Insider Risk Costs: Uncovering the $19.5M Threat Inside

Cybersecurity conversations tend to drift toward the dramatic: nation-state actors, zero-day exploits, supply chain infiltration. These threats are real and they deserve attention. But there is a more mundane and considerably more expensive problem sitting inside most organizations every day, and the 2026 DTEX/Ponemon Insider Risk Report puts a very precise number on it.

Key Takeaways

  1. Negligence Is the Costliest Insider Threat Category. The 2026 DTEX/Ponemon Insider Risk Report found negligent insiders account for 53% of total insider risk cost—$10.3M annually—up 17% year over year. The culprit isn’t the disgruntled employee walking out with data. It’s the well-meaning employee moving too fast, using the wrong tools, and creating exposures that nobody logged.
  2. Shadow Apps Are the New Data Loss Channel. Employees routinely paste internal documents, source code, legal materials, and business strategy into unapproved public tools. With only 18% of organizations having fully integrated AI governance into their insider risk programs, most companies have no real visibility into what’s leaving—or where it’s going.
  3. Average Insider Risk Cost Is Now $19.5M per Organization—and Rising. Up from $17.4M in 2024 and $16.2M in 2023, this trajectory is not leveling off. Containment remains the single largest cost driver at $247,587 per incident. Speed to contain is the difference between a manageable incident and a financial event.
  4. AI Agents Are Inside Your Perimeter—and Most Insider Risk Programs Do Not Cover Them. Only 19% of organizations classify AI agents as insider risk equivalents to human employees, yet 44% already expect malicious use of those same agents to significantly increase data theft. The definitions have not caught up to the deployments.
  5. Programs That Invest in Insider Risk Management Avoid an Average of $8.2M in Annual Breach Costs. Organizations with formal insider risk programs avoid roughly seven incidents per year. Privileged access management delivers the greatest cost reduction at $6.1M. The ROI case is not theoretical—it is documented and repeatable.

The average organization spent $19.5M dealing with insider risk in 2025. That figure is up from $17.4M in 2024 and $16.2M in 2023. It is not a one-year anomaly. It is a trajectory. And what is driving it—what the report makes painstakingly clear—is not a surge in rogue employees. It is something far harder to defend against: ordinary people, doing their jobs, making decisions that create extraordinary levels of risk.

The report draws on data across 354 companies and 7,490 insider incidents. It covers the full spectrum of insider risk categories—from the negligent employee who pastes sensitive data into a public tool to the malicious insider deliberately exfiltrating intellectual property. What it surfaces is a portrait of data security that most organizations prefer not to look at directly: The most expensive breach vector in your environment is probably already trusted, credentialed, and active.

Negligence Costs More Than Malice

The instinct in insider risk conversations is to focus on the malicious actor—the employee selling data, the contractor stealing source code, the disgruntled executive walking out with the customer list. These cases exist, they are serious, and they represent real financial exposure. But they are not where most of the money is going.

Negligent insiders account for 53% of total insider risk cost, at $10.3M annually, up 17% year over year. The average negligent incident costs $747,107. There were 13.8 of them per organization in the reporting period. Negligence—not malice—is the dominant cost driver in insider risk programs across industries. DTEX identifies three primary contributors: unmonitored file sharing, personal webmail, and shadow apps—tools employees adopt independently, outside of IT visibility or policy controls.

What constitutes a negligent insider incident in 2026 is not someone trying to circumvent security. It is someone trying to do their job faster. They need to get a document reviewed. They need to summarize a long report. They need to share something with a client before a deadline. The friction between security controls and workflow demands is real, and when those two forces collide, security frequently loses.

Containment is the largest single cost component at $247,587 per incident, compared to $39,728 for escalation. That disparity is not accidental. It reflects how difficult it is to locate, assess, and remediate incidents that were never logged in the first place. When data moves through unapproved channels, the forensic trail that containment depends on simply does not exist.

The Apps You Don’t Know About Are Your Biggest Compliance Liability

Shadow apps are now the top driver of negligent insider incidents according to the DTEX report. Employees are pasting internal documents, legal materials, source code, architecture diagrams, and business strategy into public tools including ChatGPT, Gemini, Perplexity, and Grok. These transfers happen at the application layer, outside the scope of traditional DLP controls, and they create uncontrolled data flows that land outside enterprise boundaries without logging, without consent, and without the data-processing agreements that compliance frameworks require.

