Drupal Planet

Drupal AI Initiative: Drupal Is All In on AI. Now Comes the Hard Part

Original article posted by Christoph Breidert on 1xINTERNET website

Over a decade ago, I co-founded 1xINTERNET on the conviction that Drupal was the best platform for ambitious web applications. That bet paid off. But recently, as AI began disrupting our industry, I found myself facing an unfamiliar feeling: uncertainty. For the first time in my career, the path forward wasn't entirely clear.

If you are a decision-maker navigating this shift, you likely feel the same way. We are all trying to figure out how to leverage AI's huge potential without compromising enterprise security, compliance, or content quality.

The good news is that while the broader AI landscape remains turbulent, the direction for content management systems is becoming clear.

Christoph Breidert


Christoph Breidert facilitating a Drupal AI workshop at DrupalCon Chicago 2026.

When the Drupal AI Initiative was founded in June 2025 by 1xINTERNET, Acquia, DropSolid, FreelyGive, and Salsa Digital, our mission was to chart that exact path. Today, alongside Niels Aers, my role is to manage the AI product direction so that organizations can confidently bring AI into production.

Since the founding, over 30 leading companies have joined the initiative. But a defining moment happened recently at DrupalCon Chicago 2026. During his keynote - the "Driesnote" - Drupal founder Dries Buytaert bluntly asked the community regarding the AI shift: Are you in or are you out?

The undeniable energy from the community and the rapidly intensifying momentum proved one thing: Drupal is all in on AI.

But what does "all in" actually mean? We aren't just talking about adding superficial features like chatbots or simple text generators. We have built a powerful agentic infrastructure natively into Drupal. This provides us with a robust foundation, allowing organizations to build complex AI applications and deploy autonomous agents capable of executing multi-step workflows on their behalf.

What an Agentic CMS actually requires

Let’s be clear: Agentic AI delivers incredible velocity, and every organization from SMEs to global enterprises needs that speed. But deploying autonomous agents without control is a liability. You need AI infrastructure that accelerates your workflows while ensuring that this speed doesn't destroy your content quality or violate your compliance rules.

This requires a robust governance foundation to run the infrastructure safely. The Drupal AI Initiative has spent the past months building exactly that. These are the final pieces we have built to complete the production-ready foundation:

  • AI Guardrails: Configurable rules that intercept both outgoing requests and incoming AI responses. Whether it's preventing the exposure of personal data (PII), ensuring prompt safety, or mitigating legal liability, guardrails keep the AI agents within defined boundaries.
  • AI Observability: Complete transparency into what your AI agents are doing. Every prompt, token usage metric, and model response is logged, providing a clear audit trail for compliance and cost optimization.
  • Context Control Center: AI models are useless without context. This system acts as a router, intelligently feeding the right organizational data (and only the right data) to the LLM based on the user's specific task.
Introducing AI Content Reviews

Let’s separate the hype from reality: The core foundation of Drupal AI is production-ready today. With a secure governance infrastructure now in place, we are shifting from building the engine to delivering the applications. We are shipping out-of-the-box features so organizations can immediately benefit without building complex workflows from scratch.

The first major capability rolling out is AI Content Reviews. This is not a future roadmap concept, it is a real, tangible feature designed to close the quality gap for large websites by acting as a continuous, background quality assurance partner.

It provides scalable, AI-assisted content governance that integrates naturally into how editors already work. The system evaluates content against your organization's specific rules, such as brand voice, legal compliance, SEO, and accessibility. It flags issues, explains them in plain language, and proposes concrete fixes. Crucially, human oversight remains the starting point: an editor simply reviews the flagged issues and can apply the suggested fixes with a single click.


AI Review Management Overview

Upcoming features

AI Content Reviews is just the first application of our agentic infrastructure. Following close behind is AI-powered semantic search with synthesized summaries. This allows visitors to find what they need through meaning rather than keywords, enabling the site to surface direct answers instead of just a list of results. 

We are also actively packaging AI assistants embedded natively across editorial workflows, site-building, and end-user interfaces. These capabilities have been thoroughly explored and validated in our innovation workstream and are now being readied for production use.

Want to see the full picture of what we are building? You can explore the complete Drupal AI Roadmap to see exactly where the initiative is heading next.


Overview Drupal AI Roadmap 2026.

Drupal’s architectural advantage

Why build this directly into Drupal instead of relying on external AI services or other CMS platforms? It comes down to a fundamental technological advantage. Many modern CMS platforms, especially closed SaaS products and pure headless systems, force you to rely on disconnected external API wrappers to communicate with AI. This architectural limitation means your developers have to manually rebuild your existing user permissions, workflows, and access rules in a separate middleware layer just to keep the AI secure.

