South Africa’s breach costs are down, but AI-driven cyber defence is not a cure-all

IBM’s newly released 2025 Cost of a Data Breach Report suggests local organisations have seen breach costs drop from ZAR 53.1 million in 2024 to ZAR 44.1 million this year — a 17 percent reduction that’s being credited to artificial intelligence, machine learning and automated security tools.

It looks good on paper. Faster detection. Shorter breach lifecycles. Fewer rands burned. But a closer look reveals a more complicated reality.

While costs are falling, the number of records breached is rising. In 2025, the average South African breach compromised 23 445 records. Threat actors are getting better, not worse. Shadow AI tools, deepfakes, and supply chain attacks are now standard fare. And AI models themselves have become attack surfaces, not just defences.

AI-driven cyber defence is not a shield. It is a shortcut. And shortcuts only work when the underlying structure is sound. In South Africa, it isn’t.

Only 47 percent of companies included in the report had formal AI governance frameworks in place. Without them, even the most sophisticated tools can become liabilities. Model poisoning, data leakage, ethical drift and silent failures remain largely unaddressed.

Detection and escalation costs (ZAR 17.5 million) are still the biggest line item in an average South African breach, followed by lost business (ZAR 13.1 million) and post-breach response (ZAR 12.5 million). These aren’t just financial losses. They are indicators of brittle systems, institutional blind spots and underinvestment in human-centred security practices.

It is no surprise, then, that sectors like finance, hospitality and professional services continue to be the hardest hit. Financial institutions reported an average breach cost of ZAR 70.2 million. For services firms, it was ZAR 56.7 million. Despite the use of automation and DevSecOps, too many organisations still treat security as a bolt-on instead of a design principle.

The real risk isn’t that AI won’t work. It’s that it will work just well enough for companies to stop asking deeper questions.

As was recently pointed out, South Africa remains a global hotspot for data breaches, ranking 27th worldwide in Q2 2025. Regulatory fatigue, skills shortages and weak policy enforcement continue to define the cybersecurity landscape.

AI can automate alerts. It can shorten response times. But it cannot fix poor security culture or build trust with users. It cannot replace leadership. And it certainly cannot govern itself.

This is not a call to abandon AI-driven cyber defence. It is a call to interrogate it. For South Africa, the drop in breach costs should be seen as a reprieve — not a sign that we’ve solved the problem.

Until governance catches up, AI remains a high-stakes experiment. One we’re running live, with real users, real money, and real consequences.
