Field Notes · By Stephen Gilfus · May 16, 2026
What R1 University CIOs Worry About in 2026
The operational worry list shaping research IT, security, AI, and cost
A Monday-morning view from the CIO chair: HPC queues, AI guardrails, data enclaves, ransomware, LMS peaks, cloud bills, and faculty autonomy. Here is the systems-grounded 2026 worry list for R1 leaders—and how it ties to research and teaching.

Introduction
At 7:45 a.m. on a Monday in February 2026, an R1 university CIO steps into a standing incident-review call. Overnight GPU queues on the Slurm scheduler doubled as three labs pushed microscopy workloads; the campus research cloud’s object store crossed a soft quota; a controlled unclassified information (CUI) enclave failed a backup immutability check; and the LMS performance team flagged an upcoming assessment window with historic concurrency. Purchasing sent an alert about a vendor adding egress fees to its default renewal template. A dean wants to know whether a postdoc can access a large language model from a hospital network without violating a data-use agreement. None of this is hypothetical; it’s the week.
Those items read like a random stack of tickets until you look at the load-bearing walls — the few structures that hold the others up. Research compute as a utility. Security and research integrity as one operating domain. Data governance as a speed lane, not a brake. Identity as the fabric that holds it together. Classroom reliability as a trust contract with faculty. Cost control as a technical design problem as much as a budget one. When those are stable, risk drops and the institution moves faster. When one is neglected, cycle time lengthens across research and teaching.
I write this as someone who has lived through a prior wave of higher-ed infrastructure formation. Back when the Blackboard team was building some of the first campus-wide platforms, we spent our time not on storytelling but on the operating grid — authentication, gradebook, roster synchronization, SIS integrations, and a framework so campuses could extend what we shipped. The unglamorous work was integration and uptime. The same pattern is present in 2026, only with research compute, AI, and regulated data in the foreground. The names changed; the work rhymes.
What follows is the operational worry list many R1 CIOs are actually holding, with how each item formed, what it touches downstream, and why it matters for institutional governance.
Research compute is a utility
The condition
- Demand for accelerators outpaced supply through 2025. Labs that once budgeted for a few on-prem GPUs now place queues across campus HPC clusters, cloud tenancy, and national resources. Instruments — cryo-EM, single-cell sequencers, two-photon microscopes — spill data at rates that make “upload later” a fiction.
- PI expectations moved from “best effort” to “service level.” If a genomics pipeline sits for 36 hours in a queue, that’s a missed submission window. Grants assume a baseline of compute the way classrooms assume electricity.
The operational consequence
- Scheduler policy is governance. Fair-share algorithms, preemptible queues, and reservation windows are policy objects that decide who gets results first. Publish them, or spend leadership time arbitrating edge cases.
- Data gravity penalizes the wrong architecture. Moving petabytes across clouds to chase a cheaper GPU hour is often a false economy once egress and time-to-answer are priced. That becomes a grant tax.
- You need a “good, better, best” menu: on-prem for steady state; cloud bursts with guardrails; and access pathways to national systems. Without a catalog, everything becomes a one-off exception.
The system implication
- Treat HPC/AI like chilled water or power — capacity planning, reserves, and cost-of-service models that faculty can explain to each other. Report queue times the way utilities report usage.
- Storage tiers are a policy instrument: scratch, active, object, cold (including tape). Without lifecycle automation, archive becomes a room full of hope and invoices.
The governance significance
- The CIO’s job is not to pick a single stack; it’s to standardize the lanes. Publish placement rules (data class, performance, cost) so PIs can self-sort. A lane is faster than a case-by-case exception.
> Grants assume a baseline of compute the way classrooms assume electricity.
Lesson — Treat research compute as a utility by publishing its performance and service levels.
To manage exploding demand from researchers, scheduler policies for fair-share access and reservations must be transparently published. These are policy objects that determine whose work gets done first. Reporting queue times and capacity plans like a utility service helps principal investigators plan their work and builds institutional trust.
GPUs without surprises
- Publish effective price signals. Whether you charge back or not, show the true cost by tier (on-prem, cloud burst, national). Hidden subsidies create future cliffs.
- Design for backpressure. When queues spike, auto-notify PIs with alternative lanes and expected completion windows. Silence erodes trust.
Instruments to pipelines
- Put capture-to-curation under one owner. The handoff from microscope to object store to workflow is where samples and time disappear.
- Co-locate compute near ingest when possible. Moving code is cheaper than moving raw data.
Security and research integrity are one domain
The condition
- Ransomware moved from abstract risk to institutional memory in 2020–2024, with several universities publicly rebuilding identity and storage after outages. Export controls and CUI requirements tightened under existing NIST 800-171 controls and related federal clauses.
- The White House’s NSPM-33 (2021) and subsequent agency policies pushed research security programs — disclosure, risk assessment, and training — into operational scope for central IT, research compliance, and general counsel.
The operational consequence
- You can’t run open science and controlled work on the same lane. Build and maintain enclaves for CUI and export-controlled projects with hardened identity, logging, and encryption — or lose awards that require them.
- MFA fatigue is a real incident vector. Push passkeys (FIDO2/WebAuthn) to reduce prompt frequency and phishing risk. Replace SMS codes where possible.
- Incident response is everyone’s second job until it becomes someone’s first job. Tabletop with PIs and deans, not just IT. The quiet hours after a breach are a governance test.
The system implication
- Security architecture is data architecture. Without clear data classes (public, internal, restricted, regulated), the same dataset will be treated three ways by three teams.
- Research compliance belongs in change management. New SaaS in a lab can create export-control exposure and data retention duties. Intake is not red tape; it’s an early-warning system.
The governance significance
- When the President and Vice President for Research can describe the risk lanes in plain terms, the institution moves faster. Put the model in their words, not yours. Open does not mean uncontrolled.
Lesson — Standardize one reference architecture for controlled research to avoid one-off solutions.
Instead of reinventing security for each project, build and reuse a hardened template for CUI and export-controlled work. This pre-cleared pattern for collaboration, access, and device posture allows researchers to start faster. This approach prevents losing awards that require these specific controls and provides predictable security.
> You can’t run open science and controlled work on the same lane.
Controlled work without friction
- Pre-clear collaboration patterns: who can access a project, from which networks, with what device posture. Publish them before the award starts.
- Build once, reuse often. A hardened compute/storage/reference architecture for CUI and export control should be a template, not a reinvention.
MFA and identity hardening
- Default to phishing-resistant MFA for privileged roles. Expand passkeys to students and staff with clear support paths.
- Kill standing shared accounts; move to named accounts plus break-glass. It is slower once; it is faster always.
Data governance as a speed lane
The condition
- Agencies tightened data expectations. NIH implemented its Data Management and Sharing policy in 2023; NSF and others emphasize data availability, reproducibility, and security. Journals and funders ask for persistent identifiers, provenance, and reuse terms.
- Internally, presidents want dashboards that tie enrollment, student success, research expenditure, and space utilization to strategy. That means stitched data.
The operational consequence
- Data-use agreements (DUAs) and IRB constraints dictate where AI and analytics can run. If the catalog doesn’t label these constraints, service desks become translators of PDF fine print.
- Retention and deletion are not optional. Storage looks cheap until subpoenas, FOIA-equivalent requests, and breach discovery multiply effort across terabytes of unknowns.
The system implication
- A working data catalog with access policy is a throughput tool. When stewards, owners, and terms are visible, projects spend more time on questions and less on scavenger hunts.
- Metadata is a budget instrument. Classifying hot, warm, and cold — and automating movement — cuts storage to fit the research lifecycle.
The governance significance
- Data governors need an escalation lane to the provost and VPR for conflicts. Without that path, the catalog dies in polite emails. Publish the path; use it sparingly.
Lesson — Make a visible, enforced data catalog the primary tool for accelerating projects.
A functional data catalog with access policies acts as a throughput tool for the entire institution. When data stewards, owners, and usage terms are visible, research teams can focus on their questions instead of scavenger hunts for data and permissions. Without this clarity, data-use agreements and IRB constraints create bottlenecks as service desks must translate PDF fine print.
The AI service catalog
- Name the models and endpoints the institution supports (hosted, third-party via approved clouds, or bring-your-own in a sandbox). State data classes allowed, logging retention, and review triggers.
- Price the choices. One model may be 10x the cost per thousand tokens for marginal accuracy gain. Make that visible.
Records you can actually manage
- Tie retention to systems with automation (SIS, LMS, research storage, email). Policy without code is a hope note.
- Build small, high-value reference datasets (de-identified) for institutional AI projects. Avoid scraping your own systems ad hoc.
Cloud, SaaS sprawl, and FinOps are design questions
The condition
- By 2025, many campuses had three active clouds, hundreds of SaaS vendors, and a rising baseline of security tooling. At the same time, major vendors adjusted pricing and terms — from Java licensing shifts in 2023 to identity, collaboration, and storage bundles that moved thresholds.
- Procurement matured, but shadow IT didn’t vanish. PIs swipe a card to meet a grant deadline; colleges sign for integrations they think are local.
The operational consequence
- Egress and exit terms now decide architecture. A system that is cheap to enter and expensive to leave is not a service; it is a liability.
- Budget variance tracks technical variance. Without Terraform or similar infrastructure-as-code, cloud cost is a function of human memory.
The system implication
- FinOps is not just chargeback. It is: golden patterns, budgets as code, alerts before spend spikes, and reserved capacity planning. The good dashboard is the one that triggers action.
- Contracts are technical documents. Incident notification windows, audit rights, data return formats, and sandbox allowances change your ability to respond.
The governance significance
- Publish a placement guide: when to use campus, public cloud, national resources, or vendor SaaS — with exit and egress plainly stated. Faculty will self-sort when the lanes are clear.
> A system that is cheap to enter and expensive to leave is not a service; it is a liability.
Lesson — Design every service adoption around a documented and tested exit strategy.
Egress fees and exit terms are now critical architectural considerations, not just contractual fine print. For any critical SaaS, require an annual documented export and re-hydration test to prove the exit plan is real. Pre-calculating the cost and time for a major data exit prevents future surprises and budget cliffs.
Exit plans that are real
- For critical SaaS, require documented export and rehydrate tests annually. You don’t have a backup until you’ve restored it.
- Avoid the 2 a.m. egress surprise. Precompute what a 10 TB exit costs and how long it takes.
Baselines you can trust
- Build cost guardrails into templates. Default tags, budget alerts, and pause policies are part of the template, not a later improvement.
- Treat observability and logging as first-class. Without them, you cannot meet incident, IRB, or grant reporting duties.
Identity is the fabric
The condition
- R1 campuses federate with thousands of services via InCommon and eduGAIN. Students and staff move in cohorts — admits, deferrals, visiting scholars, hospital affiliates — and every status change hits access.
- Research groups need fine-grained roles that track to grants and projects, not just HR titles. Service accounts still creep in through the edges.
The operational consequence
- Attribute release becomes change management. If your IdP releases too much by default, your privacy posture lags the policy. If it releases too little, integrations stall.
- Group definitions drift without owners. A “Bioinformatics” group from 2018 still grants access to a storage bucket no one remembers.
The system implication
- Lifecycle automation reduces risk. SCIM to SaaS where possible, authoritative systems for identity proofing, and role models that map to projects.
- Passkeys cut phish risk and help desk calls. Adoption requires thoughtful fallback paths and clear device guidance.
The governance significance
- Identity is where academic autonomy meets institutional risk. The best pattern: central patterns, delegated control — publish how to get exceptions and when they end.
Privileged access without chaos
- Require named accounts and just-in-time elevation for admin functions. Log and review. The first week feels slower; month two feels safer and faster.
- Put service accounts on a leash. Inventory, rotate, and tie each to an owner and a use case.
Federation that scales
- Publish an attribute-release policy with examples. Make it easy to request what’s needed and hard to overshare.
- Use groups that map to grants and classes, not job titles. Projects end; grants close; access should, too.
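An added example, not from the original article: a minimal audit over a constructed inventory that flags the identity drift described in this section (service accounts with no owner or use case, overdue rotation, and groups that outlive or never mapped to a grant). The record fields, the 90-day rotation limit, the 30-day grace period, and all names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Assumed thresholds for this example; the article does not set any.
MAX_SECRET_AGE_DAYS = 90
GRACE_DAYS_AFTER_GRANT_END = 30


@dataclass
class ServiceAccount:
    name: str
    owner: Optional[str]       # named person accountable for the account
    use_case: Optional[str]    # why the account exists
    last_rotated: date         # last credential rotation


@dataclass
class AccessGroup:
    name: str
    owner: Optional[str]
    grant_id: Optional[str]    # grant or project the group maps to
    grant_end: Optional[date]  # when that grant closes
    resources: Tuple[str, ...] # what membership unlocks


def audit_service_accounts(accounts, today):
    """Return (account, issue) pairs for accounts that are off the leash."""
    findings = []
    for a in accounts:
        if not a.owner:
            findings.append((a.name, "no-owner"))
        if not a.use_case:
            findings.append((a.name, "no-use-case"))
        if (today - a.last_rotated).days > MAX_SECRET_AGE_DAYS:
            findings.append((a.name, "rotation-overdue"))
    return findings


def audit_groups(groups, today):
    """Return (group, issue, resources) for groups that have drifted."""
    findings = []
    for g in groups:
        if not g.owner:
            findings.append((g.name, "no-owner", g.resources))
        if g.grant_id is None or g.grant_end is None:
            # Group is tied to a title or topic, so nothing ever ends it.
            findings.append((g.name, "not-mapped-to-grant", g.resources))
        elif (today - g.grant_end).days > GRACE_DAYS_AFTER_GRANT_END:
            findings.append((g.name, "grant-closed-access-remains", g.resources))
    return findings


# Constructed sample inventory (not real accounts, grants, or buckets).
TODAY = date(2026, 5, 16)
SERVICE_ACCOUNTS = [
    ServiceAccount("svc-cryoem-ingest", "jdoe",
                   "microscope to object store upload", date(2026, 4, 1)),
    ServiceAccount("svc-legacy-sync", None, None, date(2024, 1, 10)),
]
GROUPS = [
    AccessGroup("grant-EXAMPLE-001-genomics", "asmith", "EXAMPLE-001",
                date(2027, 8, 31), ("bucket/genomics-active",)),
    AccessGroup("Bioinformatics", None, None, None, ("bucket/bioinf-2018",)),
    AccessGroup("grant-EXAMPLE-002-imaging", "rlee", "EXAMPLE-002",
                date(2025, 12, 31), ("bucket/imaging-raw",)),
]

if __name__ == "__main__":
    for finding in audit_service_accounts(SERVICE_ACCOUNTS, TODAY):
        print("service-account", *finding)
    for finding in audit_groups(GROUPS, TODAY):
        print("group", *finding)
```
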
People, capacity, and the operating model
The condition
- Salary compression with industry widened from 2021 onward. Security analysts, cloud architects, and research software engineers (RSEs) can earn 30–60% more in the private sector; campuses compete on mission and stability.
- The work widened. Between research compliance, AI, and incident expectations, the same teams now hold more surface area.
The operational consequence
- Under-resourced central IT becomes a coordination tax on colleges and labs. Over-centralization without partnership creates a black market for shadow IT.
- The PMO and business relationship managers (BRMs) become throughput tools, not paperwork engines. Clarity reduces cycle time.
The system implication
- Shared services work when they are treated like utilities with service levels and steering groups. Ad hoc favors don’t scale; clear menus do.
- Partnerships with national centers and regional networks add surge capacity. So do vendor relationships that respect research timelines and data duties.
The governance significance
- Invest in RSE pools and cyber apprenticeship pipelines. Tie advancement to impact on funded projects. People are the constraint; fund the constraint.
Hiring and retention you can defend
- Pay bands that reflect market data for scarce roles. Where you can’t match, adjust scope: fewer things done better.
- Recognize after-hours load formally. Incident rotations, comp time, and on-call stipends are not perks; they’re fairness.
Operating model that reduces friction
- A single intake for research IT: consultation, security review, data governance, and funding options routed as one workflow.
- Publish an edtech intake with clear accessibility and privacy checks. Faster yeses come from better prepared requests.
Classrooms, accessibility, and the trust contract
The condition
- LMS and assessment traffic now clusters into predictable peaks. Video platforms, proctoring services, and LTI integrations create complex load paths. Accessibility expectations rose with WCAG 2.2 and renewed attention to captioning.
- Faculty rightly expect the core teaching stack to work every time, even when the network or an upstream vendor wobbles.
The operational consequence
- Load testing is part of academic readiness. Simulate peak weeks and publish expected headroom. Run failovers to a known state.
- Accessibility is a capacity question. Captioning on demand breaks budgets; scheduled pipelines with priority lanes make it predictable.
The system implication
- The LMS is part of identity, data, and assessment governance. A broken roster or grade passback becomes a governance issue, not just a ticket.
- Edtech consolidation increased vendor concentration risk. Exit plans matter here, too.
The governance significance
- Academic trust lives or dies in lived reliability. Publish uptime and incidents in plain language. Own the narrative before rumor fills it.
Peak weeks without drama
- Pre-stage capacity and vendor contact trees ahead of exams. Include escalation paths and maintenance freezes.
- Shadow the path from LMS to proctoring to gradebook. Breaks hide in the seams.
Accessibility you can budget
- Build captioning pipelines with SLAs and exception paths. Align funding with course prioritization.
- Audit LTI tools for accessibility and privacy before they go live. Fixing it later costs more trust than money.
Budgets, politics, and the cost of speed
The condition
- State support and tuition pressure keep CIOs in a squeeze. Meanwhile, agency and foundation rules push new duties (security controls, data sharing) into awards and operations.
- Vendor pricing changes and cloud variance created multi-year cliffs for unplanned renewals.
The operational consequence
- Without cost-of-service clarity, every central bill looks arbitrary. With it, chairs can plan and PIs can budget.
- Tactical savings (turning things off) create strategic costs if they hit the load-bearing walls.
The system implication
- Align F&A recovery, central budgets, and service levels. When research growth funds the shared infrastructure that enables it, the incentives line up.
- FinOps maturity is a planning input. Cost variance is a governance problem, not just a spreadsheet one.
The governance significance
- Publish the budget model and stick to it. Change it rarely and with notice. Predictability is a service.
Contracts with teeth
- Require breach notification windows, audit rights, data portability, and sandbox allowances. These protect research schedules as much as they protect data.
- Avoid per-user traps in platforms used by whole classes. Price per course or per department where possible.
Cost signals that shape demand
- Show faculty the marginal cost of choices (GPU type, storage tier, model selection) at decision time. People make good decisions with good information.
- Offer right-sized defaults. Most users don’t want to tune; they want the “works most of the time” lane.
Sustainability and resilience are now IT topics
The condition
- Weather events and grid instability created real outage risk for campus data centers. Sustainability reporting (Scopes 2 and 3) pulled IT into energy metering and vendor assessments.
- GPU power and cooling requirements turned small rooms into constraints; some campuses moved HPC to locations with better power economics.
The operational consequence
- Backup power, fuel contracts, and microgrid tie-ins are part of IT’s risk register. So are cloud region choices and cross-region replication.
- Energy usage is now a budget and PR topic. A megawatt of GPUs is not a rounding error.
The system implication
- Treat resilience as a placement attribute. Disaster recovery, region tiers, and failover tests must make it off the slide and onto the calendar.
- Sustainability choices can create grants. Green compute and data practices are a differentiator in proposals and partnerships.
The governance significance
- Add facilities and sustainability leaders to IT steering groups. The conversation is shared now.
Power and cooling without surprises
- Capacity plans that include power, not just racks. Publish constraints and timelines before the purchase order.
- Move burst workloads to regions with better energy economics when data and governance allow.
Reporting that helps, not hurts
- Meter where it matters: HPC, storage, and major SaaS usage. Estimate the rest conservatively and improve over time.
- Align sustainability reporting with FinOps. One set of numbers; two views.
The mid-course pivot: rebuild the house around the walls
Midway through 2026, many R1 CIOs have converged on the same metaphor: the institution’s digital house only stands when its load-bearing walls are funded and kept simple. The walls are research compute and AI, security/integrity, data governance, and identity. Rooms — classroom tech, departmental platforms, analytics projects — are easier to renovate when the walls are strong. Creep happens when we forget which is which.
The practical move is not another master plan; it’s a cadence:
- Quarterly capacity and risk reviews on the walls — queue times, incident metrics, catalog completeness, identity exceptions.
- Transparent budgets tied to those reviews — reserve levels, contract cliffs, and exit tests.
- Steering with the VPR, provost, and deans on the same page — one model, plain language, published lanes.
Do that, and the rooms get easier to change. Skip it, and each new need becomes a structural refactor.
The bet I’d make today
If you are the CIO of an R1 in 2026, the agenda is not a mystery. It sits in your morning queue and your contract calendar: GPU partitions, data-use terms, identity exceptions, storage tiers, incident playbooks, captioning backlogs, and a renewal that hides an egress clause. The worry list feels wide because it is. But it narrows when you treat a few functions as the load-bearing walls and fund them like utilities.
Two bets to write into the operating plan:
- Treat research compute/AI, security/integrity, data governance, and identity as the walls. Publish their service levels, risks, budgets, and exit plans. Review them on a cadence with the VPR and provost.
- Make the catalog — of data, AI services, and placement lanes — the institutional speed lane. Without it, every team becomes a translator of exceptions. With it, you earn predictable speed.
From my time building some of the earliest large-scale learning platforms, I learned that progress sticks when you reduce the number of moving parts that matter and communicate the ones that remain in terms people can act on. The same craft applies here. When the walls are clear and strong, deans stop escalating tickets as governance problems, faculty stop hedging with shadow tools, and research projects ship on time. The rooms can be repainted. The walls must hold.
That is what R1 university CIOs are worried about in 2026 — not as an abstract fear, but as a day-to-day practice that, done well, gives their institutions something tangible: speed with integrity.