Drupal AI has a distinct head start because of its deep internal architecture:

  • Co-location with the Content Graph: AI models are only as good as the context they can access. By embedding AI orchestration directly within Drupal, the AI has native, zero-latency access to your entire structured content graph. There is no integration friction.
  • Native Permissions & Access Control: Because Drupal's entity system and field-level access controls are so deeply integrated, the AI operates entirely within your existing permissions. It cannot expose, analyze, or modify content the user shouldn't see.
  • Provider-Agnostic Abstraction: Similar to what makes frameworks like LangChain powerful, Drupal AI abstracts the LLM providers (OpenAI, Anthropic, local models, etc.). But unlike external middle-tiers, Drupal enforces strict schema typing before data ever hits your database, ensuring structural integrity.

An Unmatched Ecosystem for AI Agents: Autonomous agents need tools to interact with the outside world. Because Drupal already possesses a massive, deeply established ecosystem of enterprise integrations, your AI agents can directly interact with your CRMs, ERPs, and marketing platforms. You don’t have to build custom API connectors for your AI to take action across your broader tech stack.

Moving forward

The uncertainty of the AI era remains, no one knows exactly what the landscape will look like in three years. I'm being honest about that. But what I do know is that the architecture we are building is solid, the foundation is ready, the community driving it is fully committed and has the resources.

If you are evaluating whether Drupal is the right foundation for AI-powered content management, you don't have to figure that out alone. The Drupal AI Partners network brings together specialized agencies with deep experience deploying exactly these capabilities. If you are ready to move from evaluation to implementation, that is the right place to start.

We are all building in conditions none of us have navigated before.
The difference is what we are building on.

The Drop Times: Erdfisch Expands nerdfisch DevBits into Public Drupal Code Archive

Reusable fixes often remain confined to individual projects, forcing developers to solve the same problems repeatedly. erdfisch has expanded its internal DevBits system into a publicly accessible archive, exposing working Drupal code snippets drawn directly from project work. The collection prioritises immediate implementation over explanation, making internal solutions available without reshaping them into long-form documentation.

Drupal Starshot blog: Differentiating Marketplace Site Templates and Community Site Templates

Site templates are available through two distinct pathways, each serving different needs within the community.

The official Drupal.org Marketplace provides a curated collection of site templates that meet certain quality standards, and are built on top of Drupal CMS as a foundation.

Community templates offer an alternative pathway for innovation and experimentation without the constraints of the curation process, by publishing the template as a general project on Drupal.org.

Official Marketplace Site Templates

The Drupal.org Marketplace are built on top of Drupal CMS, and curated to provide new users with confidence that they're starting with a consistent, solid and professionally built foundation that follows established best practices.

Key characteristics

  • Templates undergo a review processes

  • Must follow Drupal CMS best practices for security, accessibility (WCAG 2.2 AA), performance, and code quality

  • In the beginning, focus is solely on growing Drupal CMS adoption; site templates accelerate adoption of Drupal CMS by providing context relevant demo content and Drupal Canvas-compatible theme

  • Clear documentation, maintenance commitments, and user support expectations

  • Currently open to Drupal Certified Partners (for organizations) and Ripplemakers (for individuals or very small companies). Apply to become a creator here.

Benefits

  • Consistency for users who need reliable, production-ready starting points

  • Quality assurance through professional review processes

  • Support and maintenance commitments for long-term sustainability

  • Revenue opportunities for professional template creators

  • Sustainability for the Drupal Association through revenue sharing

Community Site Templates

Anyone interested in contributing a template can do so now, by publishing it as a general project on Drupal.org. All free site templates, including marketplace templates, are general projects for packaging and distribution purposes. Community site templates will be considered for inclusion in the Drupal.org Marketplace based on their compatibility with the outlined criteria.

Key characteristics

  • Can be published without formal review or approval

  • Not bound by the same standards as Marketplace templates

  • Can be built using Drupal CMS or Drupal Core

  • Available to all community members

  • Can take risks and explore directions that might not fit Marketplace criteria

Benefits:

  • Innovation by removing barriers to experimentation

  • Diversity of approaches and implementations

  • Learning opportunities for the community to explore what's possible

  • Stepping stones that might eventually evolve into Marketplace templates

  • Lower barriers to entry for community contribution

Security advisories: Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003

Project: Drupal coreDate: 2026-April-15Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site scriptingAffected versions: >= 11.3.0 < 11.3.7CVE IDs: CVE-2026-6367Description: 

Drupal 11.3 comes with support for completing entity suggestions whilst adding a link to CKEditor 5.

The suggestions aren't sufficiently sanitized and a malicious user could trigger a stored cross site scripting attack against another user.

Solution: 

Install the latest version:

  • If you use Drupal 11.3.x, update to Drupal 11.3.7
  • Drupal versions below 11.3 are not affected by this vulnerability
Reported By: Fixed By: Coordinated By: 

Security advisories: Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002

Project: Drupal coreDate: 2026-April-15Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Gadget ChainAffected versions: >= 8.0.0 < 10.5.9 || >= 10.6.0 < 10.6.7 || >= 11.0.0 < 11.2.11 || >= 11.3.0 < 11.3.7CVE IDs: CVE-2026-6366Description: 

Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution or SQL injection if the application deserializes untrusted data due to another vulnerability.

This issue is not directly exploitable.

This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.

