This story was originally published on CIO Dive. To receive daily news and insights, subscribe to our free daily CIO Dive newsletter.
AI applications are emerging as a high-value target for cybercriminals, and enterprise defenses are lagging, according to an IBM survey. The IT provider tapped Ponemon Institute to review data breaches at 600 organizations for its annual Cost of a Data Breach report.
Security incidents involving enterprise AI models or applications are low at just 13% of reported breaches. But of those, 97% of enterprises lacked proper AI access controls, leading to broader data compromise and operational disruption. AI-related incidents mostly occurred due to compromised apps, APIs or plug-ins.
Enterprises are also encountering AI-driven attacks, accounting for about 1 in 6 breaches. Most often, attackers are using the technology to generate phishing attempts or deepfake impersonations.
AI adoption can improve business operations and employee workflows, but it also exacerbates security risks when not governed adequately.
More than 3 in 5 enterprises said they did not have AI governance policies in place or are still in the process of developing them, according to the IBM survey. Plus, less than half of those organizations that have policies also have an approval process for deployments or perform regular audits for unsanctioned AI.
“The data shows that a gap between AI adoption and oversight already exists, and threat actors are starting to exploit it,” Suja Viswesan, VP of security and runtime products at IBM, said in a statement.
Around 1 in 5 enterprises that suffered a breach traced it back to shadow AI. While the global average breach price tag is $4.4 million, high levels of unsanctioned AI use added about $670,000 compared with companies experiencing low levels of shadow AI.
Unsanctioned use was also tied to a higher volume of personally identifiable information and intellectual property data being compromised. Due to its destructive ability, IBM put the rise of shadow AI in the top three most costly breach factors, outpacing security skills shortages.
“The cost of inaction isn’t just financial, it’s the loss of trust, transparency and control,” Viswesan said.