Shadow AI is driving up breach costs and creating a new class of insider threat, according to IBM’s latest global cyber report, which has prompted fresh warnings over governance gaps in AI use.
The IBM Cost of a Data Breach Report, released Friday, found that 63% of breached organisations globally have no AI governance policy, while only 34% audit for unsanctioned AI use. The findings come from 600 data breaches across 17 industries and 16 countries between March 2024 and February 2025, supported by interviews with over 3,000 C-suite executives.
So-called shadow AI – where AI tools or models are used without formal oversight, security controls or approval – was linked to 20% of all breaches, adding an average £523,000 in additional costs for organisations with high levels of ungoverned AI.
Personal identification data was the most frequently compromised (65%) due to its value in fraud and resale, but intellectual property, though targeted in just 40% of breaches, was the costliest, at an average £139 per record.
Ethan Godlieb, associate partner at global speciality re/insurance broker Consilium, said the report should serve as a wake-up call to brokers and their clients.
“Most organisations have adopted AI tools now to some degree in the workplace, but few are governing it, as this latest report from IBM confirms,” Godlieb said. “The question now isn’t whether clients use AI, but how they use it. Simply relying on existing broad cyber wordings might not be enough with increasing scrutiny on AI governance. Brokers need to urge clients to audit AI usage and implement governance policies to reduce exposure, and they should consider ensuring affirmative AI coverage is included within their clients’ cyber policy wordings. Governance gaps are widening, and shadow AI is the new insider threat.”
The IBM study also revealed that while breach costs have declined globally for the first time in five years – falling to an average £3.47m – this has largely been driven by the use of AI in defence, detection and containment. However, AI is now being used in one in six attacks, including phishing and deepfake campaigns, highlighting an intensifying AI arms race in cyber warfare.