New IBM Cost of Data Breach Report: Costs Down Globally, But Control of AI is Key
August 19, 2025
The 2025 IBM Cost of Data Breach Report is out, and it leads with something that would usually be a piece of good news: global data breach costs are down for the first time in five years. There are a couple of big asterisks attached to this news, however.
One is that costs in certain markets, most notably the US, have risen sharply rather than fallen. The other is that how an organization deploys and oversees AI is becoming a critical factor, and is likely to determine whether it sees any of those savings itself.
AI “security debt” already a major issue as tools are integrated recklessly
Surveying 600 organizations that experienced a data breach in the past year, the 2025 Cost of Data Breach Report is the first of its type from a major researcher to incorporate specific questions about AI management policies and both the offensive and defensive role of AI in those breaches.
The takeaway that will likely be of greatest interest in this area is that organizations reporting "extensive" use of AI-driven automation tools in their cyber defense are already seeing significant savings: their breach recovery cycle is 80 days shorter than the global average of 241 days, and the breach ends up costing $1.9 million USD less.
On the subject of average cost of a data breach, the global figure has dipped to $4.4 million, reversing an upward trend that has persisted for years. That is not the case for the US, however, where it has spiked to an all-time high of $10.22 million. Certain industries are also not feeling much relief: health care saw a small drop but still sits at $7.42 million, keeping it the most expensive industry in which to be breached.
Average cost of data breach substantially impacted by AI controls
Going forward, the Cost of Data Breach report indicates that AI will likely be key to how damaging an attack is. The positive impact of AI defense tools has already been noted both here and elsewhere, but the bigger problem is a simple lack of policies and controls in workplaces, even as AI assistants are rapidly developed and rolled out.
The majority of the Cost of Data Breach respondents, 63%, said that their organization still does not have an AI governance policy in place. Further, of the minority that do, only a little over half say that their controls are "strong" at this point, and just under half say that their policy does not include a formal approval process for AI deployments.
Of those 600 organizations breached in the past year, 13% said an AI tool was the cause. For the majority of these respondents, this was a supply chain attack that involved an app, API or plug-in. 60% of the victims in this category said that the attackers were able to move beyond the AI tool to access other data, and 31% said that the attack ultimately disrupted operations for some time. 20% said the incident involved some manner of ungoverned "shadow IT" AI platform or app being used by employees.
Attackers have not yet turned AI tools into superweapons that can reliably generate working attack code and probe defenses on their own, but the narrower tasks that AI is already good at are seeing increasing use. The Cost of Data Breach report finds that 16% of the reported breaches involved the attackers using an AI tool of some kind, usually either to polish a phishing lure or to create a deepfake impersonation.
The bottom line in this area is that organizations whose breach involved an AI tool paid $670,000 more on average if they also reported shadow IT problems around AI use, and tended to experience a longer breach recovery cycle. This early piece of evidence paints a picture unfortunately common to the rapid rollout of new technology that promises a competitive advantage: security is taking a back seat to eye-popping productivity and profit promises, while malicious hackers have already noticed the trend and are actively exploiting it.