Two-thirds of organizations still have no AI governance policy — and breach data shows the cost.
IBM’s 2025 breach study found 63% of breached organizations had no AI governance policy in place. Shadow AI added roughly $670K per breach, and 97% of organizations that suffered an AI-related breach lacked basic AI access controls.
The gap between how fast teams adopt AI and how fast governance catches up is now measurable in dollars. In IBM’s 2025 Cost of a Data Breach report (Ponemon Institute, 600 organizations), 63% of breached organizations either had no AI governance policy or were still drafting one. Of the organizations that did have a policy, only about a third audited for unsanctioned AI use.
The cost signal is the part worth acting on. One in five breaches was linked to shadow AI — employees using unsanctioned tools — and those organizations paid roughly $670,000 more per breach than peers with low shadow-AI exposure. Among the 13% of organizations that reported a breach of an AI model or application directly, 97% lacked proper AI access controls.
Why this is a drift problem, not a tooling problem
None of these organizations decided to run AI without governance. The policy simply never caught up to where AI actually entered the workflow: a vendor feature turned on by default, a team that adopted a tool ahead of IT, a model granted access it never formally needed. The breach is where the drift becomes visible — and expensive.
Sources