The compliance exposure is direct. Under GDPR, CCPA, HIPAA, and a growing set of sector-specific frameworks, organizations have affirmative obligations around how personal data is processed, where it goes, and who can access it. When an employee pastes a contract containing customer PII into a public tool, that data has now been shared with a third party under conditions the organization almost certainly cannot document. If a regulator asks for evidence of lawful processing, there is none. If a privacy rights request comes in for that data, the organization may not even know where it went.

The DTEX report identifies AI notetakers as a particularly high-risk category within this broader problem. These tools record, transcribe, and often store meeting content—content that frequently includes PII, sensitive business information, and privileged discussions. Without consistent access controls, defined retention limits, and formal data-processing agreements, AI notetakers function as unmonitored data repositories that sit outside any reasonable compliance perimeter.

Ninety-two percent of organizations acknowledge that generative tools have fundamentally changed how employees access and share information, yet only 13% have formally integrated this reality into their business strategy. Seventy-three percent worry that unauthorized tool use is creating invisible data loss pathways. Only 18% have fully integrated AI governance policies into their insider risk management programs. That gap—between concern and action—is where compliance exposure accumulates quietly, until it does not.

The Insider Perimeter Just Got a Lot More Complicated

The definition of an insider has always been straightforward: a person with authorized access to organizational systems, data, or premises. That definition is now under pressure in ways that most insider risk programs have not yet adapted to.

Nineteen percent of organizations have deployed autonomous agents into daily workflows. These tools access corporate systems, conduct work autonomously, and in many cases bypass traditional controls and logging entirely. They operate with credentials. They access data. They take actions with security and compliance implications. And they do all of this without the behavioral signals that human insider risk programs are designed to detect. The problem is that most insider risk frameworks still define “insider” in human terms. Only 19% of organizations classify AI agents as equivalent to human insiders from a risk governance standpoint, despite 44% already expecting malicious use of those agents to significantly increase data theft risk.

DTEX describes agentic browsers and task-completion agents already observed accessing corporate environments, conducting work on behalf of users, and bypassing the logging infrastructure that organizations depend on for detection and compliance evidence. When an autonomous agent accesses sensitive data, the audit trail that compliance frameworks require may simply not exist. The access happened. The data was read or transferred. But the event looks nothing like what traditional monitoring systems were built to catch.

This is not a future-state problem. Organizations that have deployed agents for productivity purposes are already operating in this gap. The insider risk programs designed around human behavioral analytics do not have native coverage for non-human principals, and the compliance implications of that gap grow larger as deployment rates increase.

The Cost of Slow Containment Is a Number You Can Measure

One of the more clarifying findings in the DTEX report is the relationship between containment speed and total incident cost. It is not a nuanced relationship. It is direct and significant.

Organizations that contain insider incidents in under 30 days spend an average of $14.2M annually managing insider risk. Organizations where containment takes longer than 90 days spend $21.9M. That $7.7M delta is not attributable to more severe incidents. It is attributable to time. Containment at $247,587 per incident is the largest single cost component in insider risk programs. Every day an incident is uncontained adds to that number.

The budget trajectory in the DTEX data reinforces this from a different angle. Organizations increased insider risk budget share from 8.2% of total security spend in 2023 to 19% in 2025. Over that same period, average containment time fell from 86 days to 67 days—a 17% reduction. More investment in insider risk programs is producing measurable improvement in containment speed, and faster containment is producing measurable reduction in total cost.

On which tools deliver the greatest cost reduction, the DTEX data is instructive. Privileged access management leads at $6.1M in annual savings, followed by user behavior analytics and behavioral intelligence at $5.1M, user training at $4.8M, and SIEM at $4.6M. User training and awareness is the most widely deployed tool at 83%, but it delivers less than half the financial impact of privileged access controls. Organizations optimizing purely for deployment breadth rather than cost impact are leaving significant money on the table.

What This Means for Your Compliance Program

The compliance implications of the DTEX findings concentrate in three areas: data flow visibility, AI governance, and incident documentation.

On data flow visibility, the fundamental problem is that organizations cannot demonstrate compliant data handling for flows they cannot see. Unmonitored file-sharing platforms, personal webmail, and unapproved tools that process sensitive data outside managed environments all create regulatory exposure under frameworks requiring documented control over where data goes and who accesses it. GDPR’s accountability principle, CCPA’s service provider requirements, and HIPAA’s minimum necessary standard all presuppose organizations can map their data flows. Shadow apps make that mapping incomplete at best.

