By Sarah Hospelhorn, CMO at BigID. BigID were finalists in the ‘Best Use of AI in Cybersecurity’ category at The 2025 A.I. Awards.

The latest IBM Cost of a Data Breach Report is here.

It paints a clear picture of where the risks are, what is driving costs up, and which investments actually pay off.

For security leaders, it is a benchmark, a warning, and a playbook all in one – with highlights on where to focus, what to fix, and how to avoid becoming the next headline.

PII is still the crown jewel for attackers

Customer personal data remains the most targeted and most costly asset in a breach. More than half of all breaches involved customer PII, and in incidents involving shadow AI the number jumped to sixty-five percent. The cost per compromised customer PII record is $160 worldwide, and $166 in shadow AI incidents. That means a 50,000-record exposure can easily exceed $8 million in direct losses before factoring in fines, churn, and reputational damage. For any organization, a single exposed data set can translate into millions in losses.

The lesson is simple. If you cannot see where all your sensitive data is, you cannot secure it. That is where identity-aware discovery, classification, and access controls become non-negotiable.

Shadow AI is not just a security problem, it is a cost problem

One in five organizations experienced a breach tied to shadow AI this year. These incidents add an average of $200,000 to breach costs, and in high-usage environments the figure jumps to $670,000. They take longer to detect, involve more personal and intellectual property data, and create downstream operational disruption.

In many cases, employees were using unsanctioned AI tools that handled sensitive data without the knowledge or approval of security teams.

Shadow AI incidents also took longer to detect and were more likely to involve both personal and intellectual property data. Treating shadow AI as just a policy violation or a compliance headache is not enough: it is an unmonitored attack surface with a price tag. Detection, governance, and automated controls are essential.

  • 20% of organizations had a breach involving shadow AI
  • $200K added to global average breach cost for shadow AI incidents
  • $670K for organizations with high shadow AI usage
  • 65% of shadow AI breaches involved customer PII
  • 40% involved intellectual property
  • Detection and containment times are a week longer than the global average

AI adoption is outpacing AI governance

Sixty-three percent of breached organizations had no AI governance policy in place. Among those that did, less than half had a formal approval process for AI deployments, and only a third conducted regular audits for unsanctioned AI. Ninety-seven percent of AI-related breaches involved systems without proper access controls.

This governance gap is one of the most fixable risks in the report. Security and compliance teams need to work together to create a unified inventory of AI systems, enforce access policies, and continuously monitor for rogue deployments.

AI access controls are the weak link

Ninety-seven percent of AI-related breaches involved systems without proper access controls. Nearly a third of authorized AI security incidents led to unauthorized access to sensitive data, while 29 percent caused a loss of data integrity and 23 percent resulted in direct financial loss. These numbers show that access control is not just a gap; it is the core vulnerability in AI adoption today.

AI models are now embedded in workflows that handle regulated and business-critical information. Without strong controls, those models can expose the very data they were meant to protect. Traditional identity and access tools were never designed for AI workloads, where models consume massive datasets and make decisions at machine speed. That creates new risks: who has access to the model, who can feed it data, and who can see its outputs.

Every instance of poor control is a potential breach cost waiting to happen. Closing this gap means treating AI systems like any other high-value asset. That requires guardrails for data ingestion, tighter restrictions on model access, continuous monitoring for misuse, and governance that keeps pace with how AI is actually used in the business. Organizations that fail to put those controls in place are not just courting regulatory exposure; they are inviting real financial and reputational damage.

AI in security is a proven cost reducer

Organizations that use AI and automation extensively across the security lifecycle reduced their breach costs by $1.9 million on average and cut incident response times by eighty days. Yet only 32 percent report extensive use, and adoption rates have barely moved from last year.

AI in security is not just a force multiplier for overextended teams; it is a direct cost saver. From automated classification to faster investigation and remediation, the return on investment is proven.

Multi-environment breaches carry higher costs

Thirty percent of breaches involved data spread across multiple environments. These cost an average of $5.05 million and took 276 days to contain – the longest of any breach type. Without unified visibility and controls, hybrid environments become a liability.

Security visibility that stops at a single environment is no longer enough. Modern data lives across public cloud, private cloud, and on-premises systems, and breaches cross those boundaries without friction. Security controls and discovery tools must be able to do the same.

Industry trends – where the stakes are highest

Healthcare remains the most expensive sector for breaches at $7.42 million on average. Financial and industrial organizations also sit well above the global average. For these industries, the combination of regulatory exposure, sensitive customer data, and complex infrastructure means higher stakes and higher costs.

What security leaders can take away

The data is clear on where to focus:

  • Find and protect PII everywhere it lives, since customer data carries the highest cost and risk.
  • Get shadow AI under control by detecting it, governing it, and shutting it down before it turns into an expensive breach.
  • Build AI governance into your security program and treat AI assets like any other high-value system.
  • Use AI and automation extensively in security, because the cost and speed benefits are proven.
  • Secure across environments, not in silos, because breaches will cross boundaries if your tools cannot.

The organizations that win will be those that combine visibility, governance, and automation across their entire data landscape – and that treat AI as both a business opportunity and a business risk that demands control.

About the Author: Sarah Hospelhorn

Based in Brooklyn, NY, Sarah focuses on the strategy behind solving problems in data security – and the storytelling that drives innovation in the market. She’s been in tech for over 20 years, with experience in enterprise software, hardware, and cryptography.