Data breaches become more costly with the advent of 'Shadow AI', according to a new study.
In a recent report, IBM has raised alarm bells about the increasing threat of unmonitored artificial intelligence (AI) tools, also known as "shadow AI," in the context of data breaches. The report suggests that these ungoverned AI systems could be contributing to more expensive breaches, with an average additional cost of $670,000.
The report, based on 470 interviews with individuals at 600 organizations that suffered a data breach between March 2024 and February 2025, found that 97% of AI-related breaches occurred in systems lacking proper AI access controls. Moreover, 87% of organizations have no policies to mitigate AI risks, making them particularly vulnerable.
The report also revealed that the most common origin point for hacks of businesses' AI platforms is a supply-chain intrusion, with hackers accessing the AI tool through compromised apps, APIs, or plug-ins. Hackers continue to find generative AI valuable for launching attacks, with AI-generated phishing (37%) and deepfake impersonation attacks (35%) being the most common uses.
Interestingly, while AI-powered security tools have helped reduce the global average breach cost from $4.88 million in 2024 to $4.44 million in 2025 by enabling faster breach detection and containment, this benefit is offset by attackers increasingly weaponizing AI. Around 16% of breaches involved attackers using AI.
The role of Chief Information Security Officers (CISOs) is evolving to include oversight of their companies' new AI platforms, and the report highlights the potential consequences of not taking AI security seriously enough. As technology stacks evolve to include AI platforms, the question of whether an organization is a target becomes more relevant.
Corporate stakeholders are increasingly interested in understanding the risk calculus of their technology stacks and in answering the question: are we a target? The report underscores the importance of developing robust AI governance policies and implementing proper access controls to mitigate these risks.
In summary, the IBM report delivers a clear warning: enterprises adopting AI rapidly but without strong governance and unified security strategies expose themselves to higher breach risks and costs due to shadow AI and AI-driven attacks. This growing AI oversight gap is a critical cybersecurity challenge in 2025.
- The IBM report suggests that the lack of proper AI access controls can lead to costly data breaches, with 97% of AI-related breaches occurring in systems without them.
- Hackers are using generative AI to launch attacks, with AI-generated phishing (37%) and deepfake impersonation attacks (35%) being the most common uses.
- Corporations must develop robust AI governance policies and implement proper access controls to mitigate the risks associated with shadow AI and AI-driven attacks. Enterprises that adopt AI rapidly but without strong governance and unified security strategies expose themselves to higher breach risks and costs.