On AI governance, the DTEX data puts a number on the gap: 92% of organizations acknowledge that generative tools have fundamentally changed how employees share information, but only 13% have integrated AI into formal business strategy and only 18% have integrated AI governance into their insider risk management programs. The EU AI Act, sector-specific financial guidance, and evolving enforcement postures around automated decision-making all point toward increased scrutiny of how organizations govern employee use of AI tools—scrutiny that organizations with no governance framework are poorly positioned to meet.

On incident documentation, the compliance case for insider risk investment is not just about preventing incidents. It is about being able to demonstrate what happened, who was involved, and what actions were taken when incidents do occur. The tools that deliver the greatest financial impact—privileged access management and behavioral analytics—are also the tools that generate the audit trails and forensic evidence that compliance investigations require. Investment in insider risk management is simultaneously investment in the documentation infrastructure that regulatory accountability depends on.

What Your Program Needs to Do Differently

The 2026 DTEX report does not describe a new threat landscape. It describes a familiar one at a more advanced stage of complexity, where the tools available to employees have outpaced the governance frameworks designed to manage them, and where the compliance frameworks organizations operate under are beginning to demand accountability for data flows that most programs cannot currently document.

The programs that manage this environment effectively are not the ones with the most controls. They are the ones with the clearest visibility—into where data is going, who is accessing it, and which behaviors represent risk before they become incidents. That visibility is what makes containment faster and compliance documentation possible, and it determines whether an organization spends $14.2M or $21.9M annually on insider risk.

Three adjustments materially improve program effectiveness based on the DTEX findings. First, expand the definition of “insider” to include autonomous agents with credentials and data access. Second, prioritize visibility over blocking—when organizations block popular tools, employees shift to alternatives, creating flows that are harder to see rather than eliminating the underlying behavior. Third, close the AI governance integration gap. Organizations where AI governance lives outside the insider risk program are operating with a structural blind spot that grows larger as employee use of these tools increases.

The organizations that close these gaps in 2026 will not just face lower incident costs. They will be better positioned to demonstrate the kind of documented control over data flows that the evolving regulatory environment is moving toward requiring. The ones that do not will continue to discover their exposure in the most expensive way possible—one incident at a time.

Frequently Asked Questions

Organizations without a formal insider risk program absorb the full cost of every incident. The 2026 DTEX/Ponemon report found organizations with formal programs avoid roughly seven incidents and $8.2M in breach costs per year. Average annual insider risk cost reached $19.5M per organization in 2025—up from $17.4M the prior year. Containment is the largest cost driver at $247,587 per incident, and incidents contained in under 30 days cost $7.7M less annually than those that drag past 90 days.

Negligent insiders are the dominant cost driver across industries per the 2026 DTEX/Ponemon report, accounting for 53% of total insider risk cost at $10.3M annually. The average negligent incident costs $747,107, and there were 13.8 of them per organization in the reporting period. The primary negligent drivers are shadow apps, unmonitored file sharing, and personal webmail—not deliberate policy circumvention, but employees optimizing for speed in their daily workflows.

Shadow apps create direct HIPAA exposure for healthcare organizations because data transferred to unmanaged tools lacks the documented processing agreements, retention controls, and audit trails that HIPAA requires. The DTEX report identifies shadow apps as the top driver of negligent insider incidents, with employees routinely pasting internal documents—including patient-related materials—into public tools. Only 18% of organizations have fully integrated AI governance into insider risk programs, leaving most unable to document compliant data handling for these flows.

Autonomous agents with data access create SOX and GDPR accountability obligations that most current insider risk frameworks were not designed to address. The 2026 DTEX report identifies a structural governance gap: Only 19% of organizations classify agents as insider risk equivalents to human employees, yet 44% expect malicious agent use to significantly increase data theft risk. Agents bypass traditional logging, meaning the access records, processing documentation, and control evidence that compliance frameworks require may not exist.

Containment speed has a direct and measurable impact on total annual insider risk cost according to the DTEX/Ponemon report. Organizations containing incidents in under 30 days spend $14.2M annually on insider risk; those where containment exceeds 90 days spend $21.9M—a $7.7M annual difference. Organizations that increased insider risk budget share from 8.2% to 19% between 2023 and 2025 reduced average containment time from 86 days to 67 days, demonstrating that investment in program maturity directly improves containment speed.

Get started.

It’s easy to start ensuring regulatory compliance and effectively managing risk with Kiteworks. Join the thousands of organizations who are confident in how they exchange private data between people, machines, and systems. Get started today.
