In India, just 37 per cent of organisations said they had AI access controls in place
The average cost of a data breach in India has climbed to a record Rs 220m in 2025, up 13 per cent from last year, according to IBM’s Cost of a Data Breach Report .
The study found that companies are embracing artificial intelligence at speed but leaving security and governance behind, creating what researchers warn is a new area of vulnerability. For the first time, the report looked at breaches linked to AI. Though still a small proportion of cases, they were described as high-value targets for attackers.
In India, just 37 per cent of organisations said they had AI access controls in place, while nearly 60 per cent either lacked governance policies or were still drafting them. Shadow AI – the use of tools without oversight from IT teams – emerged as one of the three biggest drivers of breach costs, adding an average of Rs 17.9m per incident.
“India’s accelerating AI adoption brings immense opportunity, but it’s also exposing enterprises to new and complex cyber threats,” said Viswanath Ramaswamy, vice-president of technology at IBM India & South Asia. “The absence of access controls and AI governance tools are not just a technical oversight, it’s a strategic vulnerability.”
Phishing remained the most common way breaches began in India, responsible for 18 per cent of incidents, followed by supply chain compromise (17 per cent ) and vulnerability exploitation (13 per cent ). The research sector faced the heaviest costs, with average losses of Rs 289m, ahead of transportation at Rs 288m and the industrial sector at Rs 264m.
Despite the rising costs, India’s breach lifecycle – the time to identify and contain an attack – fell to 263 days, 15 fewer than last year. IBM said organisations using AI and automation cut breach costs by more than half. Even so, 73 per cent of those surveyed reported limited or no adoption of such tools.
The annual report, which has tracked nearly 6,500 breaches over two decades, shows how the threat has shifted from physical risks in 2005 to today’s digital, highly targeted attacks.
