Insider risk now costs organizations $19.5 million annually

Routine employee activity across enterprise systems is generating increasing financial exposure for global organizations.

What happened

Organizations now face an average annual cost of $19.5 million from insider-related incidents, according to the 2026 Cost of Insider Risks Global Report conducted by the Ponemon Institute. Based on data from 354 organizations that experienced one or more material insider incidents in the past year, the report found that negligent or mistaken insiders generate the largest financial impact at $10.3 million in annualized cost per organization, averaging $747,107 per incident across 13.8 incidents per year. Malicious insiders account for $4.7 million in annualized cost, while credential theft incidents add $4.5 million. Containment is the most expensive phase of the incident lifecycle at $247,587 per incident, with organizations spending an average of 67 days containing events. Incidents resolved in under 30 days carry annualized costs of $14.2 million, compared to $21.9 million for those lasting more than 90 days.

Going deeper

Negligence remains the leading cause of insider incidents, with financial exposure rising from $8.8 million in 2024 to $10.3 million in 2025. Generative AI use is changing insider risk patterns, as employees upload internal documents, legal files, source code, architecture diagrams, and strategic plans into public platforms such as ChatGPT, Claude, Gemini, Perplexity, and Grok. AI meeting assistants are creating transcripts that capture sensitive internal discussions, and AI agents are carrying out enterprise tasks that may bypass traditional logging controls. Although many organizations report workforce behavior shifts linked to AI, only a small proportion have formally embedded generative AI into business strategy or integrated AI governance into insider risk programs, while visibility into AI agent activity remains inconsistent, increasing uncertainty around how enterprise data is accessed and processed.

What was said

Raj Koo, Chief Technology Officer at DTEX, told Help Net Security on February 26, 2026, “To mitigate shadow AI risks without stifling productivity, organizations must shift from a block-first approach to an audit and educate model.” He added, “Technologies that understand intent, inspect prompts, and analyze usage patterns are critical. Instead of outright blocking, real-time nudges at the point of risk can guide employees toward safer practices.” Koo said the strategy has a measurable impact, stating, “This approach reduces containment time for insider incidents by 17 percent, from 81 to 67 days, and prevents at least seven major incidents annually, saving $8.2 million in breach costs.” He also said AI agents should be treated as operational identities, explaining, “To classify the risks posed by AI agents, organizations must view them as dynamic, non-human identities governed by functional access controls,” and stressed that “micro privileges and human in the loop approvals for high stakes decisions are essential guardrails.”

In the know

Threat intelligence and enforcement reports indicate that a large portion of healthcare data breaches stem from internal activity, including unauthorized access, misdirected communications, and employee mistakes. IBM’s X-Force Threat Intelligence Index found that “more than 70% of healthcare breaches analyzed were linked to insider activity,” whether through intentional misuse or unintentional errors that exposed sensitive data. These findings challenge the common assumption that ransomware and external hacking groups represent the primary HIPAA risk for most organizations.

The big picture

The $19.5 million annual cost of insider risk is linked to what the report “Healthcare IT is dangerously overconfident about email security” describes as the “friction-bypass cycle.” Although negligence is cited as the leading cause of incidents, the data shows that 86% of healthcare IT leaders say their security tools create workflow friction, prompting staff to “go rogue” and bypass approved systems to stay productive. This behavior fuels a growing “confidence gap,” in which 92% of leaders feel secure even as 8 out of 10 admit they are concerned about their actual HIPAA compliance status.

FAQs

Why are negligent insiders more costly than malicious insiders?

Negligent activity occurs more frequently and often affects a broader range of systems, leading to repeated incidents that accumulate substantial containment and investigation costs over time.

How does containment time influence financial impact?

Extended containment periods increase legal expenses, operational disruption, forensic investigation costs, and regulatory exposure, which collectively drive higher annualized impact.

What role does generative AI play in insider risk?

Generative AI tools can unintentionally expand data exposure when employees input sensitive material into public platforms or when AI agents operate with insufficient logging and access controls.

Why should AI agents be treated as operational identities?

AI agents can access enterprise systems, retrieve data, and execute actions autonomously, which creates risk profiles similar to privileged user accounts and requires defined access governance.

Which sectors face the highest insider risk costs?

Health and pharmaceutical organizations report average annualized costs of $28.8 million, followed by technology and software organizations at $24.2 million, with North American organizations reporting costs above the global average.