A new report from IBM, titled the "Cost of a Data Breach Report 2025," reveals a troubling trend in the cybersecurity landscape: 13% of organizations reported breaches involving their artificial intelligence (AI) models or applications. The report, which analyzed data breaches across 600 organizations globally, underscores that AI adoption is significantly outpacing its governance and security.
One of the most striking findings is that among the organizations that suffered an AI-related breach, a staggering 97% admitted to not having proper AI access controls in place. This lack of basic security led to significant consequences, with 60% of AI-related security incidents leading to compromised data and 31% resulting in operational disruption. Suja Viswesan, Vice President of Security and Runtime Products at IBM, stated, “The data shows that a gap between AI adoption and oversight already exists, and threat actors are starting to exploit it.”
The report also highlighted the problem of “shadow AI”—the unsanctioned use of AI tools by employees. Breaches involving ungoverned shadow AI environments were responsible for one in five incidents, pushing up the average cost per incident by $670,000. Furthermore, 16% of breaches studied involved attackers using AI tools, most often for phishing campaigns and deepfake impersonation attacks.
Despite the risks associated with AI, the technology also plays a crucial role in mitigating breaches. Organizations using AI and automation extensively throughout their security operations saved an average of $1.9 million in breach costs and reduced the breach lifecycle by an average of 80 days. This contributed to a global decline in the average cost of a data breach, which fell to $4.44 million, the first decrease observed in five years. In the United States, however, the trend was reversed, with the average breach cost rising 9% to an all-time high of $10.22 million.
The report also found that the global average breach lifecycle (the mean time to identify and contain a breach) dropped to 241 days, a nine-year low. Nevertheless, the healthcare sector continues to face the most expensive breaches, averaging $7.42 million and taking the longest to identify and contain at 279 days. These findings underscore the critical need for organizations to prioritize AI security and governance alongside its adoption to safeguard against evolving cyber threats.