Shadow AI: The Hidden Cyber Threat Businesses Cannot Ignore

Aug 25

The latest IBM Cost of a Data Breach report makes for sobering reading - especially for businesses using AI tools without clear oversight.

According to the research, 63% of breached organisations have no AI governance policy in place, and only a third actively check for authorised AI use. That gap in oversight is creating opportunities for cybercriminals and making breaches more costly when they happen.

One of the biggest culprits is shadow AI - the use of AI tools and models without approval, oversight or security controls. It is not just a ‘tech buzzword’ either; the report found it was responsible for one in five breaches, adding an average of USD 670,000 to the breach costs for companies with high levels of unauthorised AI use.

Shadow AI is the new entry in this year’s top three costliest breach factors. Its presence within an organisation is an added blind spot - another attack surface that is hard to police because nobody has mapped it. As IBM notes elsewhere in the report, most organisations do not actively look for shadow AI, so it remains undetected until a breach exposes it.

Why AI Governance Can’t Wait

At Consilium, we see shadow AI as the new insider threat. As these tools often operate outside of standard governance processes, they can create hidden vulnerabilities and compliance issues.

Customer Personal Identification data, the most frequently compromised data type in the study, was involved in 65% of breaches, making it a prime target for fraud and resale on the dark web. Intellectual Property data was compromised less often - in around 40% of breaches - but proved the costliest, at USD 178 per record.

The real question, when it comes to AI, is how it is being used and whether the risks are being properly managed. Ethan Godlieb, Associate Partner leading Cyber, Tech and Fintech within Consilium’s Professional and Executive Risk Solutions team, said, “Most organisations have adopted AI tools now to some degree, but few are governing it.”

What This Means for Brokers and Businesses

With increasing scrutiny on AI governance, relying on existing, broad cyber wordings is no longer enough. Ethan advised, “Brokers need to urge clients to audit AI usage and implement governance policies to reduce exposure.”

This is a clear signal to bring AI governance into your cyber risk strategy now, not later. For brokers, it is about having informed conversations with clients on:

  • Auditing AI usage across the business

  • Introducing governance policies for approval, oversight and security

  • Reviewing cyber insurance wordings to ensure AI-related exposures are covered

The IBM report also points to a growing AI ‘arms race’, with AI being used both as a weapon and a shield in cyber warfare. While the average cost of a breach has declined for the first time in five years, now at USD 4.44m, the risks are evolving rapidly, with one in six breaches involving AI-driven attacks such as phishing or deepfakes.

How Consilium Can Help

Consilium’s Cyber, Tech and Fintech team is already working with clients to address these governance gaps, ensuring they are protected against today’s cyber realities. We believe AI can be a powerful tool, but without the right guardrails, it is also a growing risk.

We are preparing for tomorrow’s problems before they become today’s headlines. If you are concerned about AI exposure in your business, we can work with you to review your cyber policy wordings, close any governance gaps and secure protection that keeps pace with emerging threats.

Ethan Godlieb

Associate Partner – Cyber, Tech & Fintech