IBM Warns of AI Security Gaps in Latest Data Breach Report

IBM’s Cost of a Data Breach Report 2025
The 2025 Cost of a Data Breach Report by IBM warns that AI adoption is outpacing security, with 13% of firms breached and 97% lacking AI access controls

AI adoption is rapidly outstripping AI security and governance, according to the latest findings from IBM’s 2025 Cost of a Data Breach Report.

While organisations are enthusiastically integrating AI to transform their operations, this surge is simultaneously exposing new and significant avenues for cyber risk — areas where traditional security measures are quickly falling behind.

IBM’s latest research, based on the analysis of thousands of data breach incidents, reveals a fundamental shift in the nature of cyberattacks.

No longer limited to physical or even traditional digital assets, today’s threats increasingly target AI systems and their data, ushering in complexities and vulnerabilities unique to the AI-driven era.

Cost of a Data Breach Report 2025: In brief

The 2025 report, for the first time, examines the specific threats and vulnerabilities associated with AI adoption, scrutinising the types of data targeted, the financial toll of AI-centric breaches and the growing prevalence of “shadow AI”: the unsanctioned, unmonitored use of AI tools and models by employees.

IBM’s 2025 Cost of a Data Breach Report shines a light on a few striking stats, including:

  • 13% of organisations reported breaches of AI models or applications
  • 8% of organisations reported not knowing if they had been compromised via AI models or applications
  • Of those compromised, 97% report not having AI access controls in place
  • 60% of the AI-related security incidents led to compromised data and 31% led to operational disruption.

Notably, breaches involving ungoverned “shadow AI” environments were responsible for one in five incidents, pushing up the average cost per incident by US$670,000, significantly higher than for those with properly managed AI environments.

“The data shows that a gap between AI adoption and oversight already exists and threat actors are starting to exploit it,” says Suja Viswesan, Vice President, Security and Runtime Products at IBM.

“The report revealed a lack of basic access controls for AI systems, leaving highly sensitive data exposed and models vulnerable to manipulation.”

“As AI becomes more deeply embedded across business operations, AI security must be treated as foundational. The cost of inaction isn’t just financial, it’s the loss of trust, transparency and control.”

Diving into shadow AI

Shadow AI emerges as a particularly insidious risk.

Employees leveraging powerful Gen AI tools — often without IT’s knowledge — frequently share sensitive data in these unsanctioned environments.

This practice not only increases the direct risk of personal and proprietary information leaks, but can also trigger significant regulatory noncompliance issues.

The report highlights that only about a third of organisations have formal policies in place to manage or even detect shadow AI.

As a result, breaches involving shadow AI compromised personally identifiable information in 65% of cases and intellectual property in 40% — well above global averages.

Is AI empowering attackers?

Adversaries are weaponising AI, making attacks more sophisticated and difficult to detect.

The report notes that AI tools are now used in 16% of breaches, particularly for phishing campaigns and deepfake impersonation.

The result is operational disruption across nearly all organisations affected, with average recovery stretching beyond 100 days.

Moreover, the business impact extends further: many organisations reported raising prices for goods and services following a breach, with nearly a third implementing price hikes of 15% or greater.

The cost of inaction

The cost of data breaches continues to climb.

The global average now stands at US$4.4m while US organisations face an average cost of US$10.2m — the highest ever recorded.

Healthcare remains the most expensive sector for breaches, with costs averaging US$7.42m. 

The breach lifecycle — how long it takes to identify and contain incidents — has reached a global record low of 241 days, yet the penalty for detection delays remains steep.

Organisations that detected the breach internally also saved US$900,000 on breach costs compared with those whose breach was disclosed by an attacker.
