97% of Companies Breached Through AI Had Zero Access Controls.
The IBM Cost of a Data Breach Report 2025 found that 13% of all organizations studied had experienced a breach of an AI model or AI application. Of those, 97% reported having no proper AI access controls in place. A $10 billion AI startup named Mercor was compromised in March 2026 through a poisoned open-source library used by millions of developers. Microsoft’s 365 Copilot was shown to exfiltrate corporate data with zero user interaction required.
Enterprises are deploying large language models into the heart of their most sensitive operations — email, documents, code, HR data — while the regulatory and security infrastructure to govern those deployments remains largely unbuilt. The attack surface is new. The defenses are not there yet.
On May 22, 2025, the NSA, CISA, FBI, and allied agencies from Australia, the UK, and New Zealand issued a joint warning: organizations are deploying AI faster than they can secure it. On May 1, 2026, a Six Eyes coalition expanded that warning to autonomous AI agents. This is the threat landscape as it stands.
- 97%of AI-breach victimshad no proper AI access controls — IBM / Ponemon 2025
- $10.22MUS avg breach cost 2025all-time national high — IBM Cost of a Data Breach Report
- 4 TBstolen from MercorAI training data supplier to OpenAI, Anthropic, Meta — March 2026
The IBM Cost of a Data Breach Report 2025 — conducted annually by the Ponemon Institute across 600 organizations globally, covering breaches that occurred between March 2024 and February 2025 — documented an AI governance crisis hiding inside the broader data security numbers. The headline figure: the global average breach cost fell to $4.44 million, down 9% from the prior year’s $4.88 million. The first decline in five years, driven by AI-powered defensive tools that let organizations identify and contain breaches 80 days faster.
But the same report surfaced a structural vulnerability in how companies are deploying AI. Among the organizations that experienced a breach of an AI model or AI application — 13% of the full study sample — 97% lacked proper AI access controls. And of the 600 organizations studied, 63% had no AI governance policies at all to manage AI deployments or prevent workers from using shadow AI tools.
“Shadow AI” — the use of unapproved AI tools by employees, downloading or using consumer-grade AI applications on corporate networks — added an average of $670,000 to the cost of a breach for organizations with high levels of it. One in five organizations reported a breach that was directly attributable to shadow AI. Only 37% had any policies in place to detect or manage it.
AI is simultaneously the most powerful defensive tool in enterprise security and the most under-governed new attack surface. Organizations deploying AI security tools extensively saved $1.9 million per breach and contained incidents 80 days faster than those without. The US average breach cost hit an all-time national high of $10.22 million — more than double the global average of $4.44 million. The gap between organizations with mature AI security programs and those without has never been larger.
In June 2025, researchers at Aim Security disclosed EchoLeak, tracked as CVE-2025-32711 with a CVSS score of 9.3 (critical). The vulnerability affected Microsoft 365 Copilot and allowed a remote attacker to steal confidential corporate data by sending a single email — with no click, no phishing link, no malware download required from the target. It is the first documented case of a prompt injection attack being weaponized to cause concrete data exfiltration in a production AI system.
The mechanism exploits what Aim Security termed an “LLM scope violation.” Copilot’s deep integration with Microsoft 365 — its ability to read email, OneDrive files, SharePoint content, Teams messages, and preloaded organizational data — is the product’s core value proposition. EchoLeak showed it is also a structural attack surface: an attacker who could manipulate the AI’s context window could cause it to retrieve and exfiltrate any data within Copilot’s access scope. The exploit required no credentials, no interaction from the victim, and left no conventional forensic trace that existing SIEM or DLP platforms were designed to detect.
“EchoLeak reveals a structural attack surface that applies to any LLM-based assistant with access to multiple internal data sources — not just Copilot.”
Aim Security researchers · EchoLeak disclosure · arXiv 2509.10540 · June 2025
Microsoft confirmed the vulnerability and issued emergency patches, noting in its advisory that “no further action is required from customers” following remediation. The U.S. House of Representatives had separately banned congressional staff from using Microsoft Copilot in March 2025, citing concerns about data leakage to unauthorized cloud services. A separate bug disclosed in January 2026 showed that a flaw in Microsoft 365 Copilot had granted the AI assistant access to confidential emails in violation of data loss prevention policies.
