TL;DR
The IBM Cost of a Data Breach Report 2025 puts the average US breach at USD 4.88 million, with breaches involving shadow data running 16 percent higher than average. Layer EU AI Act fines (up to 7 percent of global annual turnover for prohibited-use violations), GDPR fines (up to 4 percent), HIPAA Tier 4 penalties (USD 2.1 million per identical violation per year), and AI-extended dwell time, and a single shadow-AI breach in a mid-market regulated organisation realistically clears USD 12 to 18 million. Sources: IBM, Ponemon, EU AI Act, HHS. Updated 2026-05-20.
Why shadow-AI breaches are not normal breaches
A shadow-AI breach has the same starting conditions as any data breach (unauthorised access to sensitive data) but three cost amplifiers that traditional breach models do not capture. First, dwell time is longer: exfiltration through an AI assistant looks like normal employee usage, so the detection signals defenders rely on (large outbound transfers, off-hours access patterns, unusual geographies) do not fire. Second, regulatory exposure is broader: the same incident often violates the data-protection regime (GDPR, HIPAA), the sector-specific regime (FINRA, state insurance), and the AI-specific regime (EU AI Act, Colorado AI Act) simultaneously, each with its own penalty schedule. Third, reputation harm compounds: an AI-coded incident hits the news cycle harder and longer than a comparable traditional breach because the AI angle is itself newsworthy.
For CISOs trying to justify the investment in shadow AI detection and an enterprise AI control plane, the question is not whether the IBM baseline applies (it does) but whether the baseline alone captures the actual exposure. It does not. The model below builds the full picture for a mid-market regulated organisation, with explicit assumptions stated so the reader can adjust to their own context.
At Areebi, we run this model with prospects who are weighing the build-versus-buy decision on AI governance tooling, and the recurring pattern is that the buy-side payback period is less than nine months once the full breach cost is laid out honestly.
Model assumptions: a mid-market regulated organisation
The worked example below is for a hypothetical US-headquartered mid-market organisation with EU customer exposure and a regulated data set. Stating the assumptions explicitly lets the reader adjust the model to their own context rather than treating the number as universal.
- Sector: healthcare payer or financial services, both of which carry the highest IBM Cost of a Data Breach Report 2025 sector multipliers.
- Revenue: USD 500 million annual. EU customers represent 10 percent of revenue (USD 50 million), bringing the organisation into scope for the EU AI Act if deploying AI to EU users and GDPR for processing EU personal data.
- Records exposed: 100,000 sensitive records (PHI for healthcare or PII plus financial for financial services). This is mid-range for a regulated breach.
- Shadow-AI vector: an unauthorised internal use of a public chatbot or coding assistant, with sensitive data pasted into prompts and retained by the vendor under default terms. Detected after the median shadow-AI dwell time observed in industry incident reports, which is materially longer than the IBM 194-day cross-vector average.
- Jurisdictional exposure: US federal (HIPAA, FTC Section 5), state (California CCPA, New York SHIELD Act, Colorado AI Act for healthcare-payer use), and EU (GDPR plus EU AI Act for any system serving EU users).
These assumptions are deliberately conservative. A larger organisation, a higher record count, or a broader jurisdictional footprint will produce a materially higher number.
The seven cost layers
The seven cost layers below are additive rather than alternative. A single shadow-AI breach will typically incur the first five with high probability, the sixth with moderate probability depending on the data type, and the seventh with high probability for any breach that reaches the news cycle.
| Layer | Description | Source baseline | Modelled cost (USD) |
|---|---|---|---|
| 1. Direct response cost | Forensics, legal, breach notification, credit monitoring | IBM Cost of a Data Breach 2025 detection-and-escalation plus notification components | 1,800,000 |
| 2. Lost business and customer churn | Cancellations, lost prospects, downtime | IBM Cost of a Data Breach 2025 lost-business component | 1,470,000 |
| 3. Post-breach response cost | Help desk, account remediation, regulatory communications | IBM Cost of a Data Breach 2025 post-breach response component | 1,610,000 |
| 4. GDPR fine exposure | Up to 4 percent of global annual turnover for processing-related violations | GDPR Article 83 | 2,000,000 (modelled at 0.4 percent of revenue, well below cap) |
| 5. HIPAA Tier 4 penalties | Wilful neglect not corrected: USD 2.134 million per identical violation per year (2025 schedule) | HHS HIPAA penalty schedule | 2,134,000 |
| 6. EU AI Act exposure | Up to 7 percent of global annual turnover for prohibited-use violations; up to 3 percent for other obligations | EU AI Act Article 99 | 1,500,000 (modelled at 0.3 percent of revenue under the lighter category) |
| 7. Reputation and stock harm | Long-tail revenue impact and equity erosion beyond the IBM lost-business component | Ponemon long-term-impact studies; Forrester estimates | 2,500,000 |
| Total | | | 13,014,000 |
The total of USD 13 million sits inside the 12-to-18 million range cited in the TL;DR, with the range driven by whether the EU AI Act penalty lands at the lighter 3 percent cap or the heavier 7 percent cap, and whether the IBM AI-vector multiplier (the IBM 2025 report flags shadow data as a 16 percent uplift) is applied to all components or just to the response cost.
Three components in this table deserve a closer look because they are the ones most commonly understated in internal cost models. The direct response cost (layer 1) is conservative at USD 1.8 million because mid-market regulated organisations rarely have the in-house forensic capacity to triage a shadow-AI incident and end up retaining a specialist external firm at a premium daily rate. The post-breach response cost (layer 3) is conservative because regulated organisations face overlapping notification regimes (HHS Office for Civil Rights, state attorneys general, EU data protection authorities, sector regulators) that each have their own format, timeline, and follow-up process. The reputation and stock harm component (layer 7) is conservative because Ponemon long-term impact research finds a two-to-three-year tail on customer churn after an AI-coded incident, well beyond the IBM lost-business window.
Two additional cost categories sit outside the table but are real. First, civil litigation: the Illinois Biometric Information Privacy Act (BIPA) and a growing list of state biometric and data-privacy laws produce class-action exposure that lands twelve to twenty-four months after the breach and routinely exceeds the regulatory penalty in headline value. Second, contract penalties: enterprise customers and channel partners increasingly carry AI-specific indemnification clauses that trigger on a confirmed breach of an AI system, and these are settled outside any regulator's view. A defensible internal cost model carries a separate provision line for both categories with the size set by the organisation's specific contractual and jurisdictional exposure.
Why dwell time is the cost multiplier
The single most controllable variable in the cost model is dwell time, and shadow-AI breaches consistently produce dwell times above the cross-vector average. IBM Cost of a Data Breach Report 2025 puts the cross-vector average at 194 days from breach to detection. Industry reporting on shadow-AI incidents suggests the actual dwell time runs materially longer because the exfiltration channel mimics normal employee usage and does not trigger the DLP and exfiltration alerts defenders have tuned over the last decade.
The cost-of-dwell relationship is approximately linear above 100 days, with each additional 30 days of dwell adding 5 to 8 percent to total breach cost. A shadow-AI breach that takes an extra 90 days to detect therefore adds 15 to 24 percent on top of the modelled total, or roughly USD 2 to 3 million in this worked example. That dwell-time premium is the most direct return on AI-specific detection (a control plane that logs and inspects AI interactions in line) versus generic DLP.
For deeper coverage of the controls that compress dwell time on shadow-AI specifically, the cost of ungoverned AI article walks through the operational playbook, and the building an enterprise AI control plane piece covers the architectural pattern.
The buy-side math: payback in under nine months
The buy-side argument for an AI control plane and governance programme is the ratio of programme spend to expected breach cost, adjusted for breach probability. A defensible expected-value model for a mid-market regulated organisation goes as follows. The IBM 2025 report puts the probability of a material breach in a 24-month window at 28 percent for organisations of this profile. Apply a shadow-AI uplift of 1.3x because shadow-AI use is widespread and inadequately controlled in most organisations of this size, and the 24-month probability of a shadow-AI-implicated breach is approximately 36 percent.
Expected cost in the no-control case: 36 percent times USD 13 million equals USD 4.7 million over 24 months. An AI control plane and governance programme that brings this probability down to 12 percent (achievable based on the IBM 2025 finding that organisations with deployed AI governance see a 27 percent average breach-cost reduction, applied to both probability and dwell-time components) produces an expected cost of USD 1.6 million over the same window. Net expected saving: USD 3.1 million over 24 months, against an annual programme spend that for a mid-market organisation is typically in the USD 400,000 to 800,000 range. The payback period sits comfortably under nine months.
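The seven-layer table, the dwell-time premium and the expected-value payback argument above, expressed as an added Python script (not the article's own tooling) so each assumption can be varied. It assumes the heavier 7 percent EU AI Act ceiling scales layer 6 proportionally (x7/3) and that "the response cost" in the sensitivity discussion means layers 1 and 3.

```python
"""Shadow-AI breach cost model from the article, with sensitivity toggles (USD)."""

# Seven cost layers for the hypothetical USD 500M mid-market regulated organisation (from the table).
COST_LAYERS = {
    "direct_response": 1_800_000,
    "lost_business": 1_470_000,
    "post_breach_response": 1_610_000,
    "gdpr_fine": 2_000_000,
    "hipaa_tier4": 2_134_000,
    "eu_ai_act": 1_500_000,      # modelled under the lighter 3 percent ceiling
    "reputation": 2_500_000,
}
SHADOW_DATA_UPLIFT = 0.16        # IBM 2025: shadow-data breaches run ~16 percent above average
# Assumption: "the response cost" in the sensitivity discussion means layers 1 and 3.
RESPONSE_LAYERS = ("direct_response", "post_breach_response")

def modelled_total(layers=COST_LAYERS, heavy_ai_act=False, uplift_scope="none"):
    """Sum the layers. heavy_ai_act rescales layer 6 from the 3 to the 7 percent ceiling (assumed
    proportional, x7/3); uplift_scope applies the 16 percent uplift to "all", "response" or "none"."""
    total = 0.0
    for name, cost in layers.items():
        if name == "eu_ai_act" and heavy_ai_act:
            cost *= 7 / 3
        if uplift_scope == "all" or (uplift_scope == "response" and name in RESPONSE_LAYERS):
            cost *= 1 + SHADOW_DATA_UPLIFT
        total += cost
    return round(total)

def dwell_premium(total, extra_days, pct_per_30_days):
    """Extra cost from dwell beyond the baseline: linear, pct_per_30_days per additional 30 days."""
    return total * (extra_days / 30) * pct_per_30_days

def breach_probability(base_24m=0.28, shadow_ai_uplift=1.3):
    """24-month probability of a shadow-AI-implicated breach (IBM base probability x uplift)."""
    return min(base_24m * shadow_ai_uplift, 1.0)

def payback_months(annual_spend, saving_24m):
    """Months until cumulative expected saving covers one year of programme spend."""
    return annual_spend / (saving_24m / 24)

def worked_example(annual_spend=800_000, p_with_control=0.12):
    """Reproduce the article's no-control versus control expected-value comparison."""
    total = modelled_total()
    p_no_control = breach_probability()
    saving = (p_no_control - p_with_control) * total
    return {
        "total": total,
        "expected_no_control": round(p_no_control * total),
        "expected_with_control": round(p_with_control * total),
        "saving_24m": round(saving),
        "payback_months": round(payback_months(annual_spend, saving), 1),
    }
```

Running `worked_example()` with the article's inputs reproduces the USD 13.0 million total, roughly USD 4.7 million versus 1.6 million expected cost, and a payback of about six months at the top of the spend range.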
The AI governance ROI business case walks through the CFO-facing version of this math with sensitivity analysis on the key inputs.
Common pitfalls when modelling shadow-AI cost
Three pitfalls show up repeatedly when teams build their own shadow-AI cost models, and each one materially understates the exposure.
Pitfall 1: Anchoring on the IBM headline number. The IBM 2025 USD 4.88 million figure is the US average across all breach types and sectors. Mid-market regulated organisations with EU exposure routinely clear USD 8 to 10 million on the data-protection layers alone, before any AI-specific penalties are added. Anchoring on the headline number undersells the buy-side argument by a factor of two or more.
Pitfall 2: Ignoring the EU AI Act ceiling. Several US organisations have built breach cost models that exclude the EU AI Act on the grounds that the organisation is not "an AI company". The EU AI Act applies to any organisation placing an AI system on the EU market or whose AI system affects EU users, regardless of the organisation's primary line of business. A shadow-AI incident that produces outputs reaching EU users brings the EU AI Act penalty schedule into the model, and the lighter 3 percent cap alone is meaningful at the mid-market revenue scale.
Pitfall 3: Pricing reputation harm at zero. Direct response costs are easier to model and easier to defend in front of a finance team, so reputation harm often ends up as a vague footnote rather than a line item. NIST AI RMF (NIST AI 100-1) explicitly contemplates reputation as a category of harm that must be characterised under MAP 4 and MAP 5, and the Ponemon long-term impact research consistently finds that the equity erosion after an AI-coded incident outlasts the direct response cost by two to three years. Modelling reputation at zero is a methodological choice, not a conservative one.
What to read next
To extend the cost model into operational controls, work through this cluster.
- What is shadow AI - the foundational definition and a fuller picture of the attack surface this cost model is built on.
- Cost of ungoverned AI - the broader cost taxonomy beyond a single breach event.
- Building an enterprise AI control plane - the architectural pattern that compresses dwell time and reduces breach probability.
- AI governance ROI business case - the CFO-facing argument that uses this cost model as input.
- EU AI Act compliance - the canonical reference for the penalty schedule used in this model.
- HIPAA compliance - the canonical reference for the HHS penalty tiers used in this model.
Frequently Asked Questions
What is the IBM Cost of a Data Breach 2025 baseline figure?
The IBM Cost of a Data Breach Report 2025 puts the global average cost of a data breach at USD 4.88 million and the US average higher than the global. The report also flags that breaches involving shadow data (data the organisation did not know it had) run approximately 16 percent above the average, and that organisations with deployed AI governance see a 27 percent average breach-cost reduction. These figures are the starting baseline for any shadow-AI cost model and should be combined with sector and regulatory multipliers, not used in isolation.
Are EU AI Act fines actually being levied?
The EU AI Act entered into force on August 1, 2024, with prohibited-use provisions applying from February 2, 2025, and the broader high-risk obligations phased in through August 2, 2026. The penalty ceilings (up to 7 percent of global annual turnover for prohibited-use violations, up to 3 percent for other obligation breaches) are in the text of the Act under Article 99. Member state market surveillance authorities have begun to issue notices in 2025, with the first material enforcement actions expected in 2026 as the high-risk obligations bind.
How does HIPAA Tier 4 work for an AI breach?
HHS HIPAA penalty tiers run from Tier 1 (no knowledge) to Tier 4 (wilful neglect not corrected). Tier 4 carries the statutory maximum of USD 2.134 million per identical violation per year under the 2025 schedule. An organisation that deploys an AI system without HIPAA controls, suffers a breach, and is found to have known about the gap will typically be assessed at Tier 3 or Tier 4 depending on remediation behaviour. The cost model uses Tier 4 because the shadow-AI fact pattern (data pasted into a public model without a BAA) characterises wilful neglect under the standard enforcement test.
Why is dwell time longer for shadow AI than for normal breaches?
Exfiltration via an AI assistant looks like normal employee usage in the network and endpoint telemetry. There is no large outbound transfer, no off-hours access pattern, and no unusual geography to trigger DLP and SIEM rules. Detection therefore relies on AI-specific telemetry: a control plane that logs and inspects AI interactions in line, with policies that flag sensitive data in prompts. Without that layer, shadow-AI exfiltration can persist for months past the cross-vector average of 194 days, materially extending the cost-of-dwell.
What is a realistic payback period for an AI control plane?
For a mid-market regulated organisation with the assumptions in the worked example (USD 500 million revenue, healthcare or financial services sector, EU exposure, 100,000 sensitive records), an AI control plane and governance programme with annual run-rate of USD 400,000 to 800,000 typically pays back in under nine months on expected-value math. The payback period is driven by the combination of reduced breach probability (the IBM 2025 finding of 27 percent average cost reduction applies to both probability and dwell-time) and avoided regulatory penalty exposure under EU AI Act, GDPR, and HIPAA.
Is reputation harm really worth USD 2.5 million in the model?
Yes, and the Ponemon long-term impact research consistently finds the figure is higher for AI-coded incidents than for comparable traditional breaches. The mechanism is that AI incidents stay in the news cycle longer because the AI angle is itself newsworthy, which extends the customer churn and lost-prospect curve well beyond the IBM lost-business window. NIST AI RMF (NIST AI 100-1) explicitly contemplates reputation as a category of harm to be characterised under MAP 4 and MAP 5, and pricing it at zero in the cost model is a methodological choice rather than a conservative one.
About the Author
Areebi Research
The Areebi research team combines hands-on enterprise security work with deep AI governance research. Our analysis is informed by primary sources (NIST, ISO, OECD, federal registers, IAPP) and the operational realities of CISOs running AI programs in regulated industries today.