IBM Report Warns of Shadow AI and Identity Gaps as Breach Costs Hit $10M in U.S.

Artificial intelligence is now a double-edged sword in cybersecurity. IBM’s Cost of a Data Breach Report 2025 reveals that while AI and automation are shortening breach lifecycles and reducing costs globally, they are also introducing new vulnerabilities, especially in organizations without proper governance. In the U.S., where breaches are costliest, the gap between innovation and oversight is proving especially expensive.

The global average cost of a data breach dropped for the first time in five years, to $4.44 million. But in the U.S., that number surged to an all-time high of $10.22 million. The factors driving this discrepancy go far beyond regulatory penalties. According to IBM, breaches involving AI systems now account for 13% of incidents, and nearly all of them (97%) occurred in environments lacking proper access controls.

“The data shows that a gap between AI adoption and oversight already exists, and threat actors are starting to exploit it,” said Suja Viswesan, VP of security and runtime products at IBM. “The report revealed a lack of basic access controls for AI systems, leaving highly sensitive data exposed, and models vulnerable to manipulation.”

The report also confirms a trend long observed by industry experts: despite increased spending, breach frequency and severity remain stubborn. Nimrod Partush, VP of AI & Innovation at CYE, contextualized IBM’s findings within a broader failure of cybersecurity strategy.

“We see a direct correlation between the finding that cybersecurity maturity has improved globally on average over the past 18 months, which is manifested in an overall reduction in the average cost of a data breach, whether it's by the ability to identify exposure, detect a breach or respond and recover faster,” Partush said. “That said, a global average is misleading, as it sends an optimistic message that doesn't reflect reality.”

Pointing to IBM’s record-high U.S. breach costs, Partush warned that larger budgets alone are no silver bullet. “It once again supports the conclusion that bigger cybersecurity budgets cannot reduce the number of breaches or their financial impact... The approach must fundamentally change, top down and from the ground up.”

IBM’s findings echo CYE’s own 2025 Global Maturity Report, which flagged inadequate governance as a persistent issue, particularly in AI and third-party risk. “The IBM report strengthens the need for governance, powered by pre-emptive cyber exposure management,” Partush added. “This will directly translate into reducing the impact of data breaches and cyberattacks altogether, especially in light of the continued exponential growth in the number of cyberattacks.”

IBM's study, now in its 20th year, surveyed over 3,000 executives across 600 breached organizations between March 2024 and February 2025. Among the most alarming trends: 16% of breaches were tied to attacker use of AI, most commonly for generative phishing (37%) and deepfake impersonation (35%).

Yet AI isn’t just fueling attacks. Security teams with extensive AI and automation capabilities saved an average of $1.9 million per breach and resolved incidents 80 days faster than those without. Still, this performance plateaued compared to 2024, raising questions about whether AI-enabled defense investment is slowing or hitting diminishing returns.

Phishing has now surpassed stolen credentials as the top attack vector, accounting for 16% of breaches, while supply chain compromise surged to the second most common and equally costly vector. Malicious insiders remain the most expensive breach type, at $4.91 million per incident.

Healthcare held its title as the costliest sector for the 14th consecutive year, with average breach costs of $7.42 million and an average response time of 279 days, over five weeks longer than the global mean.

Shadow AI also emerged as a high-risk liability. One in five respondents suffered breaches involving unsanctioned AI systems. These incidents tacked on $670,000 in additional costs on average, often compromising both personal and proprietary data, especially when systems spanned multiple environments.

That complexity plays out in the numbers. While breaches involving multi-environment data cost an average of $5.05 million, those affecting only on-prem systems averaged $4.01 million.

Time to detect and contain breaches has improved, falling to 241 days, the lowest in nine years. IBM attributes this progress to the increasing deployment of AI-powered security tools, even as the technology itself creates new gaps in oversight.

IBM's final message centers on identity and access management, especially for non-human actors like AI agents. The report urges organizations to apply the same rigor in credential control and audit visibility for AI systems as they do for employees.

In the age of distributed data, hybrid environments and shadow AI, the lesson is clear: innovation without governance isn’t just risky, it’s expensive.