagerDuty’s AI layer and Dynatrace Davis AI — alert triage that doesn’t require waking someone at 2am
- Document extraction agents in insurance and banking — the kind of work that used to take a team of analysts two days now runs overnight
- Code review agents — still uneven, but improving enough that some teams trust them on lower-risk PRs
Honest question: is the data infrastructure at your organization actually ready for any of this? Not “could we build a pilot.” Is it ready for production at scale? Most aren’t. That’s the actual starting point.
The Risks People Aren’t Loudly Discussing
Vendor concentration
The market is consolidating fast. AWS, Microsoft, Google, Salesforce: they’re absorbing more of the total IT budget with every renewal cycle. The leverage a procurement team had in 2019 is not what they have now.
The CrowdStrike incident in July 2024 made this tangible in a way no analyst report could. A single faulty sensor update grounded flights, knocked hospital systems offline, and took banks down: a global outage from one vendor’s botched deployment. Not a targeted attack. A routine software update. The organizations that recovered fastest had deliberate redundancy built in. Most didn’t. That event shifted how resilience architecture gets discussed at board level.
The debt nobody budgeted for
The “ship fast, fix later” thinking that dominated 2020–2022 left an enormous bill. The pattern shows up the same way in every post-mortem: developers spending a disproportionate chunk of their actual working hours not building new features but navigating around old ones. Technical debt isn’t dramatic; it doesn’t cause outages, usually. It just makes everything cost twice as much and take twice as long, indefinitely.
The industries where this hurts most:
- Banking and insurance — core systems running on COBOL that predate the concept of cloud
- Energy and utilities — OT stacks that were never meant to be networked, now networked because smart grid requires it
- Healthcare — EHR systems built on HL7 v2 that simply weren’t designed for FHIR-based interoperability
The compliance pileup
GDPR was supposed to be the hard part. Then came the EU AI Act, staged into force through 2025. Then NIS2. Then DORA for financial services. Then a patchwork of US state-level privacy laws (California, Virginia, Texas, Colorado), all different. India’s DPDP Act. Brazil’s LGPD. China’s PIPL.
Running a global IT services operation across all of that isn’t a compliance exercise anymore. It’s a full-time architectural constraint. Every data flow, every cross-border processing agreement, every model deployment with a decision-making component needs to be mapped against jurisdictional requirements. The legal team can’t do it without the engineering team, and vice versa.
Cybersecurity: The Perimeter Is Gone
Zero Trust Architecture was a slogan for years. In 2026 it’s a procurement requirement: CISA mandates it for US federal contractors, which flows down to every IT firm touching public sector work. “Trust but verify” is now just “verify, every time, for everything.”
The attack surface keeps widening. Every new SaaS integration, every remote device, every API endpoint: more exposure. And the threat actors aren’t slowing down.
Current tooling landscape:
- XDR platforms — CrowdStrike Falcon, Palo Alto Cortex XDR, SentinelOne dominate post-2024. Point solutions are being consolidated out
- AI-assisted threat detection — using LLMs to parse logs at scale, surface anomalies that rule-based SIEM systems would miss
- Supply chain security — SBOMs (software bills of materials) are now a standard procurement ask, partly because of SolarWinds, partly because of the XZ Utils backdoor discovered in 2024, which slipped into a core Linux compression utility and almost no one noticed
The XZ Utils situation is worth pausing on. A social engineering attack, run over two years, targeting a single open-source maintainer, nearly resulted in a backdoor in SSH daemons across major Linux distributions. It wasn’t caught by any automated tooling. It was caught by a Microsoft engineer who noticed something slightly off about CPU usage. That’s the current threat environment.
Cloud: From Excitement to Accounting
Nearly every major enterprise is running multicloud. AWS, Azure, GCP, sometimes all three, plus Salesforce, Workday, and a dozen other SaaS layers on top. The original argument was flexibility and leverage. The current reality is that most organizations have more cloud infrastructure than they understand.
Idle compute instances. Orphaned storage from projects that ended eight months ago but whose resources were never cleaned up. Dev environments that became production. The waste is structural, not careless; it emerges from the gap between how fast teams spin resources up and how rarely anyone audits what’s still running.
FinOps is the discipline that grew up to address this. The Cloud FinOps Foundation has certified practitioners across the industry, and the tooling (Apptio Cloudability, CloudHealth, AWS Cost Explorer) actually works. The catch is that it requires someone with dedicated authority to act on what the dashboards show. That person often doesn’t exist or is buried under 20 other responsibilities.
Sovereign cloud is a harder problem. AWS European Sovereign Cloud, Google’s Sovereign Controls, Microsoft’s EU Data Boundary: the hyperscalers built the infrastructure. But IT services firms that designed delivery models before data residency was a hard requirement now have to restructure, not just configure.
Industry Pressure Points, Quickly
- Financial services — ISO 20022 payment infrastructure migration is dragging on. Core banking modernization is the bigger issue: COBOL-based systems that run the overnight settlement processes for major institutions aren’t easy to replace. The Hogan platform is one example: decades old, still mission-critical, requiring migration paths that take years and carry real operational risk.
- Energy and utilities — SCADA systems on outdated operating systems, now connected to networks they weren’t designed for. Siemens, ABB, and GE Vernova are running digital twin-based asset performance management at scale, but the data pipelines feeding those models require significant OT/IT integration work. Security is the harder issue. A compromised industrial control system isn’t a data breach; it’s a physical safety event.
- Healthcare — FHIR API mandates under USCDI v3 are pushing healthcare IT into interoperability work it mostly wasn’t ready for. Epic is adapting. The integration work on the provider side is slower. Drug discovery is the other story: AI-assisted research pipelines are compressing timelines in ways that create upstream infrastructure demand the sector hasn’t fully planned for.
The Pattern in Organizations Moving Well
No formula here, but a few observable tendencies among IT organizations that seem to be gaining ground rather than treading water:
- Data governance treated as infrastructure investment, not as a compliance task — because without clean data, none of the AI work functions
- Vendor consolidation that’s deliberate, not reactive — not abandoning best-of-breed entirely, but accepting that integration overhead has a real cost
- Security posture that’s been formally tested — tabletop exercises for breach scenarios, not just documented policies
- Industry-specific framing for every major initiative — because generic cloud strategy fails differently in insurance than in oil and gas, and treating them the same is how projects run 18 months over schedule
Actually, that last point is where the most avoidable failures happen. Technology decision-makers who understand the sector, the compliance layer, the legacy dependencies, the specific ways the business actually runs, are genuinely rare. And that gap between generic IT capability and industry-contextual IT judgment is where most large transformation programs fall apart.
The Bottom Line
No single trend defines 2026. It’s more like a pile-up: accumulated technical debt, a compliance environment that got harder every year for five years, agentic AI that’s real but narrower than marketed, and cloud infrastructure that got complex faster than anyone’s governance kept up.
The organizations that seem to be navigating it best aren’t the ones with the flashiest tech stack. They’re the ones that made hard architectural decisions before they were forced to. Cleaned up the data. Consolidated the vendor relationships. Built security posture before the incident, not after.
Sounds straightforward. It isn’t. But the gap between knowing what to do and actually doing it: that’s the whole problem, isn’t it?