AI adoption is greatly outpacing AI security and governance – that’s the message being sent by IBM following the release of its latest Cost of Data Breach report.
According to the company, 20% of the 600 organizations it surveyed had suffered a breach “due to security incidents involving shadow AI”.
“For organizations with high levels of shadow AI, those breaches added USD 670,000 to the average breach price tag compared to those that had low levels of shadow IT or none,” it added.
While shadow AI is a problem in its own right according to the IBM report, legitimate AI tools can also cause problems.
“On average, 13% of organizations reported breaches that involved their AI models or applications,” the report reads.
Most commonly, these weren’t direct attacks, but instead took place in the supply chain, for example through compromised apps, APIs, or plug-ins. The knock-on effects include operational disruption (31%) and broad data compromise (60%).
The report goes on to note, however, that once again a lack of governance and oversight was a significant factor in these breaches. Indeed, only 3% of organizations affected had proper AI access controls in place.
Poor internal AI governance and shadow AI aren’t the only risks the technology presents to organizations. Cyber criminals are themselves making use of generative AI as a new tool in their arsenal.
IBM noted that one-in-six breaches in the past year involved AI, with would-be attackers able to polish and scale phishing campaigns and other social engineering attacks.
“IBM previously found gen AI reduced the time needed to craft a convincing phishing email from 16 hours down to only five minutes,” the report noted.
“This year’s report shows the impact: on average, 16% of data breaches involved attackers using AI, most often for AI-generated phishing (37%) and deepfake impersonation attacks (35%).”
Data breach winners and losers
While it’s hard to claim there are any winners when it comes to being the receiving end of a data breach, some find themselves losing more than others.
IBM found that the cost of a data breach in the US had increased by just under $1 million, bringing the average cost from $9.36 million to $10.22 million in 2025.
Organizations in the Middle East, the second most expensive region in which to experience a data breach, faced an average cost of $7.29 million, down from $8.57 million in 2024.
Like the US, Benelux and Canada also experienced a rise in costs, albeit less significant, going from $5.90 million to $6.24 million and $4.66 million to $4.84 million respectively.
The remaining geographies surveyed all sat at $4.14 million or under, with Brazil coming in last at $1.22 million, a fall of $140,000 from $1.36 million in 2024.
Another loser on the data breach scene is hackers themselves. IBM cited what it calls “ransomware fatigue”, with a slight majority (63%) of organizations hit by ransomware attacks in 2025 saying they didn’t pay the ransom, compared to 41% that did in 2024.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
