Gauging Gaps Birthed By the Emergence of AI

IBM has officially published the results of its latest Cost of a Data Breach Report, which revealed that AI adoption is greatly outpacing AI security and governance.

Going by the available details, this conclusion was reached after 13% of organizations reported breaches of AI models or applications, while another 8% of organizations reported not knowing if they had been compromised in this way.

Among the contingent that was compromised, a staggering 97% of respondents reported not having AI access controls in place. Almost 60% of the AI-related security incidents led to compromised data, while 31% caused operational disruption.

Making AI security even more important is the finding that organizations using AI and automation extensively throughout their security operations saved an average of $1.9 million in breach costs. They also reduced the breach lifecycle by an average of 80 days.

Looking at the study on a slightly deeper level, an estimated 63% of breached organizations either don't have an AI governance policy or are still developing one. Among the organizations that have AI governance policies in place, no more than 34% perform regular audits for unsanctioned AI.

Next, one in five organizations reported a breach due to shadow AI, and only 37% have policies to manage AI or detect shadow AI.

Organizations that used high levels of shadow AI recorded an average of $670,000 in higher breach costs than those with a low level or no shadow AI.

In fact, security incidents involving shadow AI led to more personally identifiable information (65%) and intellectual property (40%) getting compromised than the global average (53% and 33% respectively).

Another detail worth mentioning is that almost 16% of breaches showed the use of AI tools. These tools were deployed most often for phishing or deepfake impersonation attacks.

Moving on, while the global average cost of a data breach fell to $4.44 million, the first decline in five years, the average U.S. cost of a breach actually reached a record $10.22 million.

As for the global average breach lifecycle (the mean time to identify and contain a breach, including restoring services), it dropped to 241 days, a 17-day reduction from the year prior. This came on the back of more organizations detecting breaches internally.

Organizations that detected the breach internally also observed $900,000 in savings on breach costs, compared to those whose breach was disclosed by an attacker.

Out of all the breaches, attacks on healthcare systems emerged as the most prevalent archetype. We say so because such breaches averaged around $7.42 million. As if this wasn't bad enough, breaches across this sector take the longest to identify and contain at 279 days, more than 5 weeks longer than the global average of 241 days.

There are still a couple of findings left to unpack, starting with how, in the face of burgeoning cyber risk, organizations registered a major pushback during 2024. A majority of organizations opted not to pay (63%) compared to the year prior (59%).

This, in turn, has created a different challenge, as the average cost of an extortion or ransomware incident is now understood to be somewhere around $5.08 million.

Rounding out the highlights is a significant reduction in the number of organizations planning to invest in security following a breach, which settled at 49% in 2025 compared to 63% in 2024.

Notably, less than half of those planning to invest in security post-breach said they will focus on AI-driven security solutions or services.

“The data shows that a gap between AI adoption and oversight already exists, and threat actors are starting to exploit it,” said Suja Viswesan, Vice President, Security and Runtime Products, IBM. “The report revealed a lack of basic access controls for AI systems, leaving highly sensitive data exposed, and models vulnerable to manipulation. As AI becomes more deeply embedded across business operations, AI security must be treated as foundational.”
