
For the first time in five years, data breach costs are on the decline. This represents faster containment, largely powered by AI. Cybersecurity at large deserves a great pat on the back.
But attackers hate being outpaced, and their AI attack rates show it.
Despite GenAI only being publicly released (unleashed?) less than 3 years ago, AI-powered attacks now account for 16% of all cyber strikes. To make matters worse, it seems that those using AI for good are failing to protect it. A full 97% of all breaches on AI happen due to insufficient access controls.
If it isn’t obvious, AI is the main story of this year’s IBM Cost of a Data Breach 2025 report. While the immediate breach decline is worth celebrating, a light unpacking of the main themes will reveal some larger trends at play.
And these are trends any security team would find worth noting.
Global Average Drops. US Average Skyrockets.
This year, the average cost of a data breach dropped from $4.88M to $4.44M. This significant 9% decline was credited to “faster identification and containment of breaches,” largely thanks to in-house teams, AI, and automation.
There was one notable exception: The US actually witnessed a 9% increase in average data breach costs. With the figure now set at $10.22 million (the highest anywhere), it is possible that higher regulatory fines and an increased cost of detection contributed to the rise.
Companies Saved $1.9M by Using AI in Security
Thanks to the growing use of AI to power security tools, companies that invested in AI security were reported to have saved $1.9M compared with their non-adopter counterparts. Additionally, they managed to shorten their containment times by 80 days.
Where was AI used? In prevention, detection, and response.
The truth, however, is still that most are failing to meaningfully adopt AI into their security flows, and therefore to see the benefit.
The Rise of Shadow AI in the AI Wild West
A full 63% of breached organizations do not have an AI governance policy in place, or are still in the process of creating one. This supports the report’s assumption that “AI adoption is outpacing oversight.”
Lack of AI governance presents a real problem, as there are no guardrails to prevent users from using random AI tools without IT intervention—or even oversight. A growth in shadow IT is one thing; a growth in shadow AI is another. And one that is likely to have big-time implications when it comes to data breaches.
Not surprisingly, one in five reported experiencing a breach caused by shadow AI. This tacked on an additional $670,000 to the cost of an average data breach for those with high levels of AI (compared with those who had low levels or none).
As called out by IBM, “the swift rise of shadow AI has displaced security skills shortages as one of the top three costly breach factors tracked by this report.”
Lack of AI Access Controls Affects 97% of AI Breaches
Among all those who reported attacks on their organization’s AI, 97% attributed the breach to a lack of proper access controls within their AI models and applications. This lends credence to the claim that AI adoption is running faster than security or governance can keep up.
That said, this is still a rising field (something to be thankful for) as only 13% of organizations overall reported attacks on their internal AI. Nevertheless, the figure is still telling as improper access controls led to compromises within the AI supply chain, via APIs, plug-ins, and apps.
The interesting trend here is that AI is, in itself, becoming a target. With so much data at its disposal, it’s no surprise.
Conclusion
The data is in the details in this one. Costs are down, but risks are up. Attackers are still pushing forward with AI-powered attacks, and organizations are starting to plateau with their AI adoption, or are failing to invest in security and governance altogether.
While this year’s reduced-rate win is worth celebrating, it comes with a note of caution. If companies fail to read the writing on the wall and harden AI security defenses, next year’s data breach costs may not look so rosy.