2025 Cost of a Data Breach Report: Navigating the AI rush without sidelining security

30 July 2025

 

 

Author

Limor Kessem

X-Force Cyber Crisis Management Global Lead

IBM

The cyber landscape has changed dramatically with the rapid adoption of artificial intelligence. In the frenzied race to harness the potential of AI, organizations often find themselves up against the clock, eager to deploy AI without first assessing their foundational cybersecurity measures. This creates a dangerous parallel: while businesses scramble to adopt AI for competitive advantage, cybercriminals are just as rapidly incorporating these technologies into their attack arsenals.

It’s not all bad news. For the first time in five years, global data breach costs have declined. IBM’s newly released 2025 Cost of a Data Breach Report found that average global costs dropped to USD 4.44 million, down 9% from USD 4.88 million the year prior. The catalyst? Faster breach containment driven by AI-powered defenses. According to the report, organizations were able to identify and contain a breach within a mean time of 241 days, the lowest it’s been in nine years.

Yet this progress comes with a caveat: the very speed of AI and automation deployment that’s helping organizations defend better is also creating new risks. This phenomenon of AI adoption outpacing oversight can lead to significant security debt, posing risk for enterprises determined to maintain a competitive edge. This debt—the cumulative consequences of delayed or inadequate cybersecurity practices—can lead to severe vulnerabilities over time. With AI, organizations are already starting to flash the warning signs.

The AI oversight gap

Consider this: a staggering 97% of breached organizations that experienced an AI-related security incident say they lacked proper AI access controls, according to findings from the Cost of a Data Breach Report. Additionally, among the 600 organizations researched by the independent Ponemon Institute, 63% revealed they have no AI governance policies in place to manage AI or prevent workers from using shadow AI.

This AI oversight gap is carrying heavy financial and operational costs. The report shows that having a high level of shadow AI—where workers download or use unapproved internet-based AI tools—added an extra USD 670,000 to the global average breach cost. AI-related breaches also had a ripple effect: they led to broad data compromise and operational disruption. That disruption can stop organizations from processing sales orders, providing customer service and keeping supply chains running.

By neglecting foundational cybersecurity practices when adopting AI, companies leave themselves vulnerable to operational disruption of AI-based workloads, large-scale data breaches that span multi-cloud and on-premise environments, and the potential exposure of intellectual property used to train or tune their AI implementations.

As business leaders continue to dive into, and drive, the AI hype, they must confront the bloated risk that persists within their overall infrastructures. This is especially true when it comes to cloud security, where AI workloads and data spend most of their time. To ensure these remain within organizational risk appetite levels, security leaders need to help their businesses win at AI by reassessing their cybersecurity frameworks. These leaders must ensure their companies can adapt to the evolving risks that accompany AI technologies.

This includes regular audits of security and data protection policies, adapting controls, evolving response plans and investing in employee training. As newly appointed Chief AI Officers (CAIOs) gradually join the C-suite ranks, security leaders need to be right there next to them. They should strengthen their ties with the governance, risk and compliance (GRC) teams to help break down current or emerging silos with the department overseeing regulatory compliance. This will go a long way toward ensuring alignment and creating a strong crisis-response bond in case of a data breach involving AI assets.

How risky is this situation? Cybercriminals are acutely aware of this situational weakness, which positions AI workloads as high-value targets ripe for compromise. Is the risk materializing in the real world? The answer, as you can see in the data above, is yes. The report reveals that 13% of surveyed organizations have experienced an attack that impacted their AI models or applications. That percentage is small, for now. We are likely to see many more such attacks in the coming 12 months, unless security leaders and their business counterparts recognize the risk and pivot to focus more intently on AI security.

Essential measures to reduce security risk

To mitigate these risks and strengthen their security posture, organizations should:

1. Fortify identity & access management: Implement robust identity management and privileged access management for both human and non-human identities (NHIs), particularly in cloud environments. Utilize advanced multifactor authentication (MFA) schemes, staying away from SMS-based codes. Leverage identity management solutions that enhance security while streamlining effective access management.

2. Review and reinforce cloud security: Your AI data is most likely moving through clouds, working in the cloud and requiring third-party cloud interactions. Conduct thorough assessments of cloud configurations and permissions. Employ cloud-native security tools to monitor activities and enforce security policies effectively. Shift to AI-enhanced automation to rapidly detect and mitigate risks.

3. Strengthen AI governance, risk and compliance (GRC): Align AI initiatives with organizational objectives by ensuring robust AI governance. That governance should focus on the development and deployment of AI systems, overseeing processes, policies, and controls that address the unique complexities and risks introduced by AI. Support this process by leaning on the existing data governance policies to ensure that both work in lockstep to minimize data and privacy risks.

Employ technologies that enable data lineage tracking that follows the journey of data within your organization, from its origin to its final destination, and all the transformations it undergoes along the way. This can help your organization with visibility, ethical AI practices and responding faster to potential data compromise.

4. Provide continuous education and training: Regularly educate and train staff on emerging AI threats and best practices. Develop robust plans, playbooks and response strategies across relevant risk scenarios. Conduct tabletop exercises and simulations to prepare teams for potential cyber incidents.

Bridging the gap between rapid AI adoption and diligent security practices will better equip teams to face the evolving AI threat landscape. Prioritizing governance, ethical considerations and security today will set the stage for resilience tomorrow.

Register to download the full 2025 Cost of a Data Breach Report, and join security experts from IBM and AllTrue.ai in this webinar to learn top insights, including leading contributors to data breach costs, by industry and geography, the risk profile of shadow AI, and practical recommendations to bolster security defenses.
