By: Rebecca L. Rakoski, Esquire
Patrick D. Isbill, Esquire
Weak oversight of corporate AI-based security systems can have a costly impact on a company’s financial stability. As technology evolves and storing data in the cloud becomes increasingly convenient and cost effective, cyber criminals are constantly seeking opportunities to infiltrate a company’s security footprint. Their methods range from exploiting user weaknesses through social engineering to directly attacking system vulnerabilities such as misconfigurations, refining ransomware and malware, planting backdoors, and exploiting zero-day vulnerabilities.
Corporate AI defenses are essential to defend against cyber criminals who are always upgrading their methods, increasingly through attacks that are themselves powered by AI. Two examples keeping CISOs up at night: (1) AI-driven vulnerability scanning, which uses AI to quickly scan networks for unpatched systems or other weaknesses; and (2) AI-generated malware, which can rewrite its own code to avoid detection by the signature-based security tools most organizations rely on.
But according to IBM’s annual report titled, “2025 Cost of a Data Breach: The AI Oversight Gap,” the biggest threat to a company’s AI defense systems is not a system weakness but a human one: these systems are not being actively managed through operational oversight, proper access controls are not maintained, and in many cases no governance policies exist for managing the AI security platforms at all. The most advanced AI-driven corporate security system cannot ensure that a company’s data remains secure if no one oversees and operationally manages it or actively follows governance policies. In short, lack of governance of AI-driven corporate security systems is sending breach costs higher.
AI Defense Evolution and Lack of Oversight
IBM’s 2025 study underscores the value of corporate AI-powered defenses, from faster breach containment to lower global data breach costs. It also highlights an old problem in a familiar form: the overwhelming finding that, at most companies, AI adoption is outpacing human oversight. This is even more stunning when considering the finding that 97% of organizations that reported an AI-related security incident also lacked proper access controls for their AI systems.
Worse yet, most breached organizations reported having no governance policies in place to manage AI, according to the study; nearly two-thirds reported having no policies for managing AI or for detecting shadow AI. The impact of such a lack of oversight is acutely felt when companies realize higher regulatory penalties and higher detection costs.
Moreover, implementing security AI and automation has been shown to reduce breach costs. The study reports that the global average cost of a data breach across all organizations is $4.44 million. Companies that extensively used security AI and automation had a significantly lower average cost of $3.62 million per breach, while companies that did not use security AI and automation had an average cost of $5.52 million. That gap of $1.90 million, just over 50% of the lower figure, can appreciably affect a company’s expenses.
Regulatory Penalties = Added Costs
The costs of a data breach in the United States can be far reaching. According to IBM’s 2025 study, part of the reason for a 9% increase in the U.S. average from 2024 is higher detection and escalation costs, along with rising regulatory fines. This contrasts with the global average cost of a data breach, which fell because most countries and regions had lower detection and escalation costs.
Using AI security, coupled with being proactively compliant with all legal and regulatory requirements before a breach, is without a doubt cost effective for a company’s bottom line. For example, IBM’s 2025 study points out that one-third of organizations paid a regulatory fine as a result of a breach. Among organizations that reported a breach to regulators and other government agencies, 70% were fined more than $50,000 and 48% were fined more than $100,000. No matter how the data is analyzed, it is clear that data breach costs compound with regulatory penalties and go far beyond the more commonly reported consequences of an incident, e.g., operational disruption, unauthorized access to sensitive data, and reputational damage, which can have long-term effects that are not easily quantified.
So organizations logically ask how some of these costs can be mitigated. Often solutions and oversight are misassigned, or thought to require only IT support, when in fact oversight and intervention are best spearheaded by legal. More to the point, the basic problem for organizations during a cyber incident is typically that they failed to involve legal months or years before the breach and then compounded that failure by not involving legal soon enough after the breach to work in concert with IT. Based on the numbers from IBM’s 2025 study, several of the factors that reduced breach costs are commonly associated with, and in many instances require, legal oversight or input: implementing AI governance policies, employee training, and using AI governance technology.
In addition, all of the aforementioned factors require a degree of legal supervision and coordination, primarily to anticipate or narrow culpability questions and liability issues related to potential, and in some instances certain, class action lawsuits and regulatory enforcement actions. An effective legal pre-defense against liability or class action litigation requires cybersecurity and data privacy counsel who is both experienced in these matters and involved from the beginning. Cyber counsel should also be familiar with the organization’s data security measures and breach protocols in order to anticipate legal obstacles and work collaboratively with corporate counsel to minimize post-breach fallout.
