Annual breach-cost research has been tracking the financial impact of security incidents for two decades. The 2025 analysis introduces a new category: shadow AI, defined as the use of generative AI tools by employees without organizational approval or oversight.
The headline finding is that breaches involving high levels of unsanctioned AI use cost organizations an average of $4.63 million, compared to $3.96 million for breaches at organizations with low or no shadow AI activity. The $670,000 difference represents a measurable financial impact attributable to a behavioral pattern that most organizations either tolerate or fail to detect.[a]
The average additional cost of a data breach at organizations with high levels of shadow AI. The premium reflects longer detection times, broader data exposure, and higher rates of intellectual property and PII compromise.
The dataset behind the figure analyzed 600 breaches that occurred between March 2024 and February 2025, drawing on interviews with 3,470 security and business leaders across 17 industries and 16 countries. Among the 600 incidents, 20% involved shadow AI as a contributing factor, and 97% of organizations that experienced AI-related breaches lacked basic AI access controls.
Where the Cost Premium Comes From
The $670,000 differential is not a single line item. It's the aggregate of several measurable factors that the underlying methodology isolates.
The longer detection window matters because breach costs scale with time-to-containment. An incident contained within 200 days costs significantly less than one contained beyond 200 days, regardless of the initial vector. Shadow AI incidents land on the wrong side of that threshold because the activity itself is invisible to security tooling. There's no log of what was pasted into a personal ChatGPT session from a personal account on a personal device.
The PII and IP exposure rates compound the problem. When sensitive data flows into a tool the security team doesn't know about, the organization loses the ability to scope the incident, notify affected parties under regulatory deadlines, or estimate downstream risk. Shadow AI breaches more frequently involve data stored across multiple environments (62% of incidents), which extends the forensic timeline further.
Why the Behavior Persists
One body of research describes what shadow AI breaches look like once they happen. A separate body of research describes why employees keep using unsanctioned AI tools in the first place.
Enterprise customer data shows that 71% of office workers admit using AI tools without IT approval, reflecting the broad usage rate that includes both organizations that have banned AI and those that have not.[b]
A separate study of 6,000 knowledge workers found that 46% would continue using AI tools even if their organization explicitly banned them; a parallel analysis arrived at approximately 48%.[c] These two findings measure different things: the 71% figure is current usage without IT approval, while the 46-48% figure is intent to defy an explicit ban. Together they describe an environment in which a significant majority of workers are already using shadow AI, and roughly half would continue if told to stop.
Prohibition at the policy layer does not change the underlying behavior. It just moves the behavior off the network the organization can see.
Browser-layer research adds another dimension. 71.6% of enterprise access to generative AI tools happens through non-corporate accounts, even at organizations with sanctioned alternatives available.[d] The session is invisible to enterprise security stacks like Microsoft Entra or Purview because the user is signed into a personal Gmail account in a separate browser profile. The device may be fully managed. The session is not.
The Enterprise LLM License Question
A reasonable question at this point is whether enterprise licenses for ChatGPT, Claude, or Microsoft Copilot solve the problem. Many security teams have moved exactly this direction in 2025, on the theory that giving employees a sanctioned tool removes the incentive to use a shadow one.
Enterprise tiers do close one specific vector. OpenAI's Enterprise tier, Anthropic's enterprise offerings, and Microsoft Copilot for Microsoft 365 all contractually exclude customer prompt data from training. For the data that flows through the sanctioned tool, the training-data leakage channel is genuinely closed.
The data on what happens next is mixed. An analysis of 22 million enterprise AI prompts found that ChatGPT alone accounts for 71.2% of total sensitive data exposure across the tools tracked, and that the dominant issue is personal account usage rather than the tools themselves.[e] Employees with access to ChatGPT Enterprise often continue to use their personal ChatGPT account in parallel, for reasons that range from habit to faster login to features available on personal accounts that haven't yet shipped in the enterprise tier.
Enterprise licensing also doesn't address the long tail. When one tool is sanctioned, usage shifts toward unsanctioned alternatives. OpenAI commands 53% of enterprise shadow AI activity, with the remaining 47% fragmented across Otter.ai, Anthropic, Perplexity, Gamma, Synthesia, and dozens of specialized tools that most security teams have never inventoried.
The practical reading is that enterprise LLM licenses are necessary but not sufficient. They eliminate one defined vector at one named tool. They don't address the behavioral pattern of employees defaulting to whichever AI tool is fastest in the moment.
What the Data Suggests About Architecture
The pattern across the research is that shadow AI is a behavioral problem expressed through technical channels. Policy controls (bans, training, acceptable use agreements) address the behavioral side imperfectly because they rely on compliance. Tool controls (enterprise licenses, DLP, CASB) address the technical side imperfectly because they only govern the specific channels the security team can see.
Organizations that have measurably reduced their shadow AI exposure in 2025 have tended to combine three things:
- Approved enterprise alternatives that are genuinely competitive in features and latency with the consumer versions, removing the productivity incentive to use personal accounts
- Architectural separation for sensitive development work, where source code and proprietary data live in environments where copy-paste to external destinations is technically prevented rather than policy-prohibited
- Visibility tooling at the browser or endpoint layer that catches AI tool usage the network firewall misses, including paste activity into AI prompts (77% of employees paste data into AI prompts, with 50% of that activity including corporate data[d])
The single most defensible architectural pattern in the research is environmental separation for the work that carries the most risk. Engineering teams working on proprietary codebases, M&A teams handling confidential deal data, and security teams working with sensitive customer information benefit disproportionately from working environments where the shadow AI channel is closed at the system level rather than at the policy level.
That doesn't mean every employee needs to work inside a locked environment. It means that the highest-value, highest-risk work should be done in environments where the behavioral question (would this employee paste sensitive data into a consumer LLM if they were under deadline pressure?) doesn't need to be answered, because the option isn't there.