AI breaches aren’t just a scare story any more – they’re happening in real life
IBM research shows a lack of proper AI access controls is leading to costly data leaks
AI adoption is greatly outpacing AI security and governance – that’s the message being sent by IBM following the release of its latest Cost of Data Breach report.
According to the company, 20% of the 600 organizations it surveyed had suffered a breach “due to security incidents involving shadow AI”.
“For organizations with high levels of shadow AI, those breaches added USD 670,000 to the average breach price tag compared to those that had low levels of shadow IT or none,” it added.
While shadow AI is a problem in its own right according to the IBM report, legitimate AI tools can also cause problems.
“On average, 13% of organizations reported breaches that involved their AI models or applications,” the report reads.
Most commonly, these weren’t direct attacks, but instead took place in the supply chain, for example through compromised apps, APIs, or plug-ins. The knock-on effects include operational disruption (31%) and broad data compromise (60%).
The report goes on to note, however, that once again a lack of governance and oversight was a significant factor in these breaches. Indeed, only 3% of organizations affected had proper AI access controls in place.
Generative AI is being used as an attack tool
Poor internal AI governance and shadow AI aren’t the only risks the technology presents to organizations. Cyber criminals are themselves making use of generative AI as a new tool in their arsenal.
IBM noted that one-in-six breaches in the past year involved AI, with would-be attackers able to polish and scale phishing campaigns and other social engineering attacks.
“IBM previously found gen AI reduced the time needed to craft a convincing phishing email from 16 hours down to only five minutes,” the report noted.
“This year’s report shows the impact: on average, 16% of data breaches involved attackers using AI, most often for AI-generated phishing (37%) and deepfake impersonation attacks (35%).”
Data breach winners and losers
While it’s hard to claim there are any winners when it comes to being on the receiving end of a data breach, some find themselves losing more than others.
IBM found that the cost of a data breach in the US had increased by just under $1 million, bringing the average cost from $9.36 million to $10.22 million in 2025.
Organizations in the Middle East, the second most expensive region in which to experience a data breach, faced an average cost of $7.29 million, down from $8.57 million in 2024.
Like the US, Benelux and Canada also experienced a rise in costs, albeit less significant, going from $5.90 million to $6.24 million and $4.66 million to $4.84 million respectively.
The remaining geographies surveyed all sat at $4.14 million or under, with Brazil coming in last at $1.22 million, a fall of $140,000 from $1.36 million in 2024.
Another loser on the data breach scene is hackers themselves. IBM cited what it calls “ransomware fatigue”, with a majority (63%) of organizations hit by ransomware attacks in 2025 saying they didn’t pay the ransom, compared to 41% that did in 2024.
Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.