Kiteworks’ Data Security and Compliance Risk: 2025 Annual Survey Report presents a clear picture of enterprise risk management struggling to keep pace with accelerating AI adoption. Across industries, the data points to systemic gaps in governance, visibility, and operational readiness that are increasing both the frequency and cost of security incidents.
The most significant finding is the limited implementation of AI governance frameworks. Of the 461 respondents across all major industries, only 17% of organizations on average report having technical governance in place. Instead, a quarter of organizations without governance rely primarily on contractual safeguards to manage AI-related data risk. As regulatory scrutiny increases, these approaches are unlikely to provide sufficient protection or auditability. The result is a widening oversight gap at the same time enterprises are deploying AI into core workflows.
This lack of governance correlates with widespread uncertainty around basic risk indicators. Nearly half (46%) of surveyed organizations could not quantify how often they experience breaches, and 60% were unable to estimate litigation costs. More than a third (36%) have implemented no privacy-enhancing technologies at all. These blind spots reduce an organization’s ability to prioritize controls, allocate budget effectively, or respond quickly when incidents occur.
Detection speed is a critical cost driver. Among organizations working with more than 5,000 third parties, nearly a third take over 90 days to detect breaches. Extended detection times are associated with significantly higher litigation costs, reinforcing that incident response maturity is as financially important as preventive controls. As ecosystems grow, delayed visibility compounds risk.
Third-party scale itself is a strong predictor of breach frequency. Organizations exchanging private data with more than 5,000 partners report 10 or more annual breaches at a rate of 24%. By comparison, those with fewer than 500 partners report zero breaches 34% of the time. Notably, the highest relative risk sits in the 1,001–5,000 partner range, where supply chain exposure increases by 46%. These mid-sized ecosystems face enterprise-scale complexity without commensurate resources or tooling.
The financial consequences of repeated breaches escalate sharply. Organizations experiencing one to three breaches annually typically report litigation costs under $1 million. Among those with 10 or more breaches, 77% exceed $3 million in legal costs. Each additional breach tier amplifies cost, reinforcing the economic case for early intervention rather than reactive remediation.
The report also identifies a behavioral divide between low- and high-breach organizations. Those with fewer incidents emphasize operational efficiency, while high-breach organizations focus on financial damage control. The data suggests that proactive investment in governance and privacy reduces downstream cost volatility and operational disruption.
Privacy maturity, in particular, shows measurable returns. Organizations with well-developed privacy programs report lower security losses, stronger customer loyalty, and improved operational efficiency. These outcomes position privacy investment as a performance lever rather than a compliance obligation, especially as AI systems increase data reuse and sharing.
External pressures are adding to the challenge. Thirty-five percent of organizations report higher operational costs driven by tariffs, while 46% have increased budgets for compliance tools. This dual pressure limits the viability of geographic avoidance strategies and increases the importance of scalable, centralized governance models.
The report highlights the true cost structure of compliance. For every dollar spent on visible compliance activities, organizations incur an estimated $2.33 in hidden costs, including delayed innovation and audit fatigue. Organizations with comprehensive governance frameworks achieve significantly better cost visibility, enabling more informed decisions about localization, tooling, and deployment.
Finally, the survey underscores a structural tension between compliance practices and AI requirements. More than a third of organizations segregate data geographically to meet regulatory demands, yet this approach conflicts with AI’s reliance on unified datasets. Without modern governance architectures, enterprises face a trade-off between regulatory adherence and model performance.
Taken together, the findings point to a growing execution gap. AI adoption is advancing faster than the controls designed to govern it. For enterprise leaders, the data suggests that governance, privacy, and third-party oversight are no longer peripheral risk functions but foundational components of sustainable AI deployment.