One of the biggest mistakes an organization can make post-breach from a legal standpoint is trying to assemble a legal defense while the organization is in free fall and frantically dealing with the initial moments of the fallout. Pre-defense preparation can go a long way toward mitigating the financial and legal impacts of a data breach or cyber incident, and systematically building a legal defense before a breach will pay dividends in the long run should: (1) regulators bring an enforcement action against the organization, or (2) decision makers be called to testify in complex litigation over negligence, breach of contract, and/or violations of privacy laws.
Solutions to Improving AI Security Oversight – Legal Intervention Over IT Support
When an organization uses AI and engages legal to help govern its operational oversight, the conversation tends to center on generative AI. Yet most technology already has some form of AI incorporated into it, and many organizations fail to consult legal counsel on AI issues at all, which can be costly. Legal counsel can play a critical role in strengthening AI oversight and supporting responsible adoption in many ways, while proactively identifying and, by extension, mitigating potential legal liabilities for the organization. In sum, legal can play both a pivotal and determinative role in filling the AI oversight gap and thereby meaningfully reduce the costs associated with a data breach.
For example, legal should be providing clear governance frameworks. New laws pertaining to the use of AI are being passed at the state level, which means there are variations to consider as well as questions about how each law applies to the organization’s particular operational structure. It is therefore crucial that legal is involved from the beginning in reviewing and interpreting the impact these often nuanced laws and statutes have on the organization’s use of AI.
Furthermore, organizations need to establish a governance structure to reduce legal liability and ensure compliance. Organizations should have well-defined consequences for non-compliance with the guidelines and policies they establish, so that there is meaningful accountability rather than rote enforcement and penalties. More importantly, HR departments, for example, cannot establish these ramifications alone. Companies should support the efforts of their departments with cyber attorneys who are familiar with the company’s operational framework and can collaborate effectively with corporate counsel to build strategies for both the oversight and the compliance of AI-powered defenses.
In addition, legal should define policies around the nature and type of AI that will be used and the type of data that can be put into it, and then ensure that IT configures the AI technology in accordance with the organization’s legal obligations. Those obligations need to align with the organization’s data privacy and cybersecurity posture and its specific organizational needs and framework. To be clear, an organization needs to establish “how” and “what” AI it will use before actually deploying these security applications. Once it determines the type of AI platform in operation, legal should immediately set guidelines around its implementation: what type of data can be used or fed into the AI model, what functions the model will perform, and what results are expected of it.
Legal should also be contemporaneously drafting internal standards for risk classification, requiring higher scrutiny for systems that handle sensitive data or make high-stakes decisions, and for employees who might turn to shadow AI to increase their productivity or shortcut their way to solutions. Finally, legal should draft contracts governing the use of AI by the organization’s vendors and other third parties. Contract language should carefully consider and include explicit security, audit, and incident response obligations in order to reduce exposure across the AI supply chain.
Conclusion
It is important to remember that a cybersecurity incident should not, by default, force IT to work in a vacuum. There are serious regulatory violations and potential enforcement actions, squarely within the province of legal, that may result from a lack of oversight of the AI-related security applications and controls an organization uses, and legal needs to think about them immediately. In sum, the costs of a data breach can spiral quickly and post-breach legal obligations can escalate just as fast, but there are ways to mitigate the fallout beforehand and for legal to work collaboratively with IT on post-breach assessments.
Organizations must therefore ensure that governance policies with regular oversight are in place to properly implement and deploy their AI security applications before an incident occurs. Furthermore, they must ensure that legal gauges risk from the outset and that these risk functions are fully integrated into the organization’s incident response and AI-related security oversight protocols. This, along with pre-defense preparation and proactive risk mitigation, can go a long way toward reining in the costly after-effects of a data breach and the potential exposure to liability. Put simply, companies need to understand one message when it comes to overseeing AI-based security – the lock used to protect a company’s data secures nothing if the door it is attached to remains open.
Reprinted with permission from the April 21, 2026, issue of the New York Law Journal. Further duplication without permission is prohibited. All rights reserved. © 2026 ALM Media Properties, LLC.
This article does not constitute legal advice or create an attorney-client relationship. The information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
