Phishing has surged 1,265%. The average AI-enabled breach now costs $5.72 million. Somewhere between the sales pitches and the fear campaigns, the 2025 IBM Cost of a Data Breach Report delivers a simple message Australian organisations should stop ignoring: adopting AI without governance is not innovation, it is a financial and operational liability.
That $5.72 million figure is 13% higher than the previous year. IBM ties the rise directly to organisations pushing AI into customer, employee, and supplier workflows without access controls, data classification, or incident response planning. The gap between AI rollout and AI oversight is not just a technical problem. Finance, risk, and legal should also care because breach costs compound across regulatory exposure, customer churn, and remediation time.
What the Numbers Actually Mean
The same reporting period showed AI-enabled cyber attacks rose 47%. Microsoft Cyber Signals tracked a 46% increase in AI-generated phishing content. DeepStrike’s tally found 82.6% of phishing emails now use AI in some form. That is not a distant threat. It is the current email threat landscape.
On the defensive side, IBM reports organisations with mature AI security tools see average breach costs $1.8 million lower than those without. The difference is not magic. It is automated threat detection, rapid containment, and endpoint visibility.
Shadow AI Is Eating Your Budget
Shadow AI is one of the most underdiscussed cost drivers. IBM found many organisations lacked AI governance frameworks, leaving employee-deployed tools operating outside security review. A finance team pasting customer data into a third-party AI assistant, or a developer connecting internal docs to an unvetted LLM, creates exposure no perimeter firewall can stop.
Trend Micro and other researchers documented thousands of unprotected AI services online, including Chroma servers and vector databases, open to anyone who knows how to query them. Once an AI tool is integrated into workflows, it is rarely decommissioned cleanly. Governance needs to start before deployment, not after a breach team arrives.
Practical Steps That Do Not Require a Budget Increase
First, start with identity: strong authentication, passkeys where possible, and a formal process for removing access when someone leaves. Second, map your AI footprint. Every connected LLM, every third-party chatbot, and every internal tool with access to email or files should be logged and reviewed. Third, assume breaches will include AI-powered reconnaissance and test your response accordingly. Red-teaming and tabletop exercises should include synthetic media and prompt-injection scenarios now, not next year.
The organisations controlling AI costs are not the ones waiting for perfect governance. They are the ones enforcing minimum controls before another employee signs up for the next AI du jour.
