IBM has released its 2025 Cost of a Data Breach Report, highlighting that the rapid adoption of artificial intelligence (AI) is outpacing security and governance measures. The report, conducted by Ponemon Institute and sponsored by IBM, examined data breaches experienced by 600 organizations worldwide between March 2024 and February 2025.
According to the findings, 13% of organizations reported breaches involving AI models or applications. An additional 8% were unsure if they had been compromised in this way. Of those that suffered AI-related breaches, 97% did not have access controls for their AI systems. As a result, 60% of these incidents led to compromised data and 31% caused operational disruption.
"The data shows that a gap between AI adoption and oversight already exists, and threat actors are starting to exploit it," said Suja Viswesan, Vice President, Security and Runtime Products, IBM. "The report revealed a lack of basic access controls for AI systems, leaving highly sensitive data exposed, and models vulnerable to manipulation. As AI becomes more deeply embedded across business operations, AI security must be treated as foundational. The cost of inaction isn't just financial, it's the loss of trust, transparency and control."
The report also found that organizations extensively using AI and automation in their security operations saved an average of $1.9 million in breach costs and reduced the breach lifecycle by about 80 days.
Regarding governance policies for AI, the study showed that 63% of breached organizations either lacked an AI governance policy or were still developing one. Among those with policies in place, only about one-third regularly audited for unsanctioned use of AI.
Shadow AI—unregulated or unauthorized use of artificial intelligence—was identified as a significant risk factor. One in five organizations reported a breach due to shadow AI; only 37% had policies to manage or detect such activity. Organizations with high levels of shadow AI saw average breach costs increase by $670,000 compared to those with little or no shadow AI use. Incidents involving shadow AI also resulted in higher rates of personal information (65%) and intellectual property (40%) being compromised than the global averages.
The report noted that attackers are increasingly using AI tools themselves: 16% of studied breaches involved methods such as phishing or deepfake impersonation powered by artificial intelligence.
On financial impact, the global average cost per data breach dropped slightly to $4.44 million—the first decline in five years—while U.S.-based breaches reached a record high at $10.22 million on average. Healthcare remained the most expensive sector for breaches at $7.42 million per incident despite seeing some reduction from previous years; these incidents also took longer than average to resolve.
Ransomware continues to pose challenges: last year saw more organizations refusing ransom payments (63%, up from 59%), but extortion-related incidents that were disclosed by the attacker still carried high costs ($5.08 million on average).
There was also a notable decrease in planned post-breach security investments: only 49% said they would invest further after experiencing a breach, compared to 63% last year, and fewer than half intended to focus on solutions driven by artificial intelligence.
Operationally, nearly all affected organizations faced disruption following a breach—with recovery taking over 100 days on average—and many reported raising prices as a consequence.
Since its inception in 2005, IBM’s Cost of a Data Breach Report has tracked changes in how cyber threats evolve alongside technology shifts—from physical device thefts making up nearly half of all breaches two decades ago to today’s landscape dominated by digital attacks including ransomware and now risks associated with widespread enterprise use of artificial intelligence.
A full copy of the report is available for download through IBM’s website. Registration is open for an upcoming webinar discussing these findings, scheduled for August 13, 2025, at 11:00 a.m. ET.