AI Breach Disclosure: The Industry Accountability Gap

Key Takeaways

• A 2025 survey of 200 cybersecurity leaders found that 48% failed to disclose material cybersecurity incidents to executive leadership or the board in the prior year, with 71% acknowledging they might not report a breach if given the choice [1]. This structural suppression culture predates AI-specific deployments and is likely to compound significantly as AI systems become central to enterprise operations.

• ISACA’s 2026 AI Pulse Poll found that one in three organizations do not require employees to disclose when AI has been used in work products, 20% cannot identify who holds ultimate accountability for AI-caused harm, and only 12% have a documented and regularly tested process for shutting down an AI system in an emergency [3][4].

• The fifteen major AI developers that signed White House voluntary AI safety commitments in 2023 faced no enforcement mechanism, and a July 2024 MIT Technology Review investigation found implementation falling materially short of stated commitments — particularly on transparency and public disclosure of system failures [7].

• The EU AI Act’s serious incident reporting obligations take effect August 2, 2026, requiring notification within two to fifteen days depending on severity [6]. The SEC’s Cyber and Emerging Technologies Unit has accumulated more than $8 million in enforcement penalties through early 2026 for late or inadequate cybersecurity disclosures [13]. Organizations whose actual disclosure culture diverges from these obligations face rapidly compounding legal exposure.

• IBM’s 2025 Cost of a Data Breach Report found that 97% of organizations that experienced AI-related security incidents lacked proper AI access controls, shadow AI incidents added $670,000 above the global mean breach cost, and 63% of organizations experiencing AI-related breaches had no AI governance policies in place [2]. Incident volume is growing faster than governance maturity, making disclosure capability increasingly urgent.

Background

The security industry has understood the breach disclosure problem since at least the mid-2010s: organizations experience incidents, weigh the cost of disclosure against the cost of concealment, and too often choose concealment. What distinguishes 2026 is the intersection of this long-standing structural problem with the accelerating enterprise deployment of AI systems. AI introduces both a new category of security incidents — model compromise, training data exfiltration, agentic process manipulation — and a new rhetorical layer in which organizations publicly champion responsible AI development while their internal governance practices tell a different story.

The accountability gap addressed in this note is not simply a reporting lag. It is a structural divergence between how organizations present their AI risk posture externally and how they actually manage, detect, and disclose AI-related failures internally. The gap has three dimensions: cultural, in that incentive structures within organizations systematically favor non-disclosure, as documented by survey evidence on leadership fear and reputational concern; technical, in that organizations lack the visibility to know what is happening inside their AI deployments; and normative, in that the voluntary commitment regime intended to establish transparency standards has produced neither enforcement nor accountability. Regulatory pressure is now converging on all three dimensions simultaneously, but enforcement infrastructure remains uneven across jurisdictions.

AI incident reporting occupies an uncomfortable position in this landscape. Traditional breach notification frameworks — GDPR’s 72-hour window, the SEC’s four-day materiality rule, state breach notification statutes — were designed around recognizable data exfiltration scenarios: a threat actor accessed a database, credentials were stolen, records were exposed. AI incidents often do not fit this pattern. A model retrained on poisoned data, an agentic workflow manipulated via prompt injection, or a customer-facing language model steered toward harmful outputs may cause significant harm without triggering a clearly defined notification obligation. This definitional ambiguity is not incidental: it creates room for organizations to characterize AI failures as operational anomalies rather than security incidents, avoiding disclosure requirements entirely.

Security Analysis

The Numbers Behind the Rhetoric

Empirical data on AI disclosure gaps is sparse as a structural consequence of the phenomenon itself — organizations that suppress incidents do not report them to researchers either — but the available evidence consistently points to a sector-wide deficit. VikingCloud’s 2025 Cyber Threat Landscape Report, surveying 200 cybersecurity leaders across the United States, United Kingdom, and Ireland, found that 48% had failed to report a material incident to their board in the prior year, that 86% of those non-disclosing organizations had withheld multiple incidents, and that 71% acknowledged they might not report a breach if faced with the choice again [1]. The two primary reasons respondents gave for non-disclosure were fear of punitive rather than constructive leadership response (40%) and concern about financial or reputational harm (44%). These figures predate widespread AI deployment at scale; they establish the baseline disclosure culture into which AI-specific incident reporting must now integrate.

The AI-specific picture amplifies the problem. IBM’s 2025 Cost of a Data Breach Report found that 13% of organizations had already experienced a security breach specifically involving AI models or applications, and that 97% of those organizations lacked proper AI access controls at the time of the incident [2][10]. The same report found that 63% of organizations experiencing AI-related breaches operated with no governance policies for managing AI or detecting unauthorized use — meaning that when incidents occurred, there was no policy framework governing whether or how to disclose them. This governance vacuum is not neutral: it tends to produce ad hoc decisions under pressure, which, based on the available evidence, tend toward concealment over disclosure.

