IBM’s latest Cost of a Data Breach Report delivers insights about artificial intelligence (AI) security that extend beyond traditional cybersecurity concerns. While the global average cost of data breaches decreased for the first time in five years to $4.44 million (attributed to faster breach containment driven by Al-powered defenses), the report reveals organizations are losing control over AI systems they don’t know exist, creating vulnerabilities that traditional security frameworks can’t address.
The most striking finding is that 97% of organizations experiencing AI-related security incidents lacked proper AI access controls, while 63% of breached organizations had no governance policies for managing AI or detecting unauthorized use. These are systematic organizational blind spots that can fundamentally compromise institutional decision-making capacity.
Shadow AI Crisis
The report documents “shadow AI” — AI tools that employees use without organizational knowledge or approval. One in five organizations reported a breach due to security incidents involving shadow AI, with breaches involving high levels of shadow AI adding $670,000 to the average breach cost compared to those with low or no shadow AI. This higher cost results from longer detection and containment times for these incidents, which took a week longer than the global average.
Shadow AI represents more than a security risk; it reveals how AI adoption can outpace organizational awareness and control. Breaches involving shadow AI were more likely to result in compromise of personally identifiable information (65%) and intellectual property (40%). This issue has displaced the security skills shortage as one of the top three most costly breach factors.
Governance Vacuum
The finding that nearly two-thirds of organizations (63%) lack AI governance policies reveals systematic underinvestment in oversight capabilities. This gap becomes particularly dangerous when combined with AI’s tendency to become essential infrastructure faster than organizations recognize.
Traditional IT governance assumes organizations can inventory technical assets and control their deployment. However, the study found that even among organizations with governance policies, less than half have approval processes for AI deployments, and only 34% perform regular audits for unsanctioned AI.
The governance gap creates cascading risks:
Invisible Dependencies: Organizations can’t manage risks they don’t know exist, and AI systems may become critical to operations without appearing on official inventories.
Compliance Blindness: Regulatory requirements for AI governance, risk assessment, and system impacts become impossible to satisfy without visibility into actual AI usage.
Liability Accumulation: Legal exposure from AI decisions, bias, errors, and security incidents may be accumulating without adequate insurance coverage or risk mitigation strategies.
Access Control Challenges
The finding that 97% of organizations with AI security incidents lacked proper access controls highlights a fundamental challenge: AI systems often require broad data access to function effectively, creating tension between AI capability and security requirements.
The most common AI-related security incidents occurred in the AI supply chain, through compromised apps, APIs, or plug-ins. These incidents had ripple effects, leading to broad data compromise (60%) and operational disruption (31%), suggesting AI is emerging as a high-value target for attackers.
International Regulatory Implications
The report’s global scope reveals lack of AI governance maturity across jurisdictions. While the US saw average breach costs surge to $10.22 million (an all-time high for any region), driven by steeper regulatory fines, most other countries experienced decreases. This suggests organizations operating internationally face challenges maintaining consistent AI oversight while complying with divergent regulatory requirements.
Building Effective AI Oversight
The report’s findings suggest several critical steps for addressing the AI oversight gap:
AI Discovery and Inventory: Systematically identify existing AI usage across the organization, including informal tools and integrations.
Shadow AI Detection: Implement monitoring systems and policies to identify unauthorized AI usage before it creates security or compliance exposure.
Governance Framework Development: Create comprehensive policies addressing both sanctioned and unauthorized AI, with the most common policy being strict approval processes for AI deployments.
Risk Assessment Integration: Incorporate AI-specific risks into existing enterprise risk management frameworks rather than treating AI as separate security concern.
Human Oversight Preservation: Ensure AI governance includes mechanisms for maintaining human decision-making capacity.
Strategic Implications
The IBM report’s findings indicate that effective AI security requires more than traditional cybersecurity approaches. Organizations need frameworks addressing not just AI system security, but the broader challenge of maintaining institutional awareness and control over AI-influenced decision-making processes.
This means developing governance capabilities that can keep pace with AI adoption, creating oversight mechanisms that preserve human judgment alongside AI efficiency, and building organizational culture that values transparency and accountability in AI usage.
The alternative — continuing to operate with invisible AI dependencies and ungoverned shadow systems — creates security, compliance, and liability exposures extending beyond the data breach costs IBM measures. Organizations that address the AI oversight gap proactively will be better positioned to leverage AI capabilities while maintaining institutional control that effective governance requires.