The global average cost of a data breach decreased to USD 4.44 million in 2025, marking a 9% drop and the first decline in five years, as reported in IBM’s Cost of a Data Breach Report. At first glance, this appears to be progress, with security AI and automation paying dividends by shortening detection timelines and reducing investigative overhead.
However, this headline figure conceals a more troubling reality. Organizations with extensive automation reported breach costs nearly USD 1.9 million lower than those relying on manual processes. The gap between leaders and laggards is widening, not closing. Furthermore, the AI tools driving these cost savings are introducing new risks that regulators, insurers, and boards can no longer overlook.
The automation paradox is evident in security operations centers, which have rapidly adopted AI because the industry faces a shortage of analysts. Burnout-driven turnover exceeds 25% annually in many SOC teams, among the highest in IT. Training a replacement analyst typically takes six to twelve months, making it difficult for organizations to hire their way to resilience.
Automation was intended to solve this issue, and within narrow, well-defined workflows—such as alert triage, log correlation, and repetitive enrichment tasks—it has. The Nextgen 2025/2026 Cybersecurity Trends Report estimates that industry telemetry in 2025 reached 308 petabytes across more than four million identities, endpoints, and cloud assets, producing nearly 30 million investigative leads. Of that volume, analysts confirmed only 93,000 genuine threats, a hit rate of just 0.3%. Without automation, managing this volume would be impossible.
Yet, Gartner’s 2025 Hype Cycle for Security Operations places AI SOC agents at the Peak of Inflated Expectations, cautioning that claims often surpass sustained, measurable improvement. Initial adoption often increases work before reducing it, and false positives and hallucinations remain operational risks. Cost models frequently limit wide deployment across SOC roles.
The paradox is apparent: while organizations need AI to manage the data deluge, ungoverned AI introduces the blind spots it was meant to remove. IBM’s 2025 report found shadow AI—staff using unsanctioned generative AI tools to process sensitive data—added an average of USD 670,000 to breach costs where present. A staggering 97% of breached organizations that encountered an AI-related security incident lacked proper AI access controls. Meanwhile, 63% of surveyed organizations admitted to having no AI governance policies at all.
The stark implication is that automation without governance redistributes risk rather than reducing it. In a regulatory climate increasingly demanding transparency, ungoverned AI in the SOC is not only a technical liability but also a compliance exposure.
The human cost is significant, extending beyond budget concerns. Studies cited in the Nextgen report show SOC teams routinely ignore or dismiss up to 30% of incoming alerts—not due to negligence, but necessity. With every alert appearing similar and context delivered across fragmented consoles, skilled analysts often rely on instinct rather than evidence for triage.
Consequences differ by sector, yet the pattern remains. In healthcare, with breaches costing USD 7.42 million per incident and taking 279 days to contain, alert fatigue is more than an IT issue. ENISA’s dataset of 215 healthcare incidents between 2021 and 2023 found that 54% involved ransomware, with patient data as the primary target in 30% of cases. Hospitals have reported diverted ambulances and delayed surgeries directly tied to stretched staff and clogged detection pipelines.
In manufacturing and energy, where NIS2 enforcement began in 2025, a single day of downtime at a high-throughput plant can result in millions of euros in losses. Adversaries increasingly target industrial control systems by exploiting poorly segmented IT networks, preying on the kind of ambiguous, context-dependent alerts that overwhelmed analysts tend to dismiss.
Financial data reinforces this point. Breaches contained in under 200 days averaged USD 3.87 million in 2025, while those exceeding this duration averaged USD 5.01 million. Multi-environment incidents, spanning cloud, SaaS, and on-premises infrastructure simultaneously, were even more costly, averaging USD 5.05 million with lifecycles nearing 276 days. The operating environment dictates complexity, and complexity dictates cost.
The lesson from 2025 is that data volumes will continue to grow, but the teams poised for success are those treating correlation and enrichment as architectural necessities rather than optional add-ons.
Three regulatory frameworks are now converging on a single demand: prove resilience continuously, not merely report it after the fact.
The Digital Operational Resilience Act (DORA), effective across the EU from January 2025, reframes cybersecurity for financial services around operational resilience amid severe IT disruptions. The most disruptive element is its reporting requirement—institutions must submit incident reports within hours, backed by forensic, audit-grade evidence. Logs must be digitally signed and time
