October 8, 2025

Shadow AI: The emerging security threat in IBM's 2025 Cost of a Data Breach Report

IBM's annual report reveals that while global breach costs have declined for the first time in five years, a new threat has emerged: shadow AI.

IBM recently released its 20th annual Cost of a Data Breach Report 2025 in partnership with the Ponemon Institute. This year’s research reveals a significant shift in the security landscape: while global breach costs have declined for the first time in five years, a new threat has emerged—shadow AI. Here are the highlights from the 2025 report.

Key insights from IBM's Cost of a Data Breach Report 2025

Shadow AI adds $670,000 to breach costs.

Among the most alarming findings in this year's report is that organizations with high levels of shadow AI – the unauthorized use of AI without employer approval or oversight – faced an average of $670,000 in additional breach costs compared to those with low or no shadow AI. This positions shadow AI as one of the top three costliest breach factors, displacing security skills shortages from previous years.

The report found that 20% of organizations suffered a breach due to security incidents involving shadow AI. These incidents resulted in more personally identifiable information (65%) and intellectual property (40%) being compromised.

97% of AI-related breaches lacked proper access controls.

While security incidents involving an organization's AI remain limited for now (13% of organizations), the report revealed a shocking statistic: 97% of organizations that reported an AI-related breach lacked proper AI access controls. This demonstrates a critical security gap as organizations race to adopt AI without implementing proper security measures.

The most common AI security incidents occurred in the AI supply chain through compromised apps, APIs, or plug-ins, leading to broad data compromise (60%) and operational disruption (31%).

The AI governance gap is widening.

The report highlights a concerning trend: “AI adoption is significantly outpacing oversight.” A majority of breached organizations (63%) either don't have an AI governance policy or are still developing one. Even among organizations with policies in place:

  • Less than half have an approval process for AI deployments
  • 61% lack AI governance technologies
  • Only 34% perform regular audits for unsanctioned AI

This governance gap creates substantial risk exposure as AI becomes more deeply integrated into business operations.

AI is becoming a double-edged sword.

The report reveals an escalating AI arms race. On one side, defenders using AI and automation extensively shortened their breach response times by 80 days and lowered their average breach costs by $1.9 million compared to organizations not using these solutions.

On the other side, attackers are weaponizing AI at a concerning rate, with 16% of breaches reportedly involving attackers using AI. These AI-driven attacks most commonly took the form of AI-generated phishing (37%) and deepfake impersonation attacks (35%).

Why shadow AI demands immediate attention

Business disruption and data compromise

Shadow AI incidents had serious downstream effects beyond security concerns:

  • 44% suffered data compromise
  • 41% reported increased security costs
  • 39% experienced operational disruption
  • 23% faced reputational damage

These impacts demonstrate that shadow AI isn't just a security concern – it's a business risk that affects operations, finances, and reputation.

Customer PII at higher risk

Shadow AI incidents disproportionately compromised customer PII (65% vs. 53% global average) and at a higher cost per record ($166 vs. $160 global average). This indicates that shadow AI creates particular exposure for the most sensitive and valuable customer data.

Multi-environment exposure

Shadow AI security incidents most commonly affected data stored across multiple environments, revealing how “just one unmonitored AI system can lead to widespread exposure” across an organization's technology stack.

Conclusion: The time to act is now

The 2025 IBM Cost of a Data Breach Report makes it clear that shadow AI represents a significant and growing security threat. As organizations race to adopt AI, they must balance innovation with appropriate security and governance controls.

For security teams, this isn't just about preventing unauthorized AI use – it's about creating a framework where AI can be safely leveraged while maintaining visibility, control, and compliance. The organizations that address shadow AI proactively will be better positioned to both benefit from AI's advantages and avoid its emerging risks.

As the report states, "AI adoption is outpacing both security and governance." Closing this gap should be a top priority for security professionals in 2025 and beyond.

Eliminate shadow AI with Nudge Security

Nudge Security provides comprehensive AI security and governance capabilities designed to help organizations safely adopt and manage AI technologies. Here’s how:

  • Discover all shadow AI within minutes of starting a free trial.
  • Uncover AI in the supply chain of other SaaS apps.
  • Implement guardrails to ensure safe and compliant AI use.
  • Get alerted of new AI apps, accounts, integrations, and risks as they are introduced.

Learn more about our approach to AI security governance, or start a free trial today.
