Shadow AI, Soaring Costs, and the Governance Gap: What the 2025 Data Breach Report Tells Us

I’ve just finished reading the latest IBM Cost of a Data Breach Report for 2025, and I’ll be honest—it’s one of the most eye-opening editions I’ve seen in years. Not just because the global average cost of a breach has finally dipped (down to $4.44M), but because of what’s driving that change—and what’s threatening to reverse it.

This year’s report marks a turning point. AI is no longer just a tool for defenders; it’s now a weapon for attackers. And while security teams are starting to harness AI and automation to contain breaches faster, the oversight gap is widening. Shadow AI, lack of governance, and unchecked deployments are quietly becoming the new insider threat.

Let’s unpack what stood out—and what it means for those of us building secure, scalable cloud architectures.

AI Is Saving Us—But Also Sabotaging Us

The headline stat is encouraging: breach containment is improving, and AI is a big part of that. Organizations that used AI and automation extensively across their security operations had breach costs $1.9M lower and breach lifecycles 80 days shorter than organizations that did not use them at all. That's huge.

But here's the flip side: 16% of breaches involved attackers using AI, mostly for AI-generated phishing and deepfake impersonation. Separately, among organizations that reported a breach of their own AI models or applications, 97% lacked proper AI access controls. That's not just a gap; it's a chasm.

We're seeing AI adoption outpace governance. Shadow AI, meaning AI tools that are unsanctioned, unmanaged, and often invisible to the security team, is now one of the top three cost amplifiers in the report. It added an average of $670K to breach costs, and breaches involving it disproportionately exposed customer PII and intellectual property.

Shadow AI: The New Insider Threat

This year, 20% of organizations reported a breach involving shadow AI. That’s up significantly, and it’s not just a technical issue—it’s a cultural one. Employees are deploying AI tools without approval, often with good intentions, but without the guardrails.

The result? Breaches involving shadow AI were more likely to involve data spread across multiple environments (public cloud, private cloud, on-prem). And because these tools typically sit outside the organization's identity and access controls, attackers reach that data with alarming ease.

What's worse, most organizations aren't even looking for it. Only 34% of those with AI governance policies perform regular audits for unsanctioned AI. In practice that audit is not a questionnaire; it means checking egress, proxy, and SaaS sign-in telemetry for AI services that nobody approved. That's a blind spot we can't afford.
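To make "regular audits for unsanctioned AI" concrete, here is an added example of the simplest useful check: aggregating web-proxy egress logs by user and destination, matching destinations against a list of generative-AI services, and reporting anything outside the sanctioned allowlist. This is illustrative code written for this post, not part of the IBM report or of any vendor tool. The domain list, the allowlist, and the log layout (timestamp, user, destination host, request bytes) are all assumptions constructed for the example; a real audit would use the organization's own proxy format and a maintained catalogue of AI services.

```python
"""Shadow AI audit over web-proxy egress logs (illustrative example)."""
import re
from collections import defaultdict

# Hostnames of generative-AI services to look for. Assumption: the security
# team maintains this list; the entries here are illustrative, not a catalogue.
AI_SERVICE_DOMAINS = {
    "api.openai.com": "OpenAI API",
    "chat.openai.com": "ChatGPT",
    "claude.ai": "Claude",
    "api.anthropic.com": "Anthropic API",
    "gemini.google.com": "Gemini",
    "huggingface.co": "Hugging Face",
}

# Hypothetical allowlist of approved AI endpoints (exact hostnames).
SANCTIONED = {"api.openai.com"}

# Constructed sample log: "<epoch> <user> <destination host> <request bytes>".
SAMPLE_LOG = """\
1720000000 alice api.openai.com 2048
1720000001 bob chat.openai.com 51200
1720000002 bob claude.ai 4096
1720000003 carol huggingface.co 98304
1720000004 dave example.com 512
garbage line that should be skipped
1720000005 bob chat.openai.com 10240
"""

LOG_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<user>\S+)\s+(?P<host>\S+)\s+(?P<bytes>\d+)$")


def parse_log(text):
    """Yield (user, host, request_bytes) tuples; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m["user"], m["host"].lower(), int(m["bytes"])


def classify_host(host):
    """Return the AI service name if host is a listed domain or a subdomain of one."""
    for domain, name in AI_SERVICE_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def audit_shadow_ai(log_text, sanctioned=SANCTIONED):
    """Aggregate unsanctioned AI traffic per user and destination host.

    Returns {user: {host: {"service": name, "requests": n, "bytes": total}}}.
    Non-AI hosts and sanctioned hosts are ignored.
    """
    findings = defaultdict(dict)
    for user, host, nbytes in parse_log(log_text):
        service = classify_host(host)
        if service is None or host in sanctioned:
            continue
        entry = findings[user].setdefault(
            host, {"service": service, "requests": 0, "bytes": 0})
        entry["requests"] += 1
        entry["bytes"] += nbytes
    return dict(findings)


def top_egress(findings):
    """Rank (user, host, service, bytes) by request bytes, largest first.

    Request bytes are a rough proxy for how much data a user is pushing into
    an unapproved service, which is the exposure the audit is trying to surface.
    """
    rows = [(user, host, e["service"], e["bytes"])
            for user, hosts in findings.items() for host, e in hosts.items()]
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    for user, host, service, nbytes in top_egress(audit_shadow_ai(SAMPLE_LOG)):
        print(f"{user:<8}{host:<22}{service:<16}{nbytes:>8} bytes")
```

Running it on the constructed log flags bob (ChatGPT and Claude) and carol (Hugging Face) while ignoring alice's sanctioned API use and dave's ordinary browsing. The suffix match on domains matters: a list of bare hostnames misses regional or CDN subdomains, which is exactly where unsanctioned use hides. The same aggregation can be fed from identity-provider sign-in logs or CASB discovery data instead of a proxy.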

Governance Is Lagging—And It’s Costing Us

The governance gap is real. 63% of breached organizations had no AI governance policy. Even among those that did, fewer than half had strict approval processes or governance technologies in place.

This isn’t just about compliance—it’s about resilience. Without governance, AI becomes a liability. The report shows that breaches involving shadow AI cost more ($4.63M) than those involving sanctioned AI or even AI-driven attacks.

We need to treat AI governance the same way we treat identity and data security. It’s not optional. It’s foundational.

Security AI Is Delivering ROI—But Adoption Is Uneven

Organizations that embraced AI and automation across the security lifecycle—prevention, detection, investigation, response—saw the biggest gains. Breach costs dropped to $3.62M, and containment times improved dramatically.

But adoption is still uneven. Only 32% of organizations use these tools extensively. That’s up just one percentage point from last year. The rest are missing out on significant cost savings and operational resilience.

This is where Microsoft Cloud has a clear advantage. With Copilot for Security, Defender XDR, Sentinel, and Entra, we’re not just offering tools—we’re offering integrated, intelligent security that scales.

Healthcare, Ransomware, and the US Exception

A few other data points worth noting:

Healthcare remains the most expensive industry for breaches at $7.42M, despite a drop from last year. It also has the longest breach lifecycle—279 days.

Ransomware fatigue is growing: 63% of victims refused to pay. But fewer involved law enforcement, forgoing the cost savings the report associates with doing so.

The US is bucking the global trend: breach costs surged to $10.22M, driven by regulatory fines and detection costs.

These trends reinforce the need for proactive, AI-driven security—not just reactive measures.

What We Can Do—Right Now

IBM’s recommendations align closely with what we’ve been advocating in the Microsoft ecosystem:

1. Fortify identities—human and machine

Passkeys, Entra ID, and strong IAM policies are critical. AI agents and the service identities behind them need the same rigor as human users: owned credentials, least-privilege scopes, lifecycle management, and logging of what they access.

2. Elevate AI data security practices

Data classification, encryption, and key management must extend to AI workloads.

3. Connect security and governance for AI

Break down silos. Use tools like Microsoft Purview and Defender for Cloud to unify visibility and control.

4. Use AI security tools and automation to move faster

Copilot for Security isn’t just a productivity tool—it’s a force multiplier for threat detection and response.

5. Improve resilience

Test your IR plans. Simulate attacks. Train your teams. Assume breach—and be ready.

Final Thoughts

This year’s report isn’t just a snapshot—it’s a warning. AI is changing the game, and we’re not keeping up. Shadow AI is rising, governance is lagging, and attackers are getting smarter.

But we have the tools. We have the frameworks. And we have the opportunity to lead.

Let’s make sure we’re not just adopting AI—we’re securing it, governing it, and using it to build a safer, smarter cloud.

Get the report and form your own conclusions

https://www.ibm.com/reports/data-breach
