IBM reports that Shadow AI adds $670K in breach costs, while 97% of enterprises ignore basic access controls

The $670,000 problem is Shadow AI. Most organizations don’t know it.

IBM’s Cost of a Data Breach Report for 2025, released today in partnership with the Ponemon Institute, found that breaches involving employees using AI tools without permission cost organizations $4.63 million on average. This is nearly 16% higher than the global average of $4.44 million.

This research, based on 3,470 interviews at 600 breached organizations, shows how AI adoption is rapidly outpacing security oversight. Only 13% of organizations reported AI security incidents; however, 97% of those breached lacked proper AI access controls. Another 8% were not sure whether their systems had been compromised via AI.

“The data shows that there is a gap in AI adoption and oversight, and threat actors have started to exploit it,” said Suja Viswesan, Vice President for Security and Runtime Products at IBM. The report revealed that AI systems lacked basic access controls, leaving highly sensitive data exposed. Models were also vulnerable to manipulation.

Shadow AI and supply chains are the preferred attack vectors.

According to the report, 60% of AI-related incidents resulted in compromised data, while 31% disrupted an organization’s day-to-day operations. In 65% of shadow AI-related incidents, customers’ personally identifiable information was compromised, significantly higher than the global average of 53%. Governance is a major weakness in AI security: 63% of breached organizations either lack AI governance policies or are still developing them. Itamar Golan, CEO of Prompt Security, told VentureBeat that his company has catalogued over 12,000 AI applications and detects 50 new ones every day. VentureBeat reports that adversaries’ tactics continue to outpace current defenses for software and model supply chains, so it is no surprise that the report found supply chains to be the primary attack vector in AI security incidents. Security incidents involving AI models, applications and other AI components were varied, but one type clearly ranked at the top: supply chain compromise (30%), which includes compromised apps, APIs and plug-ins.

Weaponized artificial intelligence is on the rise

All forms of weaponized artificial intelligence, including LLMs designed to improve attacker tradecraft, continue to accelerate. Sixteen percent of breaches involve attackers who use AI, primarily to generate phishing (37%) and deepfake attacks (35%). Models such as FraudGPT and GhostGPT (the latter distributed as freeware) and DarkGPT (which retails for as little as $75 a month) are designed for attack strategies like phishing and exploit generation.

A fine-tuned LLM can be made to produce harmful outputs. Cisco’s The State of AI Security Report found that fine-tuned LLMs can produce outputs 22 times more harmful than base models.

Etay Maor, Chief Security Strategist at Cato Networks, recently told VentureBeat: “The real problem is that AI-powered attacks are not a one-time event, but a continuous process of evasion and adaptation.” As Shlomo Kramer, CEO of Cato Networks, warned in a VentureBeat interview, “There is only a small window of time where companies can avoid getting caught with fragmented architectural designs.” The attackers move faster than integration teams.

Governance is one of the weaknesses that adversaries exploit.

Only 34% of the organizations that claim to have an AI governance policy perform regular audits for unsanctioned AI. Just 22% of organizations conduct adversarial tests on their AI models. DevSecOps was the most important factor in reducing breach costs, saving organizations $227,192 on average.

This report’s findings show how relegating security to a lower priority can harm long-term security. “A majority (63%) of breached organisations either do not have an AI governance policy or are still developing one. Even when they do have a policy in place, less than half of them have an approval process for AI implementations, and 62% have no access controls on AI systems.”

The majority of organizations lack the essential governance to reduce AI-related risk, with 87% admitting that they do not have policies or processes. Nearly two-thirds of breached companies do not audit their AI models regularly, and more than three-quarters do not conduct adversarial tests, leaving critical vulnerabilities open.

The pattern of delayed responses to known vulnerabilities extends far beyond AI governance into fundamental security practices. Chris Goettl, VP of Product Management for Endpoint Security at Ivanti, emphasizes the shift in perspective: “What we call ‘patch management’ should be more aptly named exposure management — or how long are you willing to expose your organization to a particular vulnerability?”

Why smart security pays off.

