Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI governance gaps and breach costs: what IAM teams should notice


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: IBM’s 2025 Cost of Data Breach Report says global breach costs fell to $4.4 million and AI-driven defence shortened recovery by 80 days, but 63% of respondents still lacked an AI governance policy and 13% of breaches involved AI tools. The lesson is that AI security debt now influences breach cost, scope, and recovery as much as traditional controls do.

NHIMG editorial — based on content published by Swarmnetics: New IBM Cost of Data Breach Report, Costs Down Globally, But Control of AI is Key

By the numbers:

Questions worth separating out

Q: How should organisations govern AI tools that use enterprise data and APIs?

A: Treat every AI tool as a privileged integration, not a standalone productivity app.

Q: Why do shadow AI tools increase breach risk so quickly?

A: Shadow AI bypasses normal procurement, security review, and entitlement management, so it often arrives with broad data access and weak ownership.

Q: What breaks when AI governance policy is missing?

A: When policy is missing, organisations cannot prove who approved a deployment, what data it can access, or which controls apply to its connectors.

Practitioner guidance

  • Define an AI deployment approval gate Require every AI tool, app, API, or plugin to pass a documented approval step that records owner, business purpose, data scope, and assigned credential path before it reaches production.
  • Map AI connectors to identity privileges Build an inventory of connectors, service accounts, API keys, and delegated tokens used by AI systems, then classify each one by data reach and privilege scope.
  • Bring shadow AI into access governance Detect unsanctioned AI platforms through procurement, CASB, or endpoint signals, then force them into the same lifecycle controls used for other high-risk enterprise software.

What's in the full report

Swarmnetics' full analysis covers the operational detail this post intentionally leaves for the source:

  • How IBM’s survey framed AI governance policy maturity across breached organisations and why that matters for control design.
  • The breakdown of AI-related breach types, including app, API, and plugin-driven incidents that moved beyond the AI tool itself.
  • The reported differences between organisations with AI-driven defence automation and those without it, including recovery and cost impact.
  • The report’s treatment of shadow IT AI use and why unapproved deployment paths complicate incident containment.

👉 Read Swarmnetics’ analysis of IBM’s 2025 Cost of Data Breach Report →

AI governance gaps and breach costs: what IAM teams should notice?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

AI governance debt is now a breach-cost issue, not just a policy issue: when 63% of breached organisations still lack an AI governance policy, the market is already signalling that control design is lagging deployment speed. The consequence is that security teams inherit AI systems that are connected, data-rich, and weakly supervised from day one. Practitioners should treat governance maturity as a measurable risk reduction control, not an administrative checkbox.

A question worth separating out:

Q: Who is accountable when an AI tool causes data exposure or disruption?

A: Accountability should rest with the business owner of the AI use case, the technical owner of the integration, and the security function that approves access boundaries. For regulated environments, those responsibilities should be mapped to risk, audit, and incident response processes so AI systems are treated as governed assets, not informal utilities.

👉 Read our full editorial: AI governance gaps are reshaping breach costs in IBM’s 2025 report



   
ReplyQuote
Share: