IBM’s Cost of a Data Breach Report on Risks of AI Breaches

AI adoption is greatly outpacing AI security and governance, according to the latest data from IBM.
The latest iteration of its Cost of a Data Breach Report finds that, while the rapid adoption of AI is reshaping how organisations operate, it’s also opening vast new frontiers for cyber risk.
The alarming rate at which this is happening is exposing businesses to threats that traditional defenses are not equipped to handle.
The Cost of a Data Breach Report has been investigating data breaches for two decades, with 6,500 incidents analysed as part of its work.
In the time since its inception, attacks have evolved in nature, shifting from physical consequences to digital assets being the focus of malicious activity.
Cost of a Data Breach Report 2025: In brief
As enterprise AI adoption accelerates rapidly, the Cost of a Data Breach research has, for the first time, examined AI security and governance, the specific types of data targeted in AI-related incidents, the financial impact of AI-driven breaches and the prominence and risks posed by shadow AI.
IBM’s 2025 Cost of a Data Breach Report shines a light on a few striking stats, including:
- 13% of organisations reported breaches of AI models or applications
- 8% of organisations reported not knowing if they had been compromised via AI models or applications
- Of those compromised, 97% report not having AI access controls in place
- As a result, 60% of the AI-related security incidents led to compromised data and 31% led to operational disruption.
On top of this, ungoverned “shadow AI”, where employees use unapproved AI tools or models, caused one in five breaches. These shadow activities are hard to detect and manage, pushing up the average cost per incident by US$670,000 compared to organisations with controlled AI environments.
“The data shows that a gap between AI adoption and oversight already exists and threat actors are starting to exploit it,” says Suja Viswesan, Vice President, Security and Runtime Products at IBM.
“The report revealed a lack of basic access controls for AI systems, leaving highly sensitive data exposed and models vulnerable to manipulation.
“As AI becomes more deeply embedded across business operations, AI security must be treated as foundational.
“The cost of inaction isn’t just financial, it’s the loss of trust, transparency and control.”
Diving into shadow AI
The unregulated, unauthorised use of AI poses significant risks.
The consequences? Leaks of personal information, exposure of intellectual property and compliance failures that not only incur direct costs but can lead to regulatory fines.
IBM’s study says that employees now frequently use powerful Gen AI tools for tasks like code debugging or report drafting, but this often involves sharing sensitive data with external services without IT’s oversight.
The tech giant finds that only 37% of those surveyed have policies to manage AI or detect shadow AI. Security incidents involving shadow AI led to more personally identifiable information being compromised (65% of cases) and more intellectual property (40%), compared with global averages of 53% and 33% respectively.
Is AI empowering attackers?
AI is helping attacks become smarter, too.
IBM’s research reveals that 16% of breaches studied involved attackers using AI tools, mainly for phishing or deepfake impersonation attacks.
This also means the impact is profound.
The 2025 report found that nearly all organisations studied suffered operational disruption following a data breach, with it taking more than 100 days on average to recover.
And it goes beyond containment.
“While down compared to the year prior, nearly half of all organisations reported that they planned to raise the price of goods or services because of the breach and nearly one-third reported price increases of 15% or more,” IBM says.
The cost of inaction
The price to pay following an attack is not just monetary.
Although the global average cost of a data breach declined to US$4.4m, US breaches hit US$10.2m, the highest ever recorded.
Healthcare, as highlighted in previous reports, still faces the most expensive breaches, averaging US$7.42m — even though the sector saw a US$2.35m reduction in costs compared to last year.
The breach lifecycle — the time it takes to identify and contain an incident — stands at a global record low of 241 days. This 17-day reduction from 2024 comes with education, as organisations that had studied breaches detected them internally.
Those that detected the breach internally also observed a US$900,000 saving on breach costs compared to those disclosed by an attacker.