Adversa AI’s 2025 AI Security Incidents Report analyzed 17 documented real-world cases — a curated subset of reported incidents — across industries and concluded that AI incident volume in 2025 was on pace to surpass all prior years combined [5]. The small documented sample reflects the broader underreporting problem this note addresses. Generative AI was implicated in 70% of incidents, with 35% of cases attributable to prompt injection attacks that require no specialized tooling and leave minimal forensic trace [5]. AI-related privacy incidents have increased sharply: the Stanford AI Index 2025 report documented a 56.4% year-over-year increase in documented AI incidents, reaching 233 reported cases across 2024 alone [9]. These are reported figures; the actual incident population, accounting for systematic suppression, is substantially higher.

Why Incidents Stay Unreported

The suppression of AI incident disclosure operates through several reinforcing mechanisms. The first is definitional ambiguity. Current breach notification frameworks do not address AI-specific failures with precision. A model that generates harmful outputs due to adversarial instruction manipulation is not clearly a “personal data breach” under GDPR or a “cybersecurity incident” under the SEC’s Item 1.05 framework, even if it causes material harm to affected users. Legal teams default to the narrower reading, and the incident is logged as an operational anomaly rather than a reportable event. This interpretive conservatism is predictable and, from the perspective of legal risk management, rational — but it systematically excludes a growing class of material events from the disclosure record.

The second mechanism is organizational incentive structure. The VikingCloud data make clear that non-disclosure decisions are driven primarily by fear of consequences, not by genuine assessment of whether events are material [1]. As AI systems become integrated into revenue-generating products, the perceived stakes of disclosure rise accordingly. Disclosing that a customer-facing AI model was compromised or manipulated carries reputational implications distinct from disclosing a backend database breach — implications that compound in an environment where competitors are marketing AI capabilities as proof of technological leadership. Organizations that have staked brand identity on AI innovation face heightened internal pressure to treat AI failures as exceptional rather than reportable.

The third mechanism is technical invisibility. ISACA’s 2026 data show that one-third of organizations do not require employees to disclose when AI has been used in work products [3]. If an organization has no visibility into where AI is deployed, it cannot detect AI-specific incidents, and incidents it cannot detect are incidents it cannot report. IBM’s shadow AI analysis reinforces this structural observation: shadow AI — tools employees use without organizational knowledge or approval — was implicated in 20% of AI-related breaches, with those incidents taking a full week longer on average to detect and adding $670,000 above the global mean breach cost [2]. Unmanaged deployment creates an observation blind spot; in the absence of visibility, governance failures go undetected and incidents go unreported.

The Voluntary Commitment Paradox

The responsible AI landscape of the past three years is characterized by a proliferation of public commitments unmatched by operational accountability. In July 2023, seven major AI developers signed White House voluntary commitments covering safety testing, information sharing on serious risks, and transparency about system capabilities and limitations; eight additional companies joined in September 2023. The commitments were explicitly voluntary and contained no enforcement mechanism. A July 2024 MIT Technology Review investigation found that while some red-teaming practices had improved at the margin, meaningful transparency and accountability remained absent, and commitments to public disclosure of system failures had not been operationalized [7]. The political transition of early 2025 further reduced whatever normative pressure these commitments had generated, as the incoming administration de-emphasized the voluntary framework.

This pattern — public commitment, private non-implementation — is not unique to AI, but it is more consequential in the AI context because of deployment velocity. Organizations announced responsible AI principles in 2023 and 2024 while simultaneously deploying systems those principles were not yet operationally equipped to govern. The commitment can function as a substitute for governance rather than a driver of it: external expectations are satisfied while internal maturity lags. ISACA’s 2026 finding that only 11% of organizations are completely confident in their ability to explain a serious AI incident to regulators is the operational consequence of this gap [3]. Organizations that have published AI ethics statements cannot, in practice, account for what their AI systems are doing or explain what went wrong when they fail.

Regulatory Pressure and Its Limits

Three major regulatory frameworks are now converging on AI incident disclosure obligations, each with different scope and enforcement posture.

