This year’s edition of the IBM Cost of Data Breach Report is out, and unsurprisingly AI is a central theme. But what may surprise readers is the degree to which AI “security debt” is already accumulating due to rapid development and rollout of automation tools.
Among other key stats, the report notes that nearly every organization that experienced an AI-related security incident in the past year lacked proper AI access controls. And over half report still having no AI governance policy in place, essentially leaving employees free to deploy whatever risky “shadow IT” options in this area they might care to.
Cost of data breach report finds “bloated” AI risk, particularly in cloud environments
There is at least one piece of good news delivered by the Cost of Data Breach Report: the average global cost of a data breach is actually down overall. The bad news is that unmonitored AI and automation tools are now greatly contributing to that average cost, and are likely to send it spiking again in the near future.
Lack of access control is a central and very common issue. 63% of the 600 organizations surveyed for the Cost of Data Breach Report said that they still have no formal AI governance policy. Some of these reported that their policy is in development, but at the moment it appears that the majority of workplaces are relatively lax about allowing employees to use unmonitored AI tools. Additionally, those organizations that have implemented AI governance have not necessarily fine-tuned it to an acceptable degree yet. A little under half of these respondents said that the policy does not include an approval process for AI deployments, and a little over half said that they would not describe their AI tool access controls as “strong.”
13% of the responding organizations in the Cost of Data Breach Report reported a security breach related to an AI tool, and 97% of these respondents also said that they did not have proper AI access controls in place. About 20% reported some sort of security issue related to “shadow IT” use of AI tools in the workplace. For organizations that experienced a data breach involving such shadow AI use, the reported average cost was $670,000 higher than it was for respondents that had not had shadow IT issues relating to AI tools.
When AI tools are targeted by attackers, the Cost of Data Breach Report respondents say that they most commonly get in via the supply chain. The most common points of attack are compromised apps, APIs or plug-ins. Of those organizations that were successfully breached via an AI tool, 60% said that the attackers moved on to compromise other sources of data in the network and 31% experienced operational disruption to important infrastructure.
And while the threat of hackers wielding AI as a weapon has largely been a dud up until this year, there are signs that attackers are at least becoming more comfortable with it and are more commonly including it in the limited areas where it has proven effective: 16% of the reported data breaches in the Cost of Data Breach Report involved attackers using some sort of AI tool, most often as part of a phishing approach or deepfake impersonation.
First real bead on AI access control issues
The 2025 Cost of Data Breach Report is the first major study to survey a large sampling of data breach victims about their AI access controls, so the overall security picture in this area is only just starting to come into focus. Thus far it seems fair to say that control and security are not at all keeping up with the feverish pace of deployment of AI tools that promise huge competitive advantages.
AI itself does provide something of an answer to this situation. Of the breached organizations that were surveyed, those that reported “extensive” deployment of their own automation tools for defensive purposes also report a substantially shorter breach life cycle (80 fewer days) and a cost savings per incident of $1.9 million on average.
The Cost of Data Breach Report indicates that the average global cost for all data breaches is down to $4.44 million, the first time that number has gone down in five years. However, the average cost for US companies continued to rise and is now up to an all-time high of $10.22 million per incident. The health care industry actually saw a substantial drop in average cost, but is still experiencing an average bill of $7.42 million per incident and is also taking over a month longer than the global average to contain data breaches.
Data breach costs also end up reaching the average consumer. Just short of half of all of the Cost of Data Breach Report respondents said that their organization raised prices in response to a breach, and about one-third said that the cost increase could be as high as 15% for consumers.