Shadow AI is a growing concern for organizations, with IBM’s recent report revealing that breaches involving employees’ unauthorized use of AI tools cost companies an average of $4.63 million. That is significantly higher than the global average of $4.44 million. The research, based on interviews with 3,470 organizations, highlights the gap between AI adoption and security oversight. While only 13% of organizations reported AI-related security incidents, 97% of those breached lacked proper AI access controls, and 8% were unsure if they had been compromised through AI systems.
According to Suja Viswesan, Vice President of Security and Runtime Products at IBM, the lack of basic access controls for AI systems leaves sensitive data exposed and models vulnerable to manipulation. This gap in oversight has allowed threat actors to exploit organizations, with 60% of AI-related security incidents resulting in compromised data and 31% causing disruptions to daily operations. Customers’ personally identifiable information (PII) was compromised in 65% of shadow AI incidents, highlighting the need for better governance policies.
Itamar Golan, CEO of Prompt Security, compares shadow AI to doping in the Tour de France, emphasizing the desire for an edge without considering the long-term consequences. Adversaries are leveraging supply chains as the primary attack vector for AI security incidents, with 30% involving compromised apps, APIs, or plug-ins. Weaponized AI is also on the rise, with attackers using AI to generate phishing and deepfake attacks.
The report underscores the importance of governance in addressing these vulnerabilities. Only 37% of organizations have AI governance policies in place, with just 34% conducting regular audits for unsanctioned AI and 22% performing adversarial testing on AI models. DevSecOps has emerged as a cost-reducing factor, saving organizations an average of $227,192 per breach.
Despite the challenges posed by shadow AI and weaponized AI, organizations that leverage AI and automation extensively are saving $1.9 million per breach and resolving incidents 80 days faster. AI-powered organizations spend $3.62 million on breaches, compared to $5.52 million for those without AI. The report emphasizes the need for organizations to embrace AI security tools to detect anomalies and predict potential threats faster and more accurately than human analysts.
The cybersecurity landscape is evolving, with U.S. organizations experiencing record-high breach costs while global costs are declining. Healthcare organizations face the highest burden, with an average cost of $7.42 million per breach and extended resolution timelines. The report highlights the need for organizations to invest in AI-driven solutions for threat detection, incident response planning, and data security tools.
In conclusion, IBM’s report underscores the critical importance of governance in addressing the challenges posed by shadow AI and weaponized AI. Organizations must implement AI governance policies, gain visibility into shadow AI, and accelerate security AI adoption to mitigate risks effectively. By investing in integrated security and governance software and processes, organizations can automatically discover and govern shadow AI, ensuring their survival in the face of evolving cyber threats.