The rise of Shadow AI is becoming a significant problem for organizations worldwide, with many unaware of the risks they face. According to IBM’s 2025 Cost of a Data Breach Report, breaches involving unauthorized employee use of AI tools cost companies an average of $4.63 million, 16% more than the global average of $4.44 million.
The report, based on interviews with 3,470 organizations, highlights the gap between AI adoption and security oversight. While only 13% of organizations reported AI-related security incidents, 97% of those breached lacked proper AI access controls, leaving sensitive data exposed. Another 8% were unsure if they had been compromised through AI systems.
Shadow AI incidents often result in compromised data and disruptions to daily operations; customers’ personally identifiable information was compromised in 65% of cases. The lack of governance is a key weakness: 63% of breached organizations either lack AI governance policies or are still developing them.
Supply chains are the favored attack vector in AI security incidents, with 30% involving compromised apps, APIs, or plug-ins. Weaponized AI is proliferating, with attackers using AI for phishing and deepfake attacks. Fine-tuned AI models are increasingly being used for malicious purposes, with models like FraudGPT and GhostGPT retailing for as little as $75 a month.
Governance is a critical weakness that adversaries exploit, with many organizations lacking essential policies and processes to reduce AI-related risks. Only 37% of organizations have AI governance policies, and even fewer conduct regular audits and adversarial testing on their AI models.
Despite the growing threat of weaponized AI, organizations that extensively use AI and automation are saving $1.9 million per breach and resolving incidents 80 days faster. AI-powered organizations spend $3.62 million per breach, compared with $5.52 million for those without AI, a 52% cost differential.
The report emphasizes the importance of governance, visibility into shadow AI, and accelerating security AI adoption. Organizations must ensure that CISOs, CROs, and CCOs collaborate regularly to invest in integrated security and governance software and processes to manage the risks associated with AI.
In a landscape where machines battle machines at speeds humans can’t match, governance is crucial for survival. By embracing AI’s benefits while rigorously managing its risks, organizations can navigate the challenges posed by Shadow AI and protect their sensitive data from malicious actors.

