IBM’s Cost of a Data Breach Report 2025 delivers a surprising headline: for the first time in five years, the global average cost of a data breach has declined, dropping to $4.44M. The reason? Faster detection and containment, driven largely by security automation and AI.
But buried inside the report is a far more concerning trend, one that should be a wake-up call for security teams adopting AI at speed.
According to IBM’s research, 97% of organizations that experienced an AI-related breach lacked proper AI access controls. As enterprises race to deploy LLMs, copilots, plugins, and autonomous agents, governance and identity controls are lagging badly.
This gap shows up in multiple ways:
Shadow AI (unsanctioned AI usage) now contributes an additional $670K per breach
16% of breaches involved attackers using AI, primarily for phishing and deepfake impersonation
AI systems and APIs are becoming high-value targets, especially through supply-chain compromise and unauthorized access
One of the report’s clearest signals is that modern breaches are increasingly driven by misused credentials, not zero-day exploits. Malicious insiders, compromised credentials, phishing, and third-party access dominate the most costly breach vectors.
That reality is even more dangerous in an AI-driven environment, where:
AI agents authenticate using long-lived secrets
APIs and plugins act autonomously across systems
Lateral movement happens at machine speed
If you can’t precisely control who (or what) can access an internal resource, and under what conditions, you don’t really have Zero Trust.
IBM’s recommendations repeatedly return to one foundational idea: identity is the new perimeter. That applies equally to humans and machines.
As the report notes, organizations must apply the same rigor to non-human identities (NHIs), including AI agents, as they do to employees:
Strong authentication
Least-privilege access
Continuous authorization
Visibility into credential use and lifecycle
This is exactly where traditional IAM, VPNs, and static network controls fall short.
Pomerium was built for a world where:
Users are remote
Infrastructure is hybrid
Access decisions must be identity-aware, context-aware, and continuous
That model translates directly to AI.
With Pomerium, organizations can:
Enforce per-request, identity-based access for humans and AI agents
Eliminate static credentials with short-lived, identity-derived access
Apply Zero Trust policies to internal APIs, MCP servers, model endpoints, and admin surfaces
Gain visibility and auditability across human, machine, and agentic access requests
Instead of trusting networks, IPs, or embedded secrets, Pomerium treats every request (human, machine or AI) as untrusted.
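As an added illustration of the per-request model described above (an example configuration written for this page, not the post’s own or Pomerium’s documentation), the route below fronts an internal MCP server with an identity-based policy and no shared secret; the hostnames, upstreams, IdP domain, and group names are assumptions.

```yaml
# Added example configuration, not from the post or from Pomerium's docs.
# Hostnames, upstreams, the IdP domain and the group names are assumed.
routes:
  # AI agents reach the MCP server only with an identity asserted by the IdP;
  # no static API key or embedded secret is configured on the route.
  - from: https://mcp.example.internal      # assumed external hostname
    to: http://mcp-server:8080             # assumed upstream
    policy:
      - allow:
          and:
            - domain:
                is: example.com            # assumed IdP domain
            - groups:
                has: ai-agents             # assumed IdP group holding agent identities
            - http_method:
                is: POST                   # tool calls only; no other verbs
      - deny:
          or:
            - http_path:
                starts_with: /admin        # agents are never allowed onto admin paths
  # The human admin surface is a separate route with a separate, tighter group,
  # so an agent identity cannot be reused to reach it.
  - from: https://admin.example.internal   # assumed hostname
    to: http://admin-console:3000          # assumed upstream
    policy:
      - allow:
          and:
            - domain:
                is: example.com
            - groups:
                has: platform-admins       # assumed admin group
```

Each request is evaluated against the route’s policy with the caller’s current identity, so revoking the agent’s group membership at the IdP cuts off access without rotating any credential.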
IBM’s data shows that organizations using strong identity controls, automation, and AI-assisted security see:
$1.9M lower breach costs
80 fewer days to identify and contain incidents
Reduced blast radius when breaches do occur
Those aren’t theoretical benefits. They’re measurable outcomes tied directly to better access control and faster containment.
AI isn’t just another application. It is a force multiplier for both defenders and attackers. In this new agentic era, the organizations that come out ahead will be those that govern agentic access with fine-grained, real-time authorization.
If AI agents can reach your internal systems, they need the same Zero Trust guardrails as your employees. Pomerium exists to make that possible—without VPNs, without shared secrets, and without blind spots.