IBM’s latest Cost of a Data Breach report finds that AI is already an easy and high value target.
A new IBM report finds that artificial intelligence adoption is “greatly” outpacing AI security and governance.
The company has been issuing its annual Cost of a Data Breach report for two decades now. The latest report is the first to study breaches in relation to security, governance and access controls for AI. According to its findings, AI is already an easy and high value target.
However, AI also plays a leading role in cybersecurity, with IBM suggesting in 2023 that the tech had the biggest impact on the speed of breach identification and containment. In the wrong hands, though, the tech can have drastic consequences for businesses.
The latest report, conducted by Ponemon Institute, analyses data breaches experienced by 600 organisations between March 2024 and February 2025.
It finds that organisations are increasingly bypassing security and governance for AI in favour of faster adoption of the tech. Globally, companies are quick to adopt AI into their business and workflows, with more than two-thirds of European organisations expected to integrate the tech by the end of this year.
Of the organisations studied in this report, 13pc reported breaches of AI models or applications, while 8pc reported not knowing whether they had been compromised this way.
97pc of those compromised in AI breaches report not having access controls for the tech in place. As a result of the AI-related breaches, 60pc led to compromised data and 31pc led to organisational disruptions.
Interestingly, the cost of data breaches saw the first decline in five years, falling to a global average of nearly $4.5m. However, the costs rose in the US, where the average data breach now costs a record $10.2m.
Last year, the global average cost of a data breach was around $4.8m – a 10pc hike from the year before.
According to the report, nearly all organisations studied suffered operational disruption following a data breach, and the disruptions took more than 100 days on average to solve and recover from.
The global average time taken to identify, contain and restore services, however, is around 241 days.
Some industries are, however, more susceptible to data breaches and harder hit by them. Averaging $7.4m, healthcare breaches remained the most expensive, even as the sector saw a reduction in costs when compared to the previous year.
Breaches across healthcare also took the longest to identify and contain, at 279 days.
Globally, organisations are pushing back on ransom demands, with around 63pc opting not to pay. The UK government has also taken a similar route, proposing to ban public sector bodies in the country from paying ransoms demanded by cybercriminals.
However, as more organisations refuse to pay ransoms, the average extortion cost remains high, IBM finds, especially when a breach is disclosed by an attacker (at more than $5m) as opposed to being detected internally.
Organisations that do end up detecting the breach internally observed nearly $900,000 in savings.
Lack of governance
As organisations increasingly use AI, so do threat actors. According to the report, 16pc of the studied breaches involved attackers that used AI tools, most often for phishing or deepfake impersonation attacks.
Shadow AI, or the unsanctioned use of AI tools by employees without prior approval or oversight from IT or security teams, is also causing particular issues to organisations, IBM finds.
Organisations that use shadow AI reported an average of $670,000 of added cost when breached as opposed to those that used it at low levels or not at all.
Moreover, security incidents involving shadow AI led to more personally identifiable information and intellectual property being compromised when compared to the global average.
The Cost of a Data Breach report finds that 63pc of breached organisations either don’t have an AI governance policy or are still developing one. And of the organisations that have AI governance policies in place, only 34pc perform regular audits for unsanctioned AI.
Even still, IBM finds a “significant reduction” in the number of organisations that said they plan to invest in security following a breach.
Moreover, less than half of those that plan to invest in security post-breach said they will focus on AI-driven security solutions or services.
“The data shows that a gap between AI adoption and oversight already exists and threat actors are starting to exploit it,” said Suja Viswesan, the vice president of security and runtime products at IBM.
“The report revealed a lack of basic access controls for AI systems, leaving highly sensitive data exposed, and models vulnerable to manipulation. As AI becomes more deeply embedded across business operations, AI security must be treated as foundational. The cost of inaction isn’t just financial, it’s the loss of trust, transparency and control.”