About one in eight organizations has already experienced an AI-related data breach, according to an IBM-commissioned research report released on July 30.
While the 13% of organizations that reported breaches of AI models or applications might seem like a relatively modest proportion, consider that among those compromised, 97% said they did not have AI access controls in place.
As a result, according to IBM, 60% of the AI-related security incidents led to compromised data and 31% led to operational disruption. About a quarter (23%) suffered financial losses.
The research, which studied data breaches experienced by 600 organizations globally from March 2024 through February 2025, was conducted by Ponemon Institute.
“The data shows that a gap between AI adoption and oversight already exists, and threat actors are starting to exploit it,” said Suja Viswesan, vice president of security and runtime products for IBM.
The average cost among all types of data breaches during the study period was $4.44 million, representing a 9% decrease from the prior 12-month period and a return to 2023 cost levels. Breach costs rose in the United States, though, to an average of $10.22 million from an average of $9.36 million.
According to the report, driving the overall global cost decrease was faster identification and containment of breaches, “much of it from organizations’ own security and security service teams, with help from AI and automation.”
However, a majority (63%) of organizations that suffered an AI breach said they either didn’t have an AI governance policy or were still developing one. Even where there was a policy, less than half (45%) had an approval process for AI deployments, and 61% lacked AI governance technologies, according to the report.
The threat posed by AI is not, of course, entirely related to lax internal governance and controls. The report noted that one in six data breaches, or 16%, involved attackers using AI themselves, most often for AI-generated phishing (37%) and deepfake impersonation attacks (35%).
Almost a third (29%) of organizations that experienced a security incident involving an AI model or application reported that the source was a software-as-a-service product provided by a third-party vendor.
Additionally, 30% of such security incidents involved supply chains, including compromised apps, APIs and plug-ins.
One in five surveyed organizations said they experienced a security incident involving unsanctioned, “shadow” AI. The average global cost of a shadow AI breach, at $4.63 million, was about 4% higher than the overall average data breach cost.