The EU AI Act’s Article 73 requires providers of high-risk AI systems to notify national market surveillance authorities of serious incidents — defined as events resulting in death, serious harm, fundamental rights violations, or serious harm to critical infrastructure — within two to fifteen days depending on severity [6]. Full compliance obligations take effect August 2, 2026, though a proposed Digital AI Omnibus amendment may defer some high-risk AI provisions. The European Commission published draft guidance on serious incident reporting in September 2025, with finalization expected by the compliance deadline [6][11]. Importantly, Article 73 creates obligations that run directly to regulators, not merely to affected individuals — meaning AI providers operating in EU markets will need reporting infrastructure in place regardless of whether an incident produces identifiable data breach victims.

The SEC’s cybersecurity disclosure framework requires public companies to file Form 8-K disclosures of material cybersecurity incidents within four business days of determining materiality [8]. The SEC formed the Cyber and Emerging Technologies Unit in February 2025 [8], and enforcement actions had accumulated more than $8 million in penalties through early 2026, concentrated on affirmative misrepresentation rather than nuanced disclosure judgment calls [13]. SEC Chair Atkins confirmed in late 2025 that existing principles-based rules already require disclosure of material AI impacts on financial results, operations, and risk factors [14]. No AI-specific enforcement action has yet been pursued, but the Commission’s stated position is that the existing toolkit applies.

GDPR enforcement continues to intensify across EU jurisdictions, with approximately 443 breach notifications filed per day and enforcement fines reaching €1.2 billion in 2025 [12]. AI-specific GDPR enforcement has focused primarily on training data provenance and discriminatory outputs rather than incident disclosure per se, but regulatory trends suggest that AI system failures affecting personal data subjects will receive increasing scrutiny. The Digital Operational Resilience Act, in force since January 2025, establishes incident reporting obligations for financial sector entities covering ICT-related incidents; DORA’s ICT incident reporting obligations, depending on regulatory interpretation, may extend to AI system failures in trading, credit decisioning, and customer service contexts where those failures constitute covered ICT disruptions.

The combined effect of these frameworks is that organizations now face overlapping, partially inconsistent AI disclosure obligations across jurisdictions. An AI incident affecting EU residents, involving a U.S.-listed company operating in financial services, may simultaneously trigger Art. 73, GDPR, Item 1.05, and DORA reporting requirements with different timelines, different notification recipients, and different definitional thresholds. Organizations without pre-built AI incident response infrastructure will find themselves making consequential disclosure decisions under time pressure with inadequate preparation.

Recommendations

Immediate Actions

Before any disclosure framework can operate effectively, organizations must establish an AI system inventory. Many organizations cannot report AI incidents because they do not know which AI systems they operate. This inventory should cover sanctioned deployments in internal and customer-facing products, third-party AI services embedded in vendor software, and known shadow AI usage — acknowledging that the last category will be incomplete by definition. The inventory should assign a named accountable owner to each system, directly addressing the governance deficit ISACA identified in which 20% of organizations cannot name who bears responsibility if an AI system causes harm [3].

Legal and compliance teams should conduct a gap analysis of current breach notification procedures against EU AI Act Article 73 requirements, SEC Item 1.05, and applicable GDPR and DORA obligations before the August 2026 compliance deadline. This analysis should produce explicit internal guidance specifying which AI failure scenarios constitute reportable incidents under each applicable framework. Given the definitional ambiguity documented above, this guidance requires legal sign-off and should be reviewed when any new AI system is deployed into production or customer-facing environments.

Short-Term Mitigations

Organizations should develop and test an AI-specific incident response runbook covering the scenarios most likely to arise in the near term: model output failures affecting users, prompt injection attacks targeting agentic workflows, training data compromise, unauthorized AI access or exfiltration, and shadow AI breaches. ISACA’s finding that only 12% of organizations have a documented and tested AI shutdown procedure indicates that incident response capability remains underdeveloped across the large majority of organizations [4]. The runbook should specify escalation triggers, internal escalation chains, regulatory notification timelines and templates, and the sequencing of containment actions — including the authority and procedure for suspending or reverting an AI system whose behavior cannot be explained.

Disclosure culture requires direct attention separate from disclosure procedure. The VikingCloud data showing that fear of leadership response drives 40% of non-disclosure decisions cannot be addressed by updating a policy document [1]. Organizations should establish explicit safe harbor protections for staff who report AI incidents in good faith, communicate those protections through leadership rather than through legal notices, and incorporate AI incident disclosure behaviors into CISO and security leadership performance criteria. Where board oversight of AI risk is absent, organizations should add AI to board-level risk committee agendas with standing reporting requirements.

Strategic Considerations

The voluntary commitment model has not produced accountability at scale. Available evidence — including investigations finding shortfalls on transparency and public disclosure — suggests structural limitations that voluntary frameworks cannot overcome without enforcement mechanisms. Organizations should not calibrate their disclosure programs against industry peer behavior or voluntary frameworks — both are likely to underperform regulatory requirements. Internal disclosure standards should be built against the most demanding binding requirements applicable to the organization and should treat regulatory minimums as floors rather than targets.

