IBM, Ponemon Report Credits AI for Drop in Data Breach Costs
By Cam Sivesind
Wed | Aug 6, 2025 | 11:18 AM PDT

This year's IBM Cost of a Data Breach Report provides a sobering look at how the latest technological shifts are impacting enterprise security. The 20th anniversary edition of the report, conducted by the Ponemon Institute and sponsored by IBM, studied 600 organizations and reveals a crucial new threat: the "AI Oversight Gap." For cybersecurity professionals, the report is a clear call to action to govern AI adoption before it becomes an unmanageable security risk.

For the first time in five years, the global average cost of a data breach has decreased, dropping 9% to $4.44 million. The decline is attributed to faster breach identification and containment, largely driven by the use of AI-powered defenses and automation.

However, the United States bucks this trend entirely. The report highlights that "breach costs there have surged past USD 10 million, driven by steeper regulatory penalties and rising detection costs." The average cost of a breach in the U.S. hit a record high of $10.22 million, a 9% increase over the previous year.

The report positions AI as both a powerful defensive tool and a potent weapon for attackers.

There is a clear defensive advantage: security teams that extensively use AI and automation saw significant benefits, having "shortened their breach times by 80 days and lowered their average breach costs by USD 1.9 million" compared to organizations that did not.

The flip side is bad actors using AI as an offensive weapon, and attackers are not far behind. According to the report, 16% of data breaches involved attackers using AI; the most common uses were AI-generated phishing (37%) and deepfake impersonation attacks (35%).

"As business leaders continue to dive into, and drive, the AI hype, they must confront the bloated risk that persists within their overall infrastructures. This is especially true when it comes to cloud security, where AI workloads and data spend most of their time," Limor Kessem, X-Force Cyber Crisis Management Global Lead at IBM, wrote in a July 30 blog post. "To ensure these remain within organizational risk appetite levels, security leaders need to help their businesses win at AI by reassessing their cybersecurity frameworks. These leaders must ensure their companies can adapt to the evolving risks that accompany AI technologies."

Perhaps the most concerning finding is the widespread lack of governance around AI. The report found that AI adoption is outpacing oversight:

  • Shadow AI: A significant percentage of organizations (20%) suffered a breach due to security incidents involving "shadow AI." The report defines shadow AI as "the use of AI without employer approval or oversight." For organizations with high levels of shadow AI, these breaches added an additional $670,000 to the average breach cost.

  • Lack of controls: Among the organizations that reported an AI-related breach, a staggering 97% lacked proper AI access controls.

  • Governance vacuum: A majority of breached organizations (63%) either do not have an AI governance policy or are still in the process of developing one.

Kessem cites one recommendation in the report to "strengthen AI governance, risk and compliance (GRC): Align AI initiatives with organizational objectives by ensuring robust AI governance. That governance should focus on the development and deployment of AI systems, overseeing processes, policies, and controls that address the unique complexities and risks introduced by AI. Support this process by leaning on the existing data governance policies to ensure that both work in lockstep to minimize data and privacy risks."

Other key findings

  • Top attack vectors: Malicious insider attacks and third-party vendor compromise were the costliest initial threat vectors, at an average of $4.92 million and $4.91 million respectively. The most frequent attack vector was phishing, accounting for 16% of all breaches.

  • Healthcare is still the top target: For the 14th consecutive year, the healthcare industry experienced the highest average breach costs at $7.42 million. These breaches also took the longest to identify and contain, at 279 days.

  • Security teams are improving: Security teams and their tools are getting better at breach detection. They detected 50% of breaches this year, a significant jump from 42% last year. Breaches identified by internal teams also cost less, at an average of $4.18 million, compared to $5.08 million when the attacker disclosed the breach.

The 2025 IBM report serves as a powerful reminder that while AI offers immense potential for defenders, its unguarded adoption creates a new and costly attack surface. For cybersecurity professionals, the message is clear: it's time to build a robust framework for AI governance and oversight to prevent the next wave of costly breaches.