
Reduction in Global Data Breach Expenses Registered for First Time in Five Years due to AI and Automation

Organizations are rapidly integrating AI technology while ignoring essential security and governance measures, an issue the report highlights.


In the rapidly evolving digital landscape, the 2025 Cost of a Data Breach Report sheds light on the trends and challenges shaping AI security governance.

The report reveals that the global average cost of a data breach has declined by 9%, to USD 4.44 million. However, this figure does not reflect the experience of all countries, particularly the United States, where the average cost has risen by 9% to a new record of USD 10.22 million.

One of the primary reasons for the decline in the global average cost is the quicker containment of breaches, linked to the increased use of AI and automation in security. Yet, this progress is tempered by new concerns such as the AI Oversight Gap, where organisations are adopting AI without implementing proper security and governance policies.

Phishing remains the most frequent attack vector, accounting for 16% of all breaches and costing an average of USD 4.8 million. Shockingly, 97% of organisations that suffered an AI-related security breach lacked adequate AI access controls.

As AI systems become more autonomous, establishing clear policies, oversight frameworks, and human-AI collaboration protocols becomes crucial. This is particularly relevant in the context of emerging AI systems capable of autonomous decision-making, often referred to as agentic AI.

The report also highlights the risks posed by shadow AI (AI used by employees outside formal controls), which leads to data leakage, privacy breaches, and a wider cyberattack surface through unvetted AI app use.

To mitigate these risks, security teams are shifting to proactive threat detection and response, emphasising integrated AI platforms rather than fragmented tools, and prioritising keeping sensitive data in-house to preserve privacy.

Despite surging AI investments, only 2% of enterprises are fully ready; the rest are held back by inadequate data governance, missing AI-specific firewalls, and a lack of security infrastructure that can scale with autonomous AI systems.

The report also finds that fewer organisations are involving law enforcement, with a drop from 53% to 40% over the same period. However, it does not discuss any potential solutions to address the AI Oversight Gap or the rising cost of data breaches in the United States.

Malicious insider attacks were the most expensive initial threat vector for the second year in a row, with an average cost of USD 4.92 million. Customer PII was the most commonly compromised data.

The report does not provide information about the data breach costs in other countries besides the United States. The rise in the average cost of a data breach in the United States is driven by higher regulatory fines and the rising costs of detection.

For the 14th consecutive year, the healthcare industry faced the highest average breach costs at USD 7.42 million. A majority of breached organisations (63%) either do not have an AI governance policy in place or are still in the process of developing one.

The report does not mention any specific organisations that have experienced a data breach. However, the findings underscore the urgent need for organisations to prioritise AI security governance to reduce the escalating cost and risk of data breaches in an AI-driven environment.


  1. As AI systems become more autonomous in the healthcare sector, implementing clear policies, oversight frameworks, and human-AI collaboration protocols will be vital to address the escalating cost and risk of data breaches.
  2. The lack of proper security and governance policies when adopting AI, referred to as the AI Oversight Gap, poses significant threats to various industries, particularly in the context of emerging agentic AI.
  3. The 2025 Cost of a Data Breach Report highlights the surge in malicious insider attacks, with an average cost of USD 4.92 million, making it the most expensive initial threat vector for the second year in a row, and underscores the urgency for cybersecurity efforts across multiple sectors, including healthcare.
