IBM warns of oversight gap in AI-related data breaches

IBM has warned of a significant “AI oversight gap” after research showed that nearly all organizations suffering AI-related data breaches lacked proper access controls. According to its Cost of a Data Breach Report, 97 percent of breached companies admitted they did not have sufficient protections in place to govern access to AI systems. Additionally, 63 percent said they had no AI governance policies to prevent employees from using unapproved tools, often referred to as “shadow AI.” The lack of oversight carries steep consequences. IBM said that breaches involving shadow AI added an extra $670,000 to the global average cost of an incident. Such breaches not only compromise sensitive data but also disrupt operations, halting sales order processing, customer service, and supply chain management. Despite these risks, the report contained some encouraging news. For the first time in five years, average global data breach costs declined, falling 9 percent from $4.88 million to $4.44 million. IBM attributed this drop to faster detection and containment enabled by AI-powered defenses. The average time to identify and contain a breach fell to 241 days, the lowest in nine years. Industry research supports the shift toward AI in cybersecurity. PYMNTS Intelligence found that 55 percent of chief operating officers reported adopting AI-driven security tools by August last year, compared to just 17 percent in May. These AI systems help detect anomalies, flag fraud, and provide real-time threat assessments, pushing companies toward more proactive security measures. At the same time, the rise of agentic AI introduces new governance challenges. These autonomous systems can make independent decisions, raising questions about accountability if they miss a breach or mistakenly disable critical systems. “This isn’t a technical upgrade; it’s a governance revolution,” said Kathryn McCall, chief legal and compliance officer at Trustly, in an interview with PYMNTS. IBM’s findings highlight both the risks and rewards of AI in cybersecurity. While weak oversight leaves organizations exposed to costly breaches, well-governed AI defenses can significantly lower risks and improve resilience.