SACRAMENTO -- As U.S. companies race to embed artificial intelligence (AI) into everyday work, they are discovering a hidden cost: bigger, more expensive data breaches.

The "Cost of a Data Breach 2025" report, published by IBM on Wednesday, revealed that 13 percent of the 600 organizations studied suffered breaches involving their own AI models or applications. Crucially, basic access controls were missing in 97 percent of those cases.

The report also found that attackers are turning the technology against its creators: one in six breaches involved criminals using AI tools, primarily to craft convincing phishing emails and deepfake impersonations.

So-called "shadow AI," systems employees deploy without authorization, proved even costlier. Twenty percent of respondents blamed their breach on unsanctioned AI, which added approximately 670,000 U.S. dollars to the average loss. When "shadow AI" was present, overall breach costs rose to 4.74 million dollars, compared with 4.07 million when it was absent.

Recent incidents illustrate how seemingly minor AI security oversights can spiral. In 2023, a single misconfigured Azure sharing link in a Microsoft AI research repository exposed 38 terabytes of internal files and over 30,000 Teams messages.

That same year, Samsung temporarily banned generative AI tools after engineers pasted confidential chip designs into ChatGPT, risking sensitive leaks.

Even AI providers themselves are vulnerable. A March 2023 bug in OpenAI's ChatGPT service briefly exposed some users' payment addresses and partial card details.

Despite such warnings, 87 percent of companies still lack governance policies or processes to mitigate AI risks, even though supply chain compromises already trigger nearly one-third of AI-related breaches.

To address these gaps, analysts emphasize that security starts with identity: organizations must enforce strict credential management for both staff and algorithms, rotate keys frequently, and encrypt all data used to train or prompt models.

Quarterly "AI health checks" that bring business and security leaders together can identify unauthorized projects, while automated threat-detection platforms help understaffed teams distinguish genuine threats from false alarms.

The report concludes: "Security AI and automation lower costs, while shadow AI raises them." Organizations with mature controls reduced breach costs by nearly 40 percent.

The report noted that the average U.S. breach now costs 10.22 million dollars and that regulators from Brussels to Washington are drafting new rules for data-hungry algorithms. That, it said, gives boards a clear financial motive to treat every model, notebook and chat interface as a critical asset, protected by multifactor authentication, time-limited sharing links and continuous audits, before the next wave of smart machines arrives.
