AI and Cybersecurity Strategies for Local Governments – Addressing Challenges and Leveraging Opportunities

Blog Co-Author:  Margie Graves, Senior Fellow, IBM Center for The Business of Government

In today's fast-evolving landscape, the rapid adoption of emerging technologies – particularly generative AI – has fueled innovation, enhanced citizen satisfaction, streamlined operations, and driven down costs. However, these same advancements are being exploited by malicious actors, who are using generative AI to expand the attack surface and launch increasingly sophisticated cyberattacks against local governments. To navigate this shifting threat environment, organizations must move beyond traditional defenses. They need to conduct probability and impact analyses to quantify risk, and then translate those insights into effective policy decisions, governance frameworks, and cybersecurity strategies aimed at reducing and mitigating risk.

The most recent Summit, held at the IBM Innovation Studio in Washington, DC, opened with a dynamic discussion on the convergence of AI, cybersecurity, and innovation. These interconnected areas are shaping the emerging human-machine partnership and redefining how organizations approach digital transformation. Throughout the event, speakers highlighted the growing role of AI as a cyber defense tool, particularly for local governments that now have access to a broad and evolving ecosystem of AI-driven tools and services. A key concern that emerged during the discussions was the rise of “shadow AI” – AI systems operating beyond human oversight. Participants emphasized the potential risks and ethical implications of such systems, which could lead to unintended consequences if left unchecked.

Many local governments are actively seeking guidance on how to establish clear policies, governance structures and ethical frameworks for the use of AI. Well-defined guidelines on responsible AI adoption can help counties, cities, and towns deploy emerging technologies in ways that improve program effectiveness and minimize risk. However, in the absence of such roadmaps, well-intentioned staff can act under the mindset, “it's better to seek forgiveness than permission.” This approach, while innovative in spirit, can lead to unintended harm – for example, inadvertent exposure of personally identifiable or confidential information, reliance on biased data that drives inequitable outcomes, legal liabilities, and further erosion of public trust. In addition to developing governance frameworks, event participants emphasized the need for robust AI training, tailored for different roles – ensuring employees, senior managers, and elected leaders alike have the knowledge and tools to make informed, ethical decisions about AI use.

Another concern raised was the uncertainty stemming from nationwide cuts to cybersecurity resources. The Center for Internet Security (CIS), which supports 18,000 state and local government members, has experienced a significant budget reduction – over half its funding – threatening access to essential active and passive threat monitoring services. Despite these cuts, efforts are underway to maintain the CIS network that facilitates the sharing of cyber threat intelligence with state and local entities. Local government leaders voiced concerns that many jurisdictions already struggle with limited staff and financial resources to secure their digital infrastructure. Without adequate external support, these constraints leave public institutions increasingly vulnerable at a time when cyber threats are growing in frequency and sophistication.

While participants agreed that AI-powered cyber tools are becoming essential, they were also reminded that adversaries are equally eager to leverage AI for malicious purposes. In a unique and timely session, two senior editors from national media outlets shared insights on the stories they cover that impact local governments. Their participation underscored the media’s growing interest in the impact of technology, policy and community. Local government technology leaders were encouraged that influential reporters consider themselves allies – actively seeking authentic, human-centered stories, especially from smaller governments whose voices are often underrepresented in the broader conversation. 

The day ended with a forward looking “crystal ball” session focused on what the AI and cyber landscape might look like next year. Participants identified four challenges: 

1. Ongoing uncertainty around staffing, budgets and the politicization of technology.
2. Cyber insecurity driven by less external support from state and federal government.
3. Growing risks of shadow IT and AI, as systems operate beyond official oversight.
4. Citizen frustration stemming from budget cuts are reductions in citizen services.

Despite these looming challenges, the tone remained positive. Participants emphasized that public managers can and do rise to the occasion with creativity and resilience. Potential solutions include pooling resources to jointly purchase cybersecurity services, coordinating group visits to an easy to access cyber planning facility (cyber range) for scenario planning and ongoing training on the latest AI cyber threats and developing or participating in regional cyber resilience initiatives. Throughout the discussions, the deep sense of pride and dedication among state and local government professionals emerged as a powerful force driving continued innovation and progress.