Among organizations that suffered an AI-related security incident, 97% reported they lacked proper AI access controls, according to IBM's Cost of a Data Breach Report. The finding points to a governance gap as companies adopt AI faster than they secure it.

The governance shortfall runs deep. Among 600 organizations studied, 63% said they have no AI governance policies to manage AI use or prevent workers from relying on unapproved tools. Only 37% have policies to manage AI or detect shadow AI, the use of unsanctioned internet-based AI services by employees.

Shadow AI carries a measurable cost. A high level of shadow AI added an extra $670,000 to the global average breach cost, and one in five organizations reported a breach tied to it. The report also found that 13% of organizations experienced breaches of AI models or applications.

Overall breach costs moved in two directions. The global average cost fell to $4.44 million in 2025, down 9% from $4.88 million and the first decline in five years, helped by faster AI-powered containment that cut the mean breach lifecycle to 241 days. The U.S. average, by contrast, hit an all-time high of $10.22 million, 2.3 times the global figure, driven by regulatory fines and escalation costs.

Security tools that use AI delivered savings elsewhere. Organizations applying AI and automation extensively across security operations saved an average of $1.9 million and shortened the breach lifecycle by 80 days. The data shows AI cutting costs on defense while widening exposure where controls are absent.

Source: IBM - https://www.ibm.com/reports/data-breach