AI’s Impact on the Changing Technology Landscape
Over the past decade, policymakers have grappled with rapid advances in cloud computing, social media and other consumer applications, and Internet of Things adoption. These shifts have reshaped how organizations operate and how data flows across borders — and created new attack surfaces for adversaries to exploit.
Now AI is accelerating that shift. Despite lingering policy questions surrounding the last generation of technological advancements, AI’s cross-sector impact and potential to amplify both innovation and risk have thrust it to the top of the priority list for many policymakers.
Roughly 1,000 AI-related bills were introduced across the country in 2025, and all 50 states considered AI legislation. However, the momentum of legislation may be impacted by federal actions following Executive Order 14365, which was published in the Federal Register on Dec. 16. The EO initiated multiple follow-on workstreams for federal agencies and offices, with varying timelines, and it will likely significantly impact state laws. This is something we’ll be watching closely.
Policymakers across the United States and worldwide will continue working to balance AI’s benefits with its risks for years to come. Integrating strong cybersecurity expectations into AI governance is essential. National and international efforts can influence state-level policy decisions.
In 2025, we submitted comments on the America AI Action Plan, as well as comparable initiatives in the EU and Canada. Our comments stress the important relationship between AI and cybersecurity. The U.S. plan, with more than 90 assigned actions, will influence not only how the federal government uses AI but how requirements cascade into the private sector, states and international standards.
READ MORE: Explore some AI use cases for cybersecurity.
Regulations Shift to Sector-Specific Policies
Regulators are moving away from broad, one-size-fits-all frameworks and toward sector-specific rules that reflect unique operational needs, threat environments and technology dependencies. This shift is especially visible in critical infrastructure sectors such as defense, healthcare and finance.
CrowdStrike has engaged extensively with regulators in New York and California, where agencies are adopting sector-focused approaches and influencing national trends. Healthcare is an important example: It remains one of the most targeted critical infrastructure sectors, with 9% of tracked intrusions in 2024, according to CrowdStrike’s 2025 Global Threat Report. Both New York and the European Commission are advancing hospital cybersecurity guidelines, and their decisions will shape global approaches in 2026.
Sector-specific rules can offer benefits, but they also carry the risk of fragmentation and overlap with other frameworks. Unless harmonization is prioritized, these rules and regulations can unintentionally hinder innovation and impose new burdens on the very sectors they aim to encourage and protect. CrowdStrike urges policymakers to weigh these trade-offs carefully and avoid the unintended consequences such rules often create.
Modernizing Legacy Standards To Meet Today’s Technologies
Many longstanding security standards were built for an era of on-premises systems and static networks. Today’s cloud-native environments, dynamic threats and complex supply chains require modernization. In 2025, regulators accelerated efforts to refresh these frameworks. The National Institute of Standards and Technology’s Privacy Framework update and FedRAMP’s review of cloud authorization processes are two important examples.
Modernizing legacy standards matters not only to remove outdated controls but to clarify expectations around cloud security, identity management, software supply chain risk and continuous monitoring. When widely used standards lag real-world practices, organizations are forced to navigate requirements that may not improve security and can even create exploitable gaps.
DIVE DEEPER: Here are four steps for centralizing cloud security management.
2026 Policies To Shape Security Landscape for Years To Come
Across all of our engagements, CrowdStrike’s goal remains consistent: advancing effective cybersecurity policy that helps organizations defend themselves amid a rapidly evolving threat landscape.
For years, we have encouraged agencies to incorporate endpoint detection and response, threat hunting and speedier security operations into their cybersecurity requirements — tools and practices that many now treat as foundational. Today, we are similarly urging policymakers to look ahead: toward thoughtful application of cloud security, next-generation security information and event management, identity threat detection and response, AI-enabled cybersecurity, and AI detection and response to secure AI systems themselves.
2026 will be a year of action, and we believe that the pace of policy activity will intensify. With a highly anticipated new National Cybersecurity Strategy pending, potential follow-on executive orders and states moving quickly in parallel, policymakers will be making decisions that shape our security posture for years.
As these efforts accelerate, CrowdStrike will continue bringing real-world expertise to the table. This will help policymakers shape practical, effective measures and ensure that emerging requirements strengthen cybersecurity outcomes, improve resilience and help organizations defend against the adversaries we confront every day.
