Every CFO and CISO has seen the headline: the average data breach costs millions of dollars. The number moves a little every year, the story stays the same. For most mid-market operators, the number is abstract enough to file under "things that happen to bigger companies" and go back to the quarterly plan.
That filing is wrong. The 2025 edition of the IBM Cost of a Data Breach Report — the most widely cited breach economics study in the industry, produced annually with the Ponemon Institute — is the first one where the gap between "what you think a breach costs" and "what it actually costs in your segment" has become commercially dangerous to ignore. Three numbers are worth committing to memory, and one framework is worth bringing with you into every identity conversation for the next twelve months.
Here they are.
"Attackers are logging in, not hacking in. The 2025 data says it plainly: credential-based access is the slowest, most expensive, and most overlooked attack category of the year."
The U.S. average is now $10.22 million per breach
The global average dropped to $4.44 million in 2025 — down from $4.88 million the year before. That headline looks like good news until you isolate the U.S. data. In the United States, the average cost of a data breach in 2025 was $10.22 million — a record high, and more than double the global average.
Why the divergence? A few factors. U.S. regulatory environments impose sharper notification requirements and larger fines. U.S. litigation exposure is meaningfully higher. Cyber insurance in the U.S. has hardened — underwriters are tightening coverage and pushing more costs onto the insured. And the U.S. economy runs on data-intensive sectors (healthcare, financial services, technology) that are inherently more expensive to breach.
For a mid-market company, the useful reframe is not "we are smaller than the companies in this dataset." IBM's cohort includes organizations of all sizes, and the per-record, per-incident, per-endpoint math scales down less than executives expect. The useful reframe is: a single breach in the U.S. in 2025 cost more than most mid-market IT budgets for the entire year. The comparison is not theoretical.
Credential-based attacks cost $4.67 million and take 246 days to detect
Buried inside the report is the statistic that matters most for an identity practice. When the initial attack vector is compromised credentials, the average breach cost is $4.67 million, and the average time to identify and contain the incident is 246 days.
246 days. Eight months. That is the window between an attacker walking through your front door with a valid username and password and your team noticing something is wrong. Every other attack category — phishing, cloud misconfiguration, business email compromise, malicious insider — is detected faster. Credential-based attacks are slower and more expensive because they do not look like attacks. They look like normal logins. The user session is authenticated. The MFA prompt (if there is one) succeeded. The logs show a login from a device the system has seen before. Nothing fires.
Phishing overtook stolen credentials as the single most common initial vector in 2025 — 16% of breaches — but the two categories are bound together. Phishing is the mechanism; stolen credentials are the outcome. Once the credential is loose in the criminal ecosystem, detection clocks start at zero and run for most of a year.
The implication for a mid-market identity program is simple and unforgiving: the 246-day detection window does not close because you have MFA on the front door. It closes when you have credential lifecycle hygiene, anomaly monitoring tied to identity telemetry, service account governance, and documented JML processes that actually run. None of those are platform features. They are practice disciplines, and they are the exact things a two-week assessment surfaces.
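To make the detection point concrete, here is an added example (not code from the report or from Risk Ready Identity) of the kind of identity-telemetry anomaly check the paragraph above describes: it learns a per-identity baseline of countries, devices and sign-in hours from constructed, clearly labelled sample events, then flags later logins that passed authentication and MFA on a known device but deviate from that baseline. The event format, the identity names and the cutoff date are all assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in telemetry (user, timestamp, country, device, mfa_ok).
# Every event is a successful login; the last two are the "looks like a normal login" case.
SIGNINS = [
    ("alice", "2025-03-03T09:02", "US", "dev-a1", True),
    ("alice", "2025-03-04T08:55", "US", "dev-a1", True),
    ("alice", "2025-03-05T09:10", "US", "dev-a1", True),
    ("alice", "2025-03-06T17:40", "US", "dev-a1", True),
    ("svc-copilot", "2025-03-03T02:00", "US", "dev-s9", False),
    ("svc-copilot", "2025-03-04T02:00", "US", "dev-s9", False),
    # Same user, same known device, MFA passed: only geography and hour deviate.
    ("alice", "2025-03-10T03:15", "RO", "dev-a1", True),
    # Non-human identity suddenly used from a human's workstation, mid-afternoon.
    ("svc-copilot", "2025-03-10T14:30", "US", "dev-a1", False),
]

# Assumed split between the learning period and the period being monitored.
DEMO_CUTOFF = datetime(2025, 3, 8)

def build_baseline(events, learn_before):
    """Per-identity profile (countries, devices, active hours) from events before the cutoff."""
    profile = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for user, ts, country, device, _mfa_ok in events:
        when = datetime.fromisoformat(ts)
        if when >= learn_before:
            continue
        p = profile[user]
        p["countries"].add(country)
        p["devices"].add(device)
        p["hours"].add(when.hour)
    return profile

def flag_anomalies(events, profile, learn_before):
    """Return (user, ts, reasons) for post-cutoff logins that deviate from the identity's profile."""
    flagged = []
    for user, ts, country, device, _mfa_ok in events:   # mfa_ok is deliberately not a signal
        when = datetime.fromisoformat(ts)
        if when < learn_before or user not in profile:
            continue
        p, reasons = profile[user], []
        if country not in p["countries"]:
            reasons.append("new-country")
        if device not in p["devices"]:
            reasons.append("new-device")
        if not any(abs(when.hour - h) <= 1 for h in p["hours"]):  # one hour of drift allowed
            reasons.append("off-hours")
        if reasons:
            flagged.append((user, ts, reasons))
    return flagged

if __name__ == "__main__":
    for hit in flag_anomalies(SIGNINS, build_baseline(SIGNINS, DEMO_CUTOFF), DEMO_CUTOFF):
        print(hit)
```

Both flagged events would pass an MFA-only gate; the detection comes from comparing the login against what that identity normally does, which is the telemetry the paragraph says most programs are not watching.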
63% of organizations have no AI governance policy — and 97% of AI-model breaches happened at organizations with no AI access controls
This is the number that will define the next twenty-four months of identity work, and it is the one most mid-market CIOs are not yet tracking.
In the 2025 report, IBM reported that one in six organizations experienced a breach involving AI-driven attacks, 13% of organizations reported an incident on an AI model specifically, and 97% of those organizations lacked proper AI access controls. A separate finding: 63% of all surveyed organizations have no AI governance policy at all. Shadow AI — employees using AI tools outside of sanctioned platforms — accounted for 20% of breaches.
Read those three numbers together. The picture is an industry-wide failure to extend identity governance to the newest and fastest-growing category of non-human users: AI agents, copilots, and automation service accounts. The tools are being deployed. The credentials they use are being provisioned. The access they hold is expanding. And by the numbers, almost none of it is being governed.
This is not a future problem. It is a 2026 problem with 2025 data behind it. Any mid-market company rolling out Microsoft Copilot, Claude, internal agent frameworks, or API-driven automation is currently accumulating an identity surface area that has no certification process, no lifecycle owner, and no revocation path when a contractor leaves or a project ends. Every one of those credentials is a 246-day detection window waiting to open.
Where does your identity program actually sit? Gartner has a scorecard for that.
The Gartner IAM Program Maturity Model is the analyst framework most commonly used by CISOs and IAM leaders to benchmark an identity program against industry peers. It scores the program across six domains — governance, organization, vision and strategy, processes, architecture and infrastructure, and business value — and places each domain on a five-level scale.
The five levels are straightforward:
Level 1 — Initial. Ad hoc, informal. Identity work happens, but there is no defined process. Changes are reactive. Documentation is thin or missing entirely.
Level 2 — Developing. Semiformal processes are starting to emerge. Technical projects are underway but are not yet tied to a broader program. Most post-acquisition environments land here or at Level 1 across most domains.
Level 3 — Defined. Formal, consistent processes exist across the identity program. Roles and responsibilities are documented. Governance has a structure, even if it is not yet fully refined. This is the target state for most mid-market organizations.
Level 4 — Managed. Integrated, metric-driven processes. The program is measured against business outcomes. Identity data flows into security operations. Certifications and reviews are automated and consistent.
Level 5 — Optimized. Continuous improvement. Identity is a strategic function with direct business value contribution. Very few organizations — even large enterprises — sit at Level 5 across all six domains.
The uncomfortable observation that runs through every mid-market engagement I have seen is that most organizations are carrying a Level 2 identity program and paying for a Level 4 breach. The gap between where the program is and where the exposure is sets the risk posture, not the platform choice.
$10,000 versus $10.22 million
Put the numbers next to each other.
The U.S. average cost of a breach in 2025 was $10.22 million. The average cost of a credential-based attack was $4.67 million. The average detection window for that attack category was 246 days. 63% of organizations have no AI governance policy. 97% of organizations that experienced an AI model breach lacked proper AI access controls.
The cost of a focused, fixed-scope identity security assessment that surfaces the specific gaps driving those outcomes — credential lifecycle, admin sprawl, JML process failures, access certification drift, machine and AI identity exposure — is $10,000.
The ratio is not subtle. Against the U.S. average breach cost alone, the assessment represents 0.1% of the downside it is designed to reduce. Against the credential-based attack category specifically, it is 0.2%. Most operational expenses a mid-market CIO approves in a given quarter have a worse ratio than that, by an order of magnitude.
The number that is harder to quantify, but harder to ignore, is the one that sits behind the others: the 246-day detection window is not a platform problem. It closes only when someone who knows what identity exposure actually looks like has looked at your environment and said, in writing, exactly where it is open. That is what the assessment is. That is what the deliverable contains. That is what the arithmetic argues for.
Benchmark your identity program before an auditor, an underwriter, or an attacker does it for you
Risk Ready Identity applies the Gartner IAM Program Maturity Model and the IGA + Access Management taxonomy to assess and remediate post-acquisition identity posture for growing companies. The two-week assessment produces a written findings report, a maturity scorecard placing your program on the Gartner five-level scale across all six domains, and a prioritized remediation roadmap your team can execute.
Fixed scope. Fixed price. No ambiguity about what you are getting or when the engagement ends.
Sources. IBM Cost of a Data Breach Report 2025 (IBM Security + Ponemon Institute, July 2025). Gartner IAM Program Maturity Model (Gartner Research, multiple publications). Risk Ready Identity references these frameworks under their publicly available summaries and does not claim affiliation with, endorsement by, or certification from IBM, Ponemon Institute, or Gartner.