On March 27, 2026, a threat actor group known as TeamPCP published two malicious versions of LiteLLM— packages 1.82.7 and 1.82.8 — directly to PyPI, the Python package repository. LiteLLM is an open-source Python library used to connect applications to AI services. It has 97 million monthly downloads and a presence in an estimated 36% of cloud environments. The attackers had compromised LiteLLM’s CI/CD pipeline to obtain the credentials needed to publish directly to the repository.
Mercor — a startup that provides AI training data to OpenAI, Anthropic, Meta, and other frontier labs, valued at $10 billion and serving as a critical link in the AI training supply chain — ran LiteLLM as a dependency. On March 31, 2026, Mercor confirmed it had been breached through the poisoned LiteLLM packages. The hacker group Lapsus$ later claimed responsibility. The stolen data: an estimated 4 terabytes, including candidate profiles and personally identifiable information on more than 40,000 contractors, proprietary source code, video interviews, employer data, and API keys that potentially exposed the AI training methodologies of multiple frontier labs.
For Mercor: At least seven class-action lawsuits filed. Meta paused its Mercor contracts indefinitely. OpenAI began investigating its exposure. Five contractors filed individual suits over personal data exposure.
For the AI industry: The breach demonstrated that the AI supply chain is as vulnerable as any software supply chain — and that a single compromised open-source dependency used by millions of developers can become an entry point into the proprietary training data of the most valuable AI companies on earth.
For security teams: Traditional software composition analysis (SCA) tools check dependencies for known CVEs. They do not detect the window between a malicious package’s PyPI publication and its CVE assignment — which can be hours or days. Mercor was breached within that window.
The most visible early case of corporate AI data leakage did not involve any external attacker. In March 2023, Samsung Electronics authorized employee use of ChatGPT in its semiconductor business unit. Within three weeks, three separate incidents of sensitive data leakage were documented.
In the first, an employee pasted faulty source code into ChatGPT to debug it. In the second, an employee entered program code for identifying defective equipment to receive optimization suggestions. In the third, an employee used ChatGPT to transcribe a recorded internal meeting and generate minutes — uploading the audio directly. All three incidents sent Samsung’s proprietary data to OpenAI’s servers, where, under the terms of service at the time, it could be used to train future models.
Samsung’s response — capping ChatGPT inputs at 1,024 bytes and accelerating development of an in-house AI — became the template that dozens of enterprises followed. JPMorgan Chase and Goldman Sachs restricted ChatGPT access entirely after discovering employees had shared sensitive financial data through it. The Samsung case established what security researchers now call the “shadow AI” pattern: employees using consumer AI tools for legitimate work tasks without understanding that the data they enter may leave the organization permanently.
The Open Worldwide Application Security Project (OWASP) published its Top 10 for LLM Applications in 2025, documenting the ten most critical vulnerabilities in enterprise AI deployments. Prompt injection — the manipulation of natural-language inputs to override the AI’s intended instructions — ranks first. OWASP researchers found it present in over 73% of production AI deployments assessed during security audits. Only 34.7% of organizations had deployed dedicated defenses against it.
Unlike traditional application vulnerabilities, prompt injection operates at the semantic layer, not the network or application layer. Existing firewalls, SIEM platforms, SOAR systems, and data loss prevention tools were not designed to detect it. Research published in 2025 demonstrated that five carefully crafted documents can manipulate AI responses 90% of the time. The attack success rate for prompt injections in auto-execution mode — where AI agents act on retrieved content without human review — ranged from 66.9% to 84.1%.
“Most modern attacks against AI systems are integrity attacks — prompt injection is the primary vector. The fundamental architectural weakness is that LLMs cannot reliably distinguish between trusted instructions and untrusted data.”
