IBM: Shadow AI Breaches Lead to $670K Increase in Costs; 97% of Companies Unprepared

The Rising Threat of Shadow AI: A Growing Challenge for Organizations

Organizations increasingly face a hidden risk known as Shadow AI: employees using AI tools that the organization has not approved and does not monitor. IBM's 2025 Cost of a Data Breach Report, produced with the Ponemon Institute, puts a price on it. Breaches involving shadow AI cost an average of $4.63 million, above the global average of $4.44 million and roughly $670,000 more than breaches at organizations with little or no shadow AI.

The report draws on interviews with more than 3,400 people at 600 organizations that suffered a breach, and its central finding is that AI adoption is outpacing the security controls around it. Only 13% of organizations reported an AI-related security incident, but 97% of those that did lacked proper AI access controls, and a further 8% of respondents could not say whether their AI systems had been compromised.

Suja Viswesan, IBM’s Vice President of Security and Runtime Products, highlighted the vulnerabilities exposed due to inadequate oversight. “The data indicates a growing gap between AI adoption and security oversight, which malicious actors are beginning to exploit,” she stated. This critical issue is underscored by a notable lack of governance; 63% of breached organizations either do not have AI governance policies or are still in the process of developing them.

The report also identifies supply chains as a prime target: 60% of AI-related security incidents led to data compromise and 31% to operational disruption. Shadow AI incidents were especially likely to expose personally identifiable information (PII), doing so in 65% of cases against a 53% global average. Itamar Golan, CEO of Prompt Security, compared Shadow AI to illicit performance enhancers, warning that the long-term cost of chasing an edge through risky shortcuts is easy to underestimate.

Attackers are also using AI themselves, notably for more convincing phishing and for deepfake impersonation, and the report notes that this weaponized use is growing quickly: 16% of breaches now involve attackers using AI to enhance their operations. Defenses have to adapt to that shift.

Even among organizations that say they have an AI governance policy, only a minority conduct regular audits for unauthorized AI use. Without such audits an organization cannot know which tools its employees are feeding data into, which both raises the likelihood of a breach and makes one harder to scope and contain. The broader trend is that most organizations treat AI governance as a low priority, leaving gaps that attackers can exploit.
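What such an audit looks like in practice, as an added example that is not from the IBM report or from this article: a small Python script that walks web-proxy log lines, flags requests to generative-AI services, and separates sanctioned use (a known gateway account hitting an approved API) from shadow use by individual users. The host list, the sanctioned-account mapping, the large-upload threshold and the log lines are all constructed for illustration and are assumptions to be replaced with your own proxy format, CASB or threat-intel feed, and approved services.

```python
"""Shadow AI audit over web-proxy logs (illustrative, constructed data)."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: an illustrative host-to-service map; in practice source this
# from your CASB / threat-intel feed and refresh it, because it goes stale.
GENAI_HOSTS = {
    "api.openai.com": "OpenAI API",
    "chatgpt.com": "ChatGPT web",
    "api.anthropic.com": "Anthropic API",
    "claude.ai": "Claude web",
    "generativelanguage.googleapis.com": "Gemini API",
    "gemini.google.com": "Gemini web",
}

# Assumption: hypothetical sanctioned usage, keyed by host, listing the
# accounts (e.g. an egress gateway) allowed to talk to that service.
SANCTIONED = {
    "api.openai.com": {"svc-ai-gateway"},
}

# Assumption: a request body above this size is worth a closer look
# (bulk document or source upload); tune to your environment.
LARGE_UPLOAD_BYTES = 100_000

# Constructed sample log lines in a key=value format; not from any real system.
SAMPLE_LOG = """\
2025-07-30T09:12:01Z user=alice src=10.1.2.3 method=POST url=https://api.openai.com/v1/chat/completions bytes_out=18234 status=200
2025-07-30T09:12:05Z user=svc-ai-gateway src=10.9.0.7 method=POST url=https://api.openai.com/v1/chat/completions bytes_out=5210 status=200
2025-07-30T09:13:44Z user=bob src=10.1.2.9 method=POST url=https://claude.ai/api/organizations/x/chat_conversations bytes_out=402113 status=200
2025-07-30T09:14:10Z user=carol src=10.1.2.4 method=GET url=https://www.example.com/ bytes_out=120 status=200
2025-07-30T09:15:00Z user=bob src=10.1.2.9 method=POST url=https://generativelanguage.googleapis.com/v1beta/models/x:generateContent bytes_out=9000 status=200
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    parts = line.split(None, 1)
    if len(parts) != 2:
        return None
    rec = {"ts": parts[0]}
    rec.update(_KV.findall(parts[1]))
    try:
        rec["bytes_out"] = int(rec.get("bytes_out", "0"))
    except ValueError:
        rec["bytes_out"] = 0
    # urlparse lowercases the hostname, so the lookup below is case-insensitive.
    rec["host"] = urlparse(rec.get("url", "")).hostname or ""
    return rec


def classify(rec, genai_hosts=GENAI_HOSTS, sanctioned=SANCTIONED):
    """Return 'none' (not an AI service), 'sanctioned' or 'shadow' for one request."""
    host = rec["host"]
    if host not in genai_hosts:
        return "none"
    if rec.get("user") in sanctioned.get(host, set()):
        return "sanctioned"
    return "shadow"


def audit(log_text, genai_hosts=GENAI_HOSTS, sanctioned=SANCTIONED,
          large_upload=LARGE_UPLOAD_BYTES):
    """Aggregate shadow-AI findings per user; count sanctioned requests separately."""
    per_user = defaultdict(lambda: {"services": set(), "requests": 0,
                                    "bytes_out": 0, "large_uploads": 0})
    sanctioned_requests = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec, genai_hosts, sanctioned)
        if verdict == "sanctioned":
            sanctioned_requests += 1
        elif verdict == "shadow":
            f = per_user[rec.get("user", "<unknown>")]
            f["services"].add(genai_hosts[rec["host"]])
            f["requests"] += 1
            f["bytes_out"] += rec["bytes_out"]
            if rec["bytes_out"] >= large_upload:
                f["large_uploads"] += 1
    return {"shadow_users": dict(per_user), "sanctioned_requests": sanctioned_requests}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print(f"sanctioned requests: {result['sanctioned_requests']}")
    for user, f in sorted(result["shadow_users"].items()):
        flag = " LARGE-UPLOAD" if f["large_uploads"] else ""
        print(f"{user}: {f['requests']} req, {f['bytes_out']} bytes to "
              f"{sorted(f['services'])}{flag}")
```

On the constructed data this reports one sanctioned request (the gateway account), alice using the OpenAI API directly, and bob using two unapproved services with one upload large enough to merit review. Two caveats a practitioner would raise: a proxy only sees traffic that actually traverses it (desktop apps, mobile devices and home networks do not), and without TLS inspection you get hostnames but not paths or sizes, so the byte-count heuristic degrades to a host-level hit list. The audit is a detection control, not a substitute for the access controls and governance the report finds missing.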

The report does find a silver lining in the defensive use of AI. Organizations making extensive use of AI and automation in security operations save an average of $1.9 million per breach and resolve incidents markedly faster: they identify breaches in 153 days on average, against 212 days for those relying on traditional methods.

As businesses face increasing pressure from cyber threats, the report emphasizes the need for collaborative efforts among key stakeholders, including chief information security officers (CISOs) and compliance officers. With attackers becoming more sophisticated and adaptive, organizations must not only embrace AI’s advantages but also prioritize robust governance practices to safeguard against the evolving cybersecurity landscape.

In conclusion, as organizations navigate the complexities of AI and Shadow AI, understanding and combating these risks will be crucial for maintaining operational integrity and protecting sensitive data in a rapidly evolving threat landscape.
