NEW DELHI: The rapid rise of artificial intelligence (AI) adoption in India comes with a hidden cost. A new IBM report warns that while Indian organizations are quick to embrace AI, they remain alarmingly lax on security and governance—creating an ideal environment for cybercriminals.
According to the report, the average cost of a data breach in India has hit an all-time high of Rs 22 crore in 2025, up 13% from last year. This sharp increase underscores the country’s growing strategic vulnerability to AI-related threats, which have now become a significant financial liability.
The study highlights a glaring gap between AI adoption and AI security. In the rush to capitalize on AI’s benefits, many companies are bypassing essential safeguards. Sixty percent of breached organizations either have no AI governance policy or are still drafting one. Fewer than 40% have AI access controls in place, and among those with policies, only 34% use technology to enforce them. This “deploy now, secure later” mindset is giving attackers an easy opening.
The threat of ‘shadow AI’
One of the report’s most troubling findings is the rise of “shadow AI”: the unauthorized use of AI tools and applications by employees without IT oversight. Examples include staff using public-facing generative AI like ChatGPT to process sensitive company data or to write code. Such unregulated use creates major security blind spots, making shadow AI a lucrative target for cybercriminals.
Shadow AI was among the top three cost drivers for breaches in India, adding an average of Rs 1.8 crore to total breach costs. Yet, only 42% of organizations have policies to detect or manage this stealthy and costly risk.
While AI-related vulnerabilities dominate headlines, traditional attack vectors still wreak havoc. The top initial cause of breaches in India remains phishing (18%), followed by third-party vendor and supply chain compromises (17%) and vulnerability exploitation (13%). These figures show that even as new threats emerge, old tactics remain highly effective.
The report also points to a surprising shift in the sectors hardest hit by breaches. The research sector now faces the highest average cost at Rs 29 crore—edging out transportation and industrial sectors, which previously topped the list. The change reflects the high value of intellectual property and sensitive data held by research institutions, making them attractive targets for attackers.
A silver lining
There is some good news. The average breach lifecycle, the time to identify and contain a breach, fell to a record low of 263 days, down 15 days from 2024. This suggests organizations are improving at incident response, a positive sign for India’s cybersecurity readiness.
However, the report highlights a paradox: while AI and security automation can more than halve breach costs, 73% of surveyed organizations reported limited or no use of these proven technologies. As Viswanath Ramaswamy, Vice President, Technology, IBM India & South Asia, warned, “The absence of access controls and AI governance tools is not just a technical oversight—it’s a strategic vulnerability.”