Bruce Schneier, cryptographer and fellow at Harvard Kennedy School · AI and Trust · June 2025
On May 22, 2025, the National Security Agency Artificial Intelligence Security Center (AISC), CISA, FBI, and cyber agencies from Australia, the United Kingdom, and New Zealand jointly released a Cybersecurity Information Sheet on AI data security. The document identified three primary risk categories for AI systems: data supply chain vulnerabilities, maliciously modified data (including “split-view poisoning” via expired domain purchases), and data drift. It outlined ten cybersecurity best practices specific to AI systems and recommended controls across four phases of the AI lifecycle.
On May 1, 2026, six national cybersecurity agencies — CISA, NSA, and the cyber arms of Australia, Canada, New Zealand, and the United Kingdom — jointly published “Careful Adoption of Agentic AI Services,” defining five categories of agentic AI risk: privilege escalation, design and configuration failures, behavioral misalignment, structural brittleness, and accountability gaps. The document marked the first time Western allied agencies had specifically addressed autonomous AI agents as a distinct threat surface.
On January 8, 2026, the Department of Homeland Security published a Federal Register request for information on security considerations for AI agents — the first formal government inquiry into the governance gap that EchoLeak and the Mercor breach had exposed in production environments. NIST’s Center for AI Standards and Innovation (CAISI) announced the AI Agent Standards Initiative on February 17, 2026, framing it as both a domestic governance response and a geopolitical competition with China over international AI standards-setting.
The security research community has been largely consistent in its diagnosis: the AI security problem is not primarily a patching problem. It is a structural problem. Traditional enterprise security was built for deterministic systems — software that does what it was programmed to do. LLMs are probabilistic systems whose outputs depend on context, training data, and input in ways that are not fully predictable in advance. The security tooling built for the former does not transfer to the latter.
“AI adoption is greatly outpacing AI security and governance. The paradox is that the same technology helping organizations defend better is also creating new risks faster than organizations can govern them.”
IBM Security report authors · Cost of a Data Breach Report 2025 · July 30, 2025
In April 2025, Google DeepMind introduced the CaMel framework as one proposed architectural response — treating LLMs as untrusted elements within secure infrastructure through a dual-LLM approach with explicit separation between a Privileged LLM and a Quarantined LLM. The framework has not been widely adopted. By 2026, IBM X-Force researchers found that 97 million ChatGPT credentials appeared for sale on the dark web, suggesting that credential compromise — not prompt injection — remains the leading vector for unauthorized AI access in practice.
By 2027, Gartner analysts project that 40% of all AI data breaches will result from cross-border misuse of generative AI — data flowing through AI tools into jurisdictions where it is not legally permitted to be processed, creating compliance exposure alongside the security exposure that has dominated the conversation so far.
NSA's AI Security Center, alongside CISA, FBI, and international partners, released guidance on protecting AI data from supply chain attacks, data poisoning, and unauthorized modification. Securing the data used to train and operate AI systems is foundational — organizations must address AI risks across the full AI lifecycle, not just at deployment.
Six allied cybersecurity agencies — CISA, NSA, ASD, CCCS, GCSB, and NCSC — jointly published 'Careful Adoption of Agentic AI Services.' Agentic AI creates new attack surfaces: privilege escalation, configuration failures, behavioral misalignment, structural brittleness, and accountability gaps. Organizations deploying AI agents must address these before deployment, not after.
New IBM Cost of a Data Breach Report 2025: 97% of organizations that experienced an AI-related security incident lacked proper AI access controls. 63% have no AI governance policies at all. Shadow AI adds $670K to the average breach cost. The AI oversight gap is real — and it's measurable.
The Mercor breach should be a wake-up call for every company feeding proprietary data to AI training pipelines. You are only as secure as the weakest dependency in the stack — and most teams do not know what that dependency is.
We approved five AI tools for enterprise use last quarter. By the time procurement finished, employees were already using twelve others. Shadow AI is not a policy problem anymore. It is a detection problem.
The AI security crisis is not a future risk. Mercor lost 4 terabytes of frontier-lab training data through a poisoned Python library. Microsoft’s flagship enterprise AI product was demonstrated to exfiltrate corporate documents with zero user interaction. Samsung leaked semiconductor source code to a consumer chatbot. And 97% of the companies that experienced an AI model breach had no access controls in place when it happened. The attack surface is new. The attackers are not waiting for the governance to catch up.