IBM has released its 2025 Cost of a Data Breach Report, highlighting the growing risks associated with artificial intelligence (AI) in enterprise environments. The study found that while AI adoption is increasing rapidly, many organizations are not implementing adequate security measures to protect their systems.
According to the report, 13% of organizations experienced breaches involving AI models or applications, and an additional 8% were unsure if they had been compromised in this way. Of those affected by such breaches, 97% lacked proper access controls for AI. As a result, 60% of these incidents led to data being compromised and 31% caused operational disruptions.
Suja Viswesan, Vice President of Security and Runtime Products at IBM, commented on the findings: "The data shows that a gap between AI adoption and oversight already exists, and threat actors are starting to exploit it. The report revealed a lack of basic access controls for AI systems, leaving highly sensitive data exposed, and models vulnerable to manipulation. As AI becomes more deeply embedded across business operations, AI security must be treated as foundational. The cost of inaction isn't just financial, it's the loss of trust, transparency and control."
The report also noted that organizations using extensive automation and AI in their security operations saved an average of $1.9 million in breach costs and reduced breach lifecycles by about 80 days.
Findings from the Ponemon Institute-based research—which analyzed data from 600 global organizations between March 2024 and February 2025—showed significant gaps in governance policies for AI. Among breached organizations, 63% either lacked an AI governance policy or were still developing one. Only about one-third conducted regular audits for unauthorized use of AI.
Shadow AI—unregulated or unauthorized use of artificial intelligence—was cited as a cause for breaches by one in five organizations surveyed. Only 37% had policies addressing shadow AI detection or management. Incidents involving shadow AI resulted in higher average breach costs ($670,000 more than those with low or no shadow use), with increased exposure of personal information (65%) and intellectual property (40%).
Attackers are increasingly using their own AI tools; the report found that 16% of breaches involved techniques such as phishing or deepfake impersonation powered by artificial intelligence.
On average globally, the cost per data breach fell slightly to $4.44 million—the first decline reported in five years—but remained high overall. In the United States specifically, average breach costs reached $10.22 million per incident.
Healthcare remains the most costly sector for breaches at $7.42 million per incident on average—even after a reduction compared to last year—and takes longer than other sectors to identify and contain attacks.
There was also a notable shift regarding ransom payments: More organizations refused ransom demands this year (63%) compared to last year (59%). Despite this resistance, extortion-related incidents remain expensive when disclosed by attackers ($5.08 million on average).
Post-breach investments in security have declined: only 49% of organizations plan further investment following a breach, compared with 63% last year; fewer than half intend to focus spending on solutions related to artificial intelligence security.
Operational disruption remains widespread after breaches—with recovery often taking over three months—and many companies responded by raising prices on goods or services due to increased costs from these incidents.
In the two decades since its inception, the Cost of a Data Breach Report has investigated nearly 6,500 cases worldwide. In its early years, physical device loss was among the dominant causes; the report now reflects today’s digital threats like ransomware and cloud misconfiguration, alongside emerging risks tied directly to rapid enterprise adoption of artificial intelligence technologies.