IBM's 2025 Cost of a Data Breach Report, conducted with the Ponemon Institute across 600 breached organizations worldwide, quantifies how ungoverned AI adoption is compounding security losses. Thirteen percent of organizations reported breaches of AI models or applications, and 97 percent of those compromised said they lacked proper AI access controls.

Unsanctioned "shadow AI" emerged as a measurable cost driver. One in five organizations reported a breach caused by security incidents involving shadow AI, and companies with high levels of shadow AI saw breach costs averaging $670,000 higher than peers with little or none. Shadow AI incidents also disproportionately exposed sensitive material, compromising personally identifiable information in 65 percent of cases and intellectual property in 40 percent.

Governance lags far behind deployment. Sixty-three percent of breached organizations either had no AI governance policy or were still developing one, and among companies with policies in place, only 34 percent performed regular audits for unsanctioned AI use. Just 37 percent of organizations had policies to manage AI or detect shadow AI at all.

The headline cost figures diverged by geography. The global average cost of a data breach fell to $4.44 million, the first decline in five years, which IBM attributed partly to faster, AI-assisted detection and containment. United States organizations moved in the opposite direction, hitting a record average of $10.22 million per breach. Attackers are also adopting the technology: 16 percent of breaches involved attackers using AI, most commonly for phishing emails and deepfake impersonation.

Source: IBM Newsroom -- https://newsroom.ibm.com/2025-07-30-ibm-report-13-of-organizations-reported-breaches-of-ai-models-or-applications,-97-of-which-reported-lacking-proper-ai-access-controls