
LLM Security

The OWASP LLM Top 10 Explained for Enterprise

LLM security, generative AI security, and GenAI security are three names for the same problem space and the same control set: protecting language-model applications against the attack patterns that don’t exist in traditional software. This guide walks through the full OWASP LLM Top 10 with mitigations, covers data poisoning and model supply-chain risk specifically, and gives the practical defense stack that turns the Top 10 from a checklist into an operational program.

30-SECOND EXECUTIVE TAKEAWAY

  • OWASP LLM Top 10 is the floor. Coverage of all ten is the baseline; exceeding it is what defines a real LLM security program.
  • Three risks dominate real incidents. Prompt injection, excessive agency, and improper output handling drive almost every disclosed LLM compromise.
  • Architecture is the strongest control. Constrained tool permissions, default-deny on actions, and treating model output as untrusted reduce blast radius more than any input filter ever will.

Why LLM security needs its own checklist

OWASP’s original Top 10 was built for web applications and the bug classes that show up in code. It still applies to the parts of an LLM system that look like a web app: the API in front of the model, the auth on the API, the database the application talks to. What it doesn’t cover is the model itself, which has bug classes the original Top 10 was never designed for.

That’s the gap the OWASP LLM Top 10 fills. The list is consensus-built across vendors, researchers, and enterprise security teams; the 2025 update reflected another year of real-world incidents and the rise of agentic AI. Most enterprises in 2026 use the LLM Top 10 as the engineering-side checklist alongside whatever they’re doing for traditional application security.

The full list is below with practical mitigations for each. Coverage of all ten is the floor. The real work is making the controls actually run on the systems you have in production, with a named owner, a quarterly review, and a feedback loop into the AI risk register.

OWASP LLM TOP 10 (2025)

The full list, with mitigations

Each entry includes the threat in plain language and the practical mitigation enterprises apply in production. The numbering reflects OWASP’s 2025 ordering by severity and prevalence.

LLM01

Prompt Injection

User-supplied or third-party content that overrides developer intent.

Mitigation: Architecture controls; input filtering; output validation. See the dedicated guide.

LLM02

Sensitive Information Disclosure

Models leak training data, system prompts, or context-window contents through crafted queries.

Mitigation: Limit context to what is needed; strip secrets from system prompts; output validation; PII detection on the outbound path.

LLM03

Supply Chain

Compromised foundation models, fine-tuned weights, or model files (pickle, safetensors). Vulnerabilities inherited from the model layer.

Mitigation: Source models from trusted vendors only; scan model files for malicious payloads (ProtectAI, HiddenLayer); maintain an inventory and risk-tier of every model.

LLM04

Data and Model Poisoning

Adversarial content in training, fine-tuning, or retrieval data that backdoors or biases the model.

Mitigation: Curate training and fine-tuning data; monitor RAG inputs; require provenance for any external data sources used in retrieval.

LLM05

Improper Output Handling

Downstream systems trust model output without validation. Code execution, SQL injection, XSS via LLM output.

Mitigation: Treat LLM output as untrusted user input. Validate against schemas. Never pass to eval, exec, or shell. Render as plain text by default.

LLM06

Excessive Agency

Agents with broad tool permissions take destructive or unauthorized actions when prompt-injected or hallucinating.

Mitigation: Default-deny tools. Allowlist per task. Human-in-the-loop on irreversible actions. Constrained permissions on each tool.

LLM07

System Prompt Leakage

System prompts containing logic, examples, or secrets exposed to attackers.

Mitigation: Assume system prompts will leak. Don’t put secrets in them. Use them for instruction, not for security boundary.

LLM08

Vector and Embedding Weaknesses

Embedding spaces leak information; access-control gaps in vector stores; embedding inversion attacks.

Mitigation: Apply per-tenant access control to vector stores. Avoid embedding sensitive data without need. Monitor for unusual query patterns.

LLM09

Misinformation

Hallucinated outputs presented as fact; downstream decisions made on incorrect information.

Mitigation: Cite sources where possible. Validate with structured outputs against a known dataset. Set user expectations.

LLM10

Unbounded Consumption

Resource exhaustion attacks: token-burning, denial-of-service, and denial-of-wallet (running up the inference bill).

Mitigation: Rate limits per user and per session. Token budget enforcement. Anomaly detection on usage patterns.
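The LLM05 and LLM06 mitigations above (schema-validate model output, never hand it to eval/exec/shell, default-deny tools with a per-task allowlist, human approval on irreversible actions) combine naturally into one policy gate between the model and the tool runtime. The following is an added example, not code from the original article; the task names, tool names and argument schema are assumptions for illustration.

```python
import json
import re

# Per-task tool allowlists (names are assumptions for this example, not a real product's API).
# Anything not listed for the current task is denied; irreversible tools need a human approval.
TOOL_POLICY = {
    "summarize_ticket": {"tools": {"read_ticket"}, "irreversible": set()},
    "triage_ticket": {"tools": {"read_ticket", "add_label"}, "irreversible": set()},
    "close_ticket": {"tools": {"read_ticket", "close_ticket"}, "irreversible": {"close_ticket"}},
}
# Strict argument schema: every argument the model supplies must fully match its pattern.
ARG_SCHEMA = {"ticket_id": r"[A-Z]{2,5}-\d{1,6}", "label": r"[a-z][a-z0-9-]{0,31}"}


class PolicyViolation(Exception):
    """Raised when model output fails parsing or schema validation."""


def parse_action(raw: str) -> dict:
    """Parse model output as data only. It is never passed to eval, exec or a shell."""
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise PolicyViolation("output is not valid JSON") from exc
    if not isinstance(obj, dict) or set(obj) != {"tool", "args"}:
        raise PolicyViolation("output must be an object with exactly 'tool' and 'args'")
    if not isinstance(obj["tool"], str) or not isinstance(obj["args"], dict):
        raise PolicyViolation("'tool' must be a string and 'args' an object")
    for key, value in obj["args"].items():
        pattern = ARG_SCHEMA.get(key)
        if pattern is None or not isinstance(value, str) or not re.fullmatch(pattern, value):
            raise PolicyViolation(f"argument {key!r} failed schema validation")
    return obj


def authorize(task: str, raw_model_output: str) -> dict:
    """Gate between the model and the tool runtime: allow, deny, or hold for a human."""
    try:
        action = parse_action(raw_model_output)
    except PolicyViolation as exc:
        return {"decision": "deny", "reason": str(exc)}
    policy = TOOL_POLICY.get(task)
    if policy is None or action["tool"] not in policy["tools"]:
        return {"decision": "deny", "reason": f"tool {action['tool']!r} not allowed for task {task!r}"}
    if action["tool"] in policy["irreversible"]:
        return {"decision": "needs_approval", "action": action}
    return {"decision": "allow", "action": action}
```

The gate's only outputs are three decisions; a "needs_approval" result is what the human-in-the-loop step consumes, and a "deny" is the log line the SOC detection rules should key on.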

Where data poisoning actually shows up

Data poisoning sounds dramatic and rarely is, in the form most enterprises expect. The 2024 OWASP update folded model poisoning into the same category to reflect that the operational risk for most enterprises lives in three pragmatic places: fine-tuning data quality (when the organization fine-tunes on data it didn’t fully curate), retrieval data quality (RAG systems that ingest untrusted documents from email, third-party portals, or external collaborators), and feedback-loop data (RLHF or thumbs-up/down signals that an attacker can manipulate at scale).

The general defense pattern is the same across all three: provenance for every data source, monitoring for unusual content patterns in ingested data, and the ability to roll back a contaminated training run or a poisoned retrieval index. In 2026 most enterprises don’t have those controls in place, which is why this category sits on the OWASP list and is likely to climb the ranking as more incidents surface.
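The three retrieval-side controls just named (provenance per source, content monitoring at ingest, rollback of a poisoned index) can be sketched as one small ingestion pipeline. This is an added example, not code from the original article: the source names, the marker strings, and the in-memory index are assumptions standing in for a real vector store and its snapshot mechanism.

```python
import hashlib
from dataclasses import dataclass, field

# Provenance tiers for retrieval sources (source names are assumptions for this example).
TRUSTED_SOURCES = {"internal-wiki", "hr-policy-share"}
REVIEW_SOURCES = {"partner-portal", "inbound-email"}
# Constructed markers of instruction-like text that has no place in a knowledge document.
SUSPICIOUS_MARKERS = ("ignore previous instructions", "you are now", "system prompt")

@dataclass
class RetrievalIndex:
    docs: dict = field(default_factory=dict)        # sha256 of text -> (source, text)
    quarantine: list = field(default_factory=list)  # (digest, source, reason)
    snapshots: list = field(default_factory=list)   # index copies taken before each batch

    def snapshot(self) -> int:
        self.snapshots.append(dict(self.docs))
        return len(self.snapshots) - 1

    def rollback(self, snapshot_id: int) -> None:
        self.docs = dict(self.snapshots[snapshot_id])

    def ingest(self, source: str, text: str) -> str:
        """Returns 'indexed', 'quarantined' or 'rejected'; every kept record carries its provenance."""
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        if source not in TRUSTED_SOURCES | REVIEW_SOURCES:
            return "rejected"  # unknown provenance never reaches the index
        hit = next((m for m in SUSPICIOUS_MARKERS if m in text.lower()), None)
        if hit is not None or source in REVIEW_SOURCES:
            reason = f"marker: {hit}" if hit else "untrusted source, needs review"
            self.quarantine.append((digest, source, reason))
            return "quarantined"
        self.docs[digest] = (source, text)
        return "indexed"

def ingest_batch(index: RetrievalIndex, batch: list) -> dict:
    """Ingest (source, text) pairs behind a snapshot; revert if a trusted feed was flagged."""
    snap = index.snapshot()
    before = len(index.quarantine)
    results = {"indexed": 0, "quarantined": 0, "rejected": 0, "rolled_back": False}
    for source, text in batch:
        results[index.ingest(source, text)] += 1
    # A trusted feed emitting instruction-like text is the poisoning signal described above:
    # treat the whole batch as suspect and restore the pre-batch index.
    if any(src in TRUSTED_SOURCES for _, src, _ in index.quarantine[before:]):
        index.rollback(snap)
        results["rolled_back"] = True
    return results
```

The quarantine list is the monitoring output: a trusted source that starts landing there is the signal to investigate the upstream feed, not just the one document.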

FOR YOUR ROLE

What to do this quarter

For the technical CTO

Adopt the OWASP LLM Top 10 as the engineering checklist for every LLM-facing application. Run an inventory of which apps cover which risks. Require an architecture review before any new LLM feature ships, with the Top 10 on the checklist. Default-deny agent permissions across the board.

For the business CAIO

Translate the Top 10 into a one-page brief for the executive committee, with specific examples from your organization’s LLM deployments. Tie LLM security findings into the broader AI risk register. Fund the LLM gateway and red teaming layers of the security stack before they’re a board-level question. See the AI risk management guide.

For the CISO

Add OWASP LLM Top 10 patterns to red team and SOC playbooks. Build LLM-specific detection rules in the SIEM. Establish an incident response runbook for LLM compromise that covers context revocation, agent session kill, and forensic preservation.

LLM Security: Frequently Asked Questions

What is LLM security?
LLM security is the discipline of protecting applications built on large language models against attack patterns specific to LLMs: prompt injection, jailbreaks, sensitive information disclosure, insecure output handling, training data poisoning, model theft, and the unsafe use of LLM-generated content downstream. It overlaps heavily with generative AI security and GenAI security; in practice the three terms describe the same problem space and the same control set.
What is the OWASP LLM Top 10?
The OWASP LLM Top 10 is the consensus list of the most critical security risks for LLM applications, maintained by OWASP and updated as new attack patterns surface. The 2025 version led with prompt injection (LLM01), sensitive information disclosure (LLM02), supply chain (LLM03), data and model poisoning (LLM04), improper output handling (LLM05), excessive agency (LLM06), system prompt leakage (LLM07), vector and embedding weaknesses (LLM08), misinformation (LLM09), and unbounded consumption (LLM10). Most enterprise LLM security programs use it as the baseline checklist.
What is data poisoning in the context of LLMs?
Data poisoning is the introduction of adversarial content into training data, fine-tuning data, or retrieval data with the goal of degrading model behavior, embedding backdoors, or biasing outputs. The 2024 LLM update folded model poisoning into the same category. Real risk depends on data lineage: an LLM trained only on curated data has minimal poisoning risk; an LLM fine-tuned on web-scraped or user-contributed data has meaningful risk; a RAG system whose vector store accepts untrusted documents has the highest practical risk.
What is excessive agency, and why is it on the OWASP list?
Excessive agency means giving an LLM-based agent more capability than it needs to do its job. The risks compound: the more tools an agent can call, the more permissions each tool has, and the wider the autonomy of the agent, the larger the blast radius when (not if) the agent gets prompt-injected, hallucinates a destructive action, or chains together actions that no one anticipated. The OWASP guidance is to default-deny tool permissions and require human-in-the-loop on sensitive actions. See our agentic AI security guide.
How is generative AI security different from LLM security?
Mostly the same problem with different framings. "Generative AI security" is the broader term that includes image, video, and audio generation models alongside LLMs. "LLM security" is the subset focused specifically on text-based language models. In enterprise practice, the controls overlap by 80–90% because most generative AI deployments are LLM-based. Use whichever term fits the audience.
Which OWASP LLM Top 10 risk is most exploited in production?
Prompt injection (LLM01), and it isn’t close. Almost every disclosed real-world LLM incident traces back to direct or indirect prompt injection at the root. Sensitive information disclosure (LLM02) and improper output handling (LLM05) are common downstream consequences. Excessive agency (LLM06) is the multiplier that turns an injection into a real-world incident with action consequences. See our prompt injection guide for the full breakdown.
What’s the practical mitigation stack for LLM security?
Five layers in priority order. Architecture (treat all model inputs as untrusted; constrain agent permissions; never send raw model output to a code interpreter). Input filtering (sanitize retrieved content; classify inputs before sending). Model and prompt design (instruction-hierarchy models; structured outputs; spotlighting). Output validation (schema and allowlist validation; human approval on irreversible actions). Detection and response (logging, anomaly detection, an actual incident response runbook for LLM compromise).
Thomas Prommer, Technology Executive — CTO/CIO/CTAIO

