Shadow AI poses a significant threat to organizations. IBM’s latest report finds that breaches involving unauthorized employee use of AI tools cost an average of $4.63 million, 16% higher than the global average. The research, based on interviews with 3,470 organizations that suffered breaches, shows that the rapid adoption of AI is outpacing security oversight.
The report highlights the lack of proper AI access controls: 97% of breached organizations lacked them. Additionally, 8% of organizations were unsure whether they had been compromised through AI systems. Threat actors are exploiting this gap between AI adoption and oversight, according to Suja Viswesan, Vice President of Security and Runtime Products at IBM.
Shadow AI incidents primarily result in compromised data and disruptions to daily operations, with customers’ personally identifiable information being compromised in 65% of cases. Governance is a significant weakness in AI security, with 63% of breached organizations lacking AI governance policies.
Itamar Golan, CEO of Prompt Security, likens Shadow AI to doping in the Tour de France, emphasizing the desire for an edge without understanding the long-term consequences. Supply chains are the preferred attack vectors for AI security incidents, with compromised apps, APIs, and plug-ins being common causes.
The proliferation of weaponized AI poses a growing threat, with attackers using AI for phishing and deepfake attacks. Fine-tuned language models like FraudGPT and GhostGPT are purpose-built for attack strategies. Attackers also use AI to blend into normal network traffic, which makes detection challenging.
Governance is a weakness that adversaries exploit, with many organizations lacking essential policies and processes to reduce AI-related risks. DevSecOps emerges as a top factor in reducing breach costs, saving organizations an average of $227,192.
Despite the challenges posed by weaponized AI, organizations leveraging AI and automation are saving $1.9 million per breach and resolving incidents 80 days faster. Security teams using AI extensively are able to detect breaches earlier and contain them more efficiently.
The U.S. cybersecurity landscape faces record-high costs compared to global averages, highlighting the need for a fundamental rethinking of cyber resilience strategies. IBM’s report underscores the critical importance of governance in managing AI-related risks and emphasizes the need for organizations to accelerate security AI adoption.
In conclusion, organizations must prioritize implementing AI governance, gaining visibility into shadow AI, and accelerating security AI adoption to mitigate the risks posed by Shadow AI. As attackers continue to weaponize AI, organizations that effectively manage AI risks will thrive in this new landscape where machines battle machines.