As AI systems become embedded in critical business processes, the concept of materiality must be operationalized specifically for AI failure modes before incidents occur. A language model generating materially false information in customer communications, an agentic workflow executing unauthorized transactions, or a hiring AI producing systematically discriminatory outcomes may each constitute material events under existing disclosure frameworks, even without a traditional data breach. Organizations should document their materiality analysis framework for AI failures in advance, specifying the criteria, the decision-maker, and the timeline — so that when an incident occurs, the disclosure determination is a structured process rather than an improvised response.

CSA Resource Alignment

This note connects directly to several CSA frameworks and programs that address the governance and incident response dimensions of AI breach disclosure.

The AI Controls Matrix (AICM) v1.0 addresses the accountability structures described throughout this note. The Governance (GV) domain covers designation of responsible parties for AI systems, escalation procedures for failures, and the documentation of accountability chains — directly targeting the 20% gap ISACA identified in organizational AI accountability. The Incident Response (IR) domain covers AI-specific incident classification, containment, notification, and post-incident review. Organizations that have not mapped their current state against AICM GV and IR controls should treat that exercise as a prerequisite for EU AI Act Article 73 compliance.

CSA’s Cloud Incident Response Framework provides principles for multi-party incident coordination that extend to AI system failures in cloud environments. The shared responsibility model the framework articulates — delineating cloud provider and customer obligations — applies with equal force to AI services deployed on cloud infrastructure. Provider-customer boundaries around AI incident detection, notification timelines, evidence preservation, and root cause analysis should be explicitly negotiated in service agreements rather than left to default contract assumptions, which may not specify notification obligations for AI-specific incidents.

The STAR program’s AI-CAIQ questionnaire enables enterprises to assess AI provider disclosure practices during vendor selection and ongoing oversight. Procurement processes should include AI incident disclosure obligations, historical track record, and response capability as mandatory evaluation criteria. Enterprises that deploy third-party AI services without contractual disclosure requirements are creating accountability gaps that regulatory frameworks will not close.

CSA’s Zero Trust guidance is directly relevant to the shadow AI visibility problem. Zero Trust’s principle of continuous verification — rather than implicit trust in enrolled systems — provides a technical foundation for detecting AI systems operating outside sanctioned boundaries and monitoring sanctioned AI systems for behavioral anomalies that may indicate compromise. Visibility into what AI systems are doing is a prerequisite for disclosure capability: organizations cannot report what they cannot see.

References

[1] VikingCloud. “2025 Cyber Threat Landscape Report: Cyber Risks, Opportunities & Resilience.” VikingCloud, 2025.

[2] IBM Security. “Cost of a Data Breach Report 2025.” IBM, 2025.

[3] ISACA. “New ISACA Research Reveals AI Blind Spot at the Heart of Enterprise Risk.” ISACA Press Release, 2026.

[4] ISACA. “The AI Security Gap: Adoption Is Accelerating but Response Capability Is Lagging.” ISACA Now Blog, 2026.

[5] Adversa AI. “Adversa AI Unveils Explosive 2025 AI Security Incidents Report.” Adversa AI, 2025.

[6] EU Artificial Intelligence Act. “Article 73: Reporting of Serious Incidents.” EU AI Act Reference, 2024.

[7] MIT Technology Review. “AI companies promised to self-regulate one year ago. What’s changed?.” MIT Technology Review, July 2024.

[8] U.S. Securities and Exchange Commission. “SEC Announces Cyber and Emerging Technologies Unit to Protect Retail Investors.” SEC Press Release, February 2025.

[9] Stanford University Human-Centered Artificial Intelligence. “Artificial Intelligence Index Report 2025.” Stanford HAI, 2025.

[10] Jones Walker LLP. “The AI Oversight Gap: IBM’s 2025 Data Breach Report Reveals Hidden Costs of Ungoverned AI.” Jones Walker LLP, 2025.

[11] European Commission. “EU AI Act: Shaping Europe’s Digital Future.” European Commission, 2024.

[12] DLA Piper. “GDPR Fines and Data Breach Survey: January 2026.” DLA Piper, January 2026.

[13] Cleary Gottlieb Steen & Hamilton LLP. “The Shifting SEC Enforcement Landscape: 2025 Year-in-Review.” Cleary Gottlieb, January 2026.

[14] SEC Chair Paul S. Atkins. “Remarks at the Investor Advisory Committee Meeting.” U.S. Securities and Exchange Commission, December 4, 2025.