Editor’s note: Only 17 of 663 industry IT certifications made Foote Partners’ “Hot List” of certifications earning well above average cash pay premiums for Q1 of 2026 plus showing strong growth in the prior six months, and three of those certifications – Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC) and Certified in the Governance of Enterprise IT (CGEIT) – are from ISACA. Below, Foote Partners Chief Analyst and Research Officer David Foote provides analysis of trending certification pay data across the industry in this Q&A interview with the ISACA Now blog.
ISACA Now: Can you provide our readers a bit of background on your IT certifications hot list and what it represents?
David Foote: Since 1999, Foote Partners has been collecting data for cash pay premium bonuses that employers pay their employees for certified and noncertified IT skills. This data is reported in our IT Skills and Certification Pay Index™ (ITSCPI) and updated every 90 days. We launched our Hot List Forecast 10 years ago as a forward-looking market intelligence tool that combines both measured cash pay premiums with recent market value growth performance to identify certifications currently earning well-above-average pay premiums that will likely become even more expensive to hire over the next several months. We then check in with executives in our 5,112 employer research partner network that share their pay data with us to see what might be juicing these high-performing certifications. Right now, we’re reporting data for 663 IT certifications and only 17 made the current certification Hot List.
ISACA Now: CISA, CRISC and CGEIT each made the list for the second quarter of 2026. You mentioned this being unprecedented in more than 20 years of closely tracking this data. Can you elaborate on what makes this so striking?
David Foote: These three certifications have been on our ITSCPI radar for years but never appeared on a Hot List at the same time. Looking at our historical data, it should come as no surprise that demand for skills is constantly shifting. The driver behind these mature certifications, and some adjacent to them, is that AI has now shifted from experimental to operational. Once AI enters production, executives immediately ask new questions:
- Which AI systems are allowed and who approves model usage?
- Who owns model decisions?
- Who owns AI risk?
- How do we audit AI decisions?
- What controls exist?
- What data can AI access?
- How do we prove compliance?
- How do we monitor third-party AI vendors, and what happens if they change their model?
- Who is accountable if AI makes a bad recommendation?
Organizations require board-level oversight and formal governance structures around AI risk, and these three certifications sit directly in this space. The CGEIT helps answer the question “Can we govern AI technology at enterprise scale?” For the CISA it’s “Can we audit and verify AI?” For the CRISC it’s “Can we measure and control AI risk?”
These are becoming strategic questions rather than technical questions; they are interconnected more than ever, and in a structural way labor demand is shifting toward human control functions. The CISA, CGEIT and CRISC are largely certifications about those issues, and ISACA coordinates them skillfully.
But let me also point out that this AI explosion is putting a premium on both noncertified and certified skills aimed at modernizing infrastructure, managing new cyber risks and governing an increasingly complex hybrid environment that basically sits in the cloud. In the noncertified IT skills space—we report 746 of them—there is a much higher degree of segmentation defining trends in AI skills and pay volatility is much higher than with certifications. And although ISACA certifications aren’t the only ones benefiting from this AI shift, there is certainly a very high degree of confidence being placed on these three by employers at this moment.
ISACA Now: Cash premiums for IT certifications climbed while pay for noncertified IT skills dropped. How do you assess that contrast?
David Foote: Noncertified skills are being repriced downward as employers reassess and redistribute value across hundreds of rapidly changing skills that cover a lot of ground. Certifications are mostly concentrated in security, infrastructure, governance and architecture disciplines, and are benefiting from scarcity and stronger signaling value.
Employers now think about jobs more as tasks, not titles: tasks that can be done entirely by an AI agent/robot, tasks that will be done with a human working with an AI agent/robot, and finally, tasks that are uniquely human. This has created a large labor market effect as many standalone skills have suddenly become less differentiated, partially automated, embedded into tools and generally easier to acquire. It’s put downward pressure on pay for individual skills and certifications, but also upward pressure on skills and certifications combinations. It’s really quite extraordinary, this new demand for what we call multidimensional “Swiss Army knife” teams and professionals who can engineer, secure, monitor, optimize and govern AI systems in production environments. We authored an ISACA Now blog about these new Versatilist professionals.
ISACA Now: What are your observations on AI’s impact on new governance and how CGEIT fits into this picture?
David Foote: The value of the CGEIT certification has increased because AI is creating a new problem for enterprises: organizations no longer merely need people who can deploy technology — they need people who can govern technology at enterprise scale.
It’s noteworthy that CGEIT’s gain has occurred while many noncertified skills have been losing value on average. The implication is that employers are paying more for capabilities associated with decision-making, accountability and control rather than only technical implementation. AI is changing governance into a continuous enterprise problem, exposing executives to face questions that previously barely existed. And on top of that, the intensifying challenge comes with AI cutting across almost every function: security, legal, compliance, HR, operations, finance, technology and executive leadership.
Why do we believe the CGEIT will gain more momentum going forward? Because as AI automates more implementation work, the remaining high-value work increasingly becomes setting policies, establishing accountability, balancing risk and opportunity, defining controls and governing tech investments.
And consider this: organizations have deployed generative AI, AI agents and LLM-based workflows so rapidly that, for many, it has exceeded their current governance structure. Now, companies are discovering problems with shadow AI, unclear ownership, data leakage, inconsistent policies, regulatory exposure and overall unclear accountability.
The CGEIT is fundamentally about aligning technology decisions with business objectives while managing risk and performance. Its domains roughly align with areas that are all in increasing demand: governance frameworks, strategic alignment, benefits realization, risk optimization, resource optimization. This has positioned the CGEIT for greater demand.
ISACA Now: You anticipate a surge in AI-related certifications, an area ISACA has made a focal point over the past year with AAIA, AAISM and AAIR. How do you see layering AI expertise into existing areas of knowledge most benefiting IT professionals going forward?
David Foote: It’s true that, rather than replacing established knowledge domains, AI increasingly appears to be a force multiplier for existing expertise. AI is likely to follow the same adoption path as cloud computing, data management and project management – for example, where “AI + domain experience” is highly prized, similar to “cloud + security,” “data + business analytics,” and “PM + transformation expertise.” The new ISACA AI certifications are being layered onto existing governance and risk domains, which aligns closely with the above path.
AI may not create the largest long-term gains for pure technical implementation roles. Professionals with CGEIT + AI governance, CRISC + AI risk or CISA + AI auditing will likely achieve stronger market differentiation than those with only broad AI knowledge.
The professionals most likely to benefit will not be those who simply accumulate AI certifications, but rather those who integrate AI into their existing expertise and serve as translators between technology and business outcomes. Certifications can help with that but only if they’re designed to do so.
Forecasting the timeline for how this may unfold, we see the following:
2023 – 2026: Learn AI
2026 – 2030: Apply AI inside a discipline
2030+: Lead organizations using AI