What data leaders need to know from the Cost of a Data Breach Report 2025


Introduction: the CDO’s new balancing act

Data leaders are navigating a new dual reality: they’re under pressure to deliver data for AI initiatives, yet they need to ensure that data remains secure and out of the hands of hackers. Unfortunately, the gap between AI governance and oversight is potentially leaving that data exposed.

IBM’s annual Cost of a Data Breach Report, which analyzed 600 breached organizations in 17 industries around the world, makes it clear this gap can be costly in terms of stolen data, operational disruption and hefty fines paid to regulators. Data breaches can also expose companies to reputational damage, erosion of trust among customers and customer churn.

For chief data officers and other data leaders, or anyone else responsible for data strategy, governance and value creation, this research is a wake-up call. With operational disruption affecting 31% of the studied breached organizations, and 60% experiencing direct data compromise due to AI supply chain and model attacks, the findings are more than headlines. They’re a blueprint for action for CDOs.

The importance of these findings stretches beyond a security issue: they present a strategic leadership challenge. The CDO sits at the intersection of data innovation and data governance, responsible for ensuring the transformative power of AI and making sure that transformation doesn’t come at the expense of trust, compliance or resilience.

“In the age of AI, the CDO isn’t just a steward of data: they’re the architect of trust.”

Tony Giordano, Senior Partner and Vice President, Data Transformation Services, IBM Consulting

Below are five things CDOs need to know about data security in the age of AI, and three things they need to do to make sure their data remains secure.

5 key takeaways for CDOs

1. AI adoption is outpacing AI governance

The Cost of a Data Breach Report found that 63% of breached organizations studied lacked AI governance policies, and only 37% had approval processes or oversight mechanisms in place. While these are direct challenges for the team leading AI governance (typically the legal and compliance team) and their security leader counterparts, CDOs must be aware of the issue and ask about it before their data is used to train models or build applications.

This means they need to help shape those governance and oversight policies, balancing innovation with compliance and risk management, creating a unified strategy where AI governance, data governance and security complement each other.

2. Shadow AI is a growing and costly risk

One in five studied organizations (20%) experienced breaches linked to shadow AI: unsanctioned AI tools adopted by employees without IT or security oversight. These incidents added as much as USD 670K to the average breach cost and disproportionately exposed customer personally identifiable information (PII) and intellectual property.

To be clear, shadow AI isn’t just a technical problem; it’s also a cultural one. Employees are under pressure to adopt AI tools that make their jobs easier, boost productivity and gain valuable insights into customers, supply chains and rapidly changing market conditions. But without guidance, employees can inadvertently bypass security protocols by uploading customer PII or company intellectual property.

3. Poor access and data controls

Among the organizations that reported AI-related breaches, a staggering 97% said they lacked proper access controls. While CDOs don’t manage those controls, they need to be aware of this potential lapse and ask their security and AI leader counterparts whether these controls are in place and, if not, why not. Since data fuels AI, weak access controls increase the risk of sensitive data compromise.

4. Data is the prime target for attackers

Among the breached organizations studied, more than half (53%) reported compromised customer PII. In the breaches involving shadow AI, that figure jumped to nearly two-thirds (65%). While intellectual property was exposed less frequently, it carried the highest cost per record (USD 178 per record) in shadow AI-related breaches.

5. Data storage location matters

While the reality is that data can be vulnerable wherever it’s stored, the Cost of a Data Breach Report found most breaches involved data distributed across multiple environments, such as public clouds, private clouds and on-premises systems. These hybrid cloud setups might be convenient, but they can also introduce complexity and invite risk, which translates to cost. Data breaches involving multiple environments cost an average of USD 5.05 million, while breaches of data stored on premises cost an average of USD 4.01 million.

3 strategic recommendations for CDOs

1. Elevate AI data security practices

Treat AI datasets as high‑value assets, on par with financial or healthcare records.

Securing AI data is essential not just for privacy and compliance, but also to protect data integrity, maintain organizational trust and avoid data compromise. This means CDOs should take active steps towards classifying and protecting sensitive data across cloud, on‑premises, and hybrid environments. Additionally, they should ensure all PII is encrypted, both at rest and in transit.

This approach means going beyond surface-level controls and implementing strong data security fundamentals: data discovery and classification, as well as data protections, such as access control, encryption and key management.

It can also include the use of data and AI security services. These measures aren’t unique to securing AI, but the rise of AI as both a threat vector and security helper means they’re more important than ever before.
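The data discovery and classification step described above, as an added example rather than code from IBM or the report: it scans constructed sample records for PII-shaped values (email addresses, Luhn-valid card numbers, US SSN-shaped strings), labels each column, and reports the columns that hold PII but are not marked as encrypted at rest in a constructed storage inventory. The column names, patterns and inventory are assumptions.

```python
"""Data discovery and classification check for records bound for AI use.

Added example, not code from IBM or the report: scans constructed sample
records for PII-looking values, labels each column, and reports columns
that hold PII but are not marked encrypted at rest in a constructed
storage inventory. Column names, patterns and the inventory are assumptions.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Set

# Constructed sample rows standing in for a training-data extract.
SAMPLE_ROWS = [
    {"customer_id": "C-1001", "email": "ana@example.com",
     "card": "4111 1111 1111 1111", "region": "EU", "notes": "prefers email"},
    {"customer_id": "C-1002", "email": "bo@example.org",
     "card": "5500000000000004", "region": "US", "notes": "called support"},
    {"customer_id": "C-1003", "email": "not-an-email",
     "card": "1234567812345678", "region": "APAC", "notes": "ssn 123-45-6789"},
]

# Constructed storage inventory: columns the platform already encrypts at rest.
ENCRYPTED_AT_REST: Set[str] = {"card"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.IGNORECASE)
US_SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # US SSN-shaped pattern


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates card-number-shaped values from arbitrary digit runs."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value: str) -> Optional[str]:
    """Return a PII label for one cell value, or None if nothing matched."""
    if EMAIL_RE.match(value):
        return "email"
    if luhn_valid(value.replace(" ", "")):
        return "payment_card"
    if US_SSN_RE.search(value):
        return "national_id"
    return None


def classify_columns(rows: List[Dict[str, str]]) -> Dict[str, Counter]:
    """Count PII labels per column; columns with no hits are omitted."""
    hits: Dict[str, Counter] = {}
    for row in rows:
        for column, value in row.items():
            label = classify_value(str(value))
            if label:
                hits.setdefault(column, Counter())[label] += 1
    return hits


def find_protection_gaps(rows: List[Dict[str, str]], encrypted_columns: Set[str]) -> List[str]:
    """Columns that hold PII but are not encrypted at rest, sorted by name."""
    return sorted(c for c in classify_columns(rows) if c not in encrypted_columns)


if __name__ == "__main__":
    for column, labels in classify_columns(SAMPLE_ROWS).items():
        print(f"{column}: {dict(labels)}")
    print("needs encryption at rest:", find_protection_gaps(SAMPLE_ROWS, ENCRYPTED_AT_REST))
```

Note that free-text columns such as `notes` are flagged by a single hit: a column that occasionally carries PII still needs the same protection as one that always does, which is why the check counts hits per column rather than requiring a majority.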

2. Connect AI security with AI governance

Security for AI and governance for AI are complementary disciplines. When organizations keep them in silos, they increase risk, complexity and cost.

Organizations must ensure the CDO, CISO and compliance teams collaborate regularly. Investing in integrated security and governance software and processes to bring these cross-functional stakeholders together can help organizations automatically discover and govern shadow AI.

CDOs play a pivotal role in establishing secure data pipelines for AI as well as clear AI usage guidelines. It’s also imperative that they manage the full lifecycle of AI models with governance embedded at every stage.

3. Fortify identities for both humans and AI agents

Recognize that AI models and agents function as identities with access privileges.

It’s important for CDOs to treat AI agents and humans equally from a data governance perspective. Both require operational controls to access systems, but AI agents should be granted access only to the specific task or workflow they’re designed for.

By taking a unified, collaborative approach to security and governance, CDOs play a crucial role in fortifying identity security. Just like human users, AI agents increasingly rely on credentials to access systems and perform tasks. So, it’s essential to implement strong operational controls, or services that can help you do so, and maintain visibility into all non-human identity (NHI) activity. Organizations must be able to distinguish between NHIs using managed (vaulted) credentials and those using unmanaged credentials.
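The two checks described above, as an added example that is not IBM's code: a constructed inventory of human and agent identities is audited for agents using unmanaged (non-vaulted) credentials, for credentials that are stale or of unknown rotation date, and for agents holding permissions beyond what their designated workflow needs. The workflow catalogue, scope names, identities and the 90-day rotation threshold are assumptions.

```python
"""Identity audit for humans and AI agents (non-human identities, NHIs).

Added example, not IBM's code: checks a constructed identity inventory
against the practices described above: agents use managed (vaulted)
credentials, and each agent holds only the permissions its designated
workflow needs. The workflow catalogue, scope names, identities and the
rotation threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical workflow catalogue: the minimum permissions each agent task needs.
WORKFLOW_SCOPES: Dict[str, Set[str]] = {
    "support-summarizer": {"tickets:read"},
    "invoice-matcher": {"invoices:read", "ledger:read"},
    "pipeline-runner": {"datasets:read", "datasets:write"},
}
MAX_CREDENTIAL_AGE_DAYS = 90          # assumed rotation policy
AUDIT_DATE = date(2025, 8, 1)         # fixed "today" so results are reproducible


@dataclass
class Identity:
    name: str
    kind: str                       # "human" or "agent"
    credential_source: str          # "vault" (managed) or "static" (unmanaged)
    scopes: Set[str]
    workflow: Optional[str] = None  # agents only: the task they were built for
    last_rotated: Optional[date] = None


# Constructed inventory mixing well-scoped and over-privileged identities.
INVENTORY: List[Identity] = [
    Identity("alice", "human", "vault", {"tickets:read", "tickets:write"},
             None, date(2025, 6, 1)),
    Identity("support-bot", "agent", "vault", {"tickets:read"},
             "support-summarizer", date(2025, 7, 15)),
    Identity("invoice-bot", "agent", "static",
             {"invoices:read", "ledger:read", "ledger:write"},
             "invoice-matcher", date(2025, 1, 10)),
    Identity("scratch-agent", "agent", "static", {"datasets:read"}, "demo", None),
]


def audit_identity(ident: Identity, today: date = AUDIT_DATE) -> List[str]:
    """Return finding codes for one identity; an empty list means it passed."""
    findings: List[str] = []
    if ident.credential_source != "vault":
        findings.append("unmanaged-credential")
    if ident.last_rotated is None:
        findings.append("rotation-unknown")
    elif (today - ident.last_rotated).days > MAX_CREDENTIAL_AGE_DAYS:
        findings.append("stale-credential")
    if ident.kind == "agent":
        required = WORKFLOW_SCOPES.get(ident.workflow or "")
        if required is None:
            findings.append("unknown-workflow")
        else:
            # Least privilege: anything outside the workflow's minimum set is excess.
            for scope in sorted(ident.scopes - required):
                findings.append(f"excess-scope:{scope}")
    return findings


def audit_inventory(inventory: List[Identity], today: date = AUDIT_DATE) -> Dict[str, List[str]]:
    """Findings keyed by identity name."""
    return {ident.name: audit_identity(ident, today) for ident in inventory}


def managed_split(inventory: List[Identity]) -> Tuple[int, int]:
    """(managed, unmanaged) counts for agent identities only."""
    agents = [i for i in inventory if i.kind == "agent"]
    managed = sum(1 for a in agents if a.credential_source == "vault")
    return managed, len(agents) - managed


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{name}: {findings or 'ok'}")
    print("agents with managed/unmanaged credentials:", managed_split(INVENTORY))
```

The audit treats an agent with no catalogued workflow as a finding in its own right: if nobody can state what task an agent exists for, there is no basis on which to decide what access it should hold.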


Conclusion: responsible AI is the new mandate

The CDO role has never been more critical. AI is rewriting the rules of data leadership, and those who embrace responsible innovation will define the next era of trusted, resilient enterprises.

As CDO, you can embed governance into every stage of the AI lifecycle, secure the data that powers AI, and lead cross‑functional collaboration to protect the organization’s most valuable assets.

The Cost of a Data Breach Report makes it clear that the real risk isn’t AI itself; it’s AI without governance.

Shadow AI, poor access controls, and fragmented responsibilities are eroding trust and driving costs higher.

If they take the right steps, CDOs can not only reduce breach risk and cost, but also strengthen their organization’s ability to innovate with confidence.

Take the next step

Explore the full Cost of a Data Breach Report 2025 and learn how IBM helps organizations prepare and secure AI-ready data.