Solution: 

Install the latest version:

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: Fixed By: Coordinated By: 

Security advisories: Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001

Project: Drupal coreDate: 2026-April-15Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site scriptingAffected versions: >= 8.0.0 < 10.5.9 || >= 10.6.0 < 10.6.7 || >= 11.0.0 < 11.2.11 || >= 11.3.0 < 11.3.7CVE IDs: CVE-2026-6365Description: 

Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which which can lead to a cross-site scripting (XSS) vulnerability.

Solution: 

Install the latest version:

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: Fixed By: Coordinated By: 

Drupal Association blog: DrupalCon Chicago 2026: Where Innovation Meets the Open Web

Written by members of the DrupalCon Chicago Steering Committee.

Contributors: Stephen Mustgrave, Avi Schwab, Nikki Flores, and Rosie Gladden.

DrupalCon Chicago 2026 brought together leading experts in digital experience development, open source innovation, and enterprise technology.

The event provided a unique opportunity to connect with decision-makers, technical leaders, and innovators shaping the future of digital experiences.  More than 1,300 tech leaders, CEOs, developers, marketing executives, agencies, and enterprise decision-makers gathered to help define the future of the Open Web.


Image: Group photo in Chicago (Photo by Curt Rochon, CC BY-NC 4.0)

​A Diverse and Multilingual Global Community

Participants from 26 separate countries brought with them an estimated 15+ languages, reflecting the rich linguistic and cultural diversity of the Drupal ecosystem.  The United States (82.4%), Canada (6%), India (2%), Germany (1.2%) and Costa Rica (1.1%) were topping the list in terms of attendee numbers, with Brazil (1%), Colombia (0.8%) and the United Kingdom (0.8%) close behind.

This global span not only highlights Drupal’s widespread adoption, but also underscores the strength of a community shaped by varied perspectives, experiences, and ideas from around the world. Next year we’d love to add more blue!​

​Event Attendance

A total of 1,316 participants attended in Chicago, an increase from 1,288 for Atlanta 2025.  Of these we saw 394 first-time attendees, marking a 10.67% increase from those new to the event in 2025.  

539 of 1,316 also chose to extend their learning at the Summits & Trainings, with the AI Summit seeing the largest turnout in its first year, with 104 attendees joining to learn about the latest insights connected to Drupal AI.

Welcoming the Next Generation: Drupal in a Day

Outside of the main conference, and following the successful Drupal in a Day organized ahead of DrupalCon Vienna by Hilmar Kári Hallbjörnsson, DrupalCon Chicago saw the North America inaugural program take place alongside the contribution day. 

The training session, organized and staffed by ten volunteers, welcomed 55 learners of high school and college age to interact with Drupal CMS for the first time, helping to expand the reach of the community to new users of all ages. We thank the mentors and supporters who made this event a welcoming place for students, and particularly thank all the individual donors who made this happen, as well as Acquia for sponsoring, and Martin Anderson-Clutz and Jordan Thompson for instructing.


Image: Drupal in a day in Chicago (Photo by Paul Johnson, CC BY-NC 4.0)

Grassroots to Global 

Building on the momentum of 2025, the local community ticket-sharing initiative (1 complimentary ticket for every 5th sold through participating organizations) resulted in an increase of 77.5% of ticket purchases which were affiliated with a local group at registration.  This initiative continued to grow in both reach and impact, what began as a strong show of grassroots participation has evolved into a more connected and collaborative global network of local camps and meetups celebrating together at DrupalCon. 

Participation has expanded beyond the initial groups, with 61 communities engaging through shared resources, cross-promotion, and increased visibility at the 2026 conference. This growth reflects not just higher numbers, but a deeper alignment across the community, where local leaders feel empowered, recognized, and increasingly integrated into the broader Drupal ecosystem.​

A Community Spanning All Skill Levels

DrupalCon Chicago 2026 showcased a well-balanced and highly skilled community, with attendees representing every stage of the Drupal journey. Experienced professionals made up the majority, including 348 advanced practitioners (32%) and 301 self-identified Drupal experts (27.7%), creating a strong foundation for in-depth technical exchange and innovation.

Intermediate attendees accounted for 297 participants (27.3%), playing a key role in connecting emerging talent with seasoned leaders. At the same time, the event remained welcoming to newcomers, with 117 beginners (10.8%) and 25 individuals completely new to Drupal (2.3%) joining the community.​

Special Luncheons 

The Drupal Association formerly required sponsors, who provided programming support for community interest luncheons. These were folded into general programming this year, and we’d like to acknowledge that not all programs had an assigned, designated host. In the next year, our focus is on strengthening local, regional, topical, and community interest groups, so please reach out to us on how to get connected.

Breakfast & Luncheons Registered Black in Drupal Luncheon 68 Ripple Makers Breakfast 200 Women in Drupal Luncheon 200 Total 468 See You in Orlando

DrupalCon Orlando will see vision meet execution. Whether you're architecting enterprise platforms, launching your next big project, or scaling what you've already built in Drupal, this is the event that meets you where you are and pushes you further. 

Save the date!

Pages