A detailed new report from IBM, the Cost of a Data Breach Report 2025: The AI Oversight Gap, shows that businesses are losing millions on average when data breaches occur. Meanwhile, the use of shadow artificial intelligence (AI), that is, AI usage that is not sanctioned or governed by employers, drives up the cost of the average data breach by $308,000. (Figures in Canadian dollars.)
“Canadian businesses are losing $6.98-million on average to data breaches,” IBM states in an announcement about the publication’s release. The number is a 10.4 per cent increase over 2024 figures.
For those invested in AI and automation, outcomes are better: “Adopting security AI and automation extensively reduced breach costs to $5.19-million, compared to $8.53-million for those organizations not using these technologies,” they add.
Security automation also accelerated response times and reduced the impact of the breaches being studied. Organizations using these tools say their mean time to identify was reduced to 118 days, compared to the 162 days reported by organizations not using these technologies.
Shadow AI
The report in particular notes the use of shadow AI by employees as a factor which amplifies risks and escalates costs. “Often introduced by employees using unapproved AI systems, shadow AI creates vulnerabilities and compliance issues for business,” they write.
“Organizations using AI and automation (meanwhile), are saving millions and detecting breaches much faster, but gaps in AI security and governance, like the use of shadow AI, are leaving businesses exposed to unnecessary risks.”
Recommendations
The report goes on to recommend that companies invest in AI tools; build clear AI policies (govern and secure AI systems, they note); connect security and governance systems to automatically discover and govern the use of shadow AI; and expand employee training.
Among the facts uncovered by the research: one in three Canadian businesses reported not having access controls on AI systems. Phishing scams were the most common means of initial attack. They say phishing scams cost Canadian organizations an average of $7.91-million per breach, a 24 per cent increase from the $6.38-million reported in 2024.
They also add that the financial sector leads breach costs, with the average cost coming in at $9.97-million, a 7.4 per cent increase when compared to the $9.28-million reported in 2024.
“What we’ve found is concerning,” the report states. “Organizations are skipping over security and governance for AI in favour of do-it-now AI adoption. These ungoverned systems are more likely to be breached and more costly when they are.”