Despite the proliferation of weaponized AI, the report offers a way to combat the growing sophistication of adversaries. AI and automation can save organizations $1.9 million per breach and resolve incidents 80 days faster. According to the report, “Security teams using AI and automation extensively shortened their breaches by 80 days and reduced their average breach costs by USD 1.9 million compared to organizations that didn’t use these tools.”

The contrast is striking. Organizations using AI spent $3.62M per breach compared to $5.52M for those without, a 52% difference in cost. These teams identify breaches in 153 days compared to the 212 days it takes with traditional approaches, and they contain them within 51 days versus 72 days.

AI tools excel at quickly analyzing massive data across endpoints, logs and network traffic to spot subtle patterns early, noted Vineet Arora, CTO of WinWire. This capability transforms the security economics: while the global average breach costs $4.44 million, extensive AI users operate 18% below this benchmark.

But adoption continues to be a problem. Only 32% of organizations use AI extensively for security, 40% use it in a limited way, and 28% do not use it at all. The most mature organizations distribute AI fairly evenly across the security lifecycle, with usage at 30% for prevention, 29.9% for detection, 26.6% for investigation and 27.7% for response.

Daren G. Goeson, SVP of Product Management at Ivanti, confirms this: “AI-powered endpoint security tools are able to analyze vast amounts of data in order to detect anomalies faster and predict potential threats more accurately than any analyst.”

Security teams are not lagging: 77% match or exceed their company’s overall AI adoption. Of those investing after a breach, 45% choose AI-driven solutions, focusing on threat detection (36%), incident response planning (35%) and data security tools (31%).

DevSecOps compounds the benefits, saving an additional $227,192 and making it the most cost-reducing practice. Combined with AI’s impact on security, organizations can reduce breach costs by more than $2 million, transforming security from a cost centre into a competitive differentiator.

Why U.S. cyber costs are at record highs while the rest of the world saves millions.

In 2024, the cybersecurity landscape revealed an interesting paradox: global breach costs fell to $4.44 million, their first decrease in five years, while U.S. organizations saw their exposure skyrocket to an unprecedented $10.22 million per incident. This divergence indicates a fundamental change in the way cyber risk manifests across geographical boundaries. Healthcare organizations continue to bear the heaviest burden, with an average cost of $7.42 million per breach and resolution times that can reach 279 days, five weeks longer than their peers in other industries.

Operational costs are also high: 86% report significant business disruption, and three-quarters require more than 100 days to restore normal operations. The emergence of investment fatigue is perhaps the most alarming development for security leaders: commitments to spend on security after a breach have fallen from 63% in the previous year to just 49%, suggesting that organizations are questioning the ROI of reactive security investments. Only 2% of those who achieved full recovery did so in less than 50 days, and 26% took more than 150 days to regain their operational footing. These metrics highlight a harsh reality: while organizations globally are improving their ability to contain breach costs, U.S. businesses face an escalating crisis that traditional security spending cannot resolve. The growing gap requires a fundamental rethinking of cyber resilience strategies, especially for healthcare providers, who operate at the intersection of maximum risk and extended recovery times.

IBM’s report highlights why governance is critical

“Gen AI has lowered entry barriers for cybercriminals … Even low-sophistication attackers can leverage GenAI in order to write phishing scripts, analyze vulnerabilities, launch attacks, and do so with minimal effort,” notes George Kurtz, CEO and founder of CrowdStrike. Mike Riemer offers hope: “For years, attackers used AI to their advantage. The year 2025 will be a turning point for defenders as they begin to harness AI’s full potential for cybersecurity.”

  1. Implement AI governance now – Only 45% of organizations have approval processes for AI deployments.
  2. Gain visibility into shadow AI – Regular audits are necessary when 20% suffer breaches due to unauthorized AI.
  3. Speed up security AI adoption – The $1.9 million in savings justifies aggressive deployment.

The report concludes: “Organizations must ensure that chief information security officers (CISOs), chief revenue officers (CROs) and chief compliance officers (CCOs) and their teams collaborate regularly.” In this new world, where machines fight machines at speeds that humans cannot match, governance is not just about compliance. It’s about survival.