Short answer

The OWASP Top 10 for LLM applications is a community security framework for generative AI systems. It gives teams a shared list of the main risks to look for in LLM products, agents, tools, and connected workflows. If you only know one AI security topic today, it is usually prompt injection. The value of OWASP is that it shows prompt injection is only one part of the real operating surface.

The current official list on March 11, 2026 is the 2025 OWASP GenAI Top 10. It includes prompt injection, sensitive information disclosure, supply chain risk, data and model poisoning, improper output handling, excessive agency, system prompt leakage, vector and embedding weaknesses, misinformation, and unbounded consumption.

If you want the practical follow-up after this overview, read our guide to reducing prompt injection risk. If you want the basics first, read our prompt injection explainer. If you want the MCP-specific operational checklist, read our 2026 guide to MCP security best practices. This page is the framework view: what the full risk map looks like and how to use it.

What is the OWASP Top 10 for LLM applications?

OWASP's list is a prioritization framework for AI application security. It is not a law, not a certification, and not a complete security program. It is best understood as a high-signal map that helps builders, security teams, and operators ask better questions earlier.

That matters because AI systems fail in different ways than conventional software. Some failures live in the model, some in the prompts, some in the retrieval layer, some in connected tools, and some in the authority you give the system after it produces output. OWASP is useful because it puts those failure modes in one place.

The best way to use the list is to pair it with concrete engineering work. NIST's Generative AI Profile is useful for risk-management language, and MITRE ATLAS is useful for attack-path thinking. OWASP gives the list. Your engineering process still has to turn that list into controls and tests.

The OWASP Top 10 for LLM applications in plain English

This table is the fastest way to understand what each 2025 item means.

| OWASP item | Plain-English meaning | Why it matters |
|---|---|---|
| LLM01 Prompt Injection | Untrusted text is treated like instructions. | It can hijack workflows, leak data, or steer tool use. |
| LLM02 Sensitive Information Disclosure | The system exposes private, confidential, or regulated data. | It turns AI convenience into a data exposure problem. |
| LLM03 Supply Chain | Risk enters through third-party models, libraries, datasets, tools, or providers. | Trusted AI stacks often depend on components the team did not build. |
| LLM04 Data and Model Poisoning | Training or retrieval inputs are corrupted to alter behavior. | Poisoned inputs can create persistent errors or backdoor-like effects. |
| LLM05 Improper Output Handling | The system trusts model output too early. | Bad output can become code execution, XSS, SSRF, bad queries, or unsafe automation. |
| LLM06 Excessive Agency | The model has too much authority, permission, or tool power. | Even a small model error becomes expensive when the system can act widely. |
| LLM07 System Prompt Leakage | Internal instructions or hidden prompt content are revealed. | Leakage often exposes weak security assumptions or secrets placed where they should not be. |
| LLM08 Vector and Embedding Weaknesses | Weaknesses in embeddings, similarity search, or vector storage create security issues. | Retrieval systems can be manipulated, confused, or abused in ways teams miss. |
| LLM09 Misinformation | The model generates false or misleading content. | Bad output can harm decisions, operations, trust, or public communication. |
| LLM10 Unbounded Consumption | Attackers or bad design drive runaway cost or resource use. | Token spend, compute, and repeated querying can become an availability or cost problem. |

The four OWASP LLM risks most teams should prioritize first

Every system is different, but for many production teams the first four items to take seriously are LLM01, LLM02, LLM05, and LLM06. They sit closest to everyday workflows, connected tools, and the practical ways AI systems cause damage.

1. LLM01 Prompt injection

This is the category most readers already know, and for good reason. Prompt injection can arrive directly through a chat prompt or indirectly through webpages, files, tool output, search results, or retrieved text. It is the clearest example of instructions and data collapsing into each other.

If you are new to the topic, start with what prompt injection is, how indirect prompt injection works, and how prompt injection differs from jailbreaking.

2. LLM02 Sensitive information disclosure

Many AI failures matter because they expose something that should have stayed private: customer records, confidential notes, credentials, PII, or internal context. In practice this category often combines with other items. Prompt injection can cause the leak. Excessive agency can widen the blast radius. Weak output handling can repeat or store the disclosure.

This is why teams should not frame AI security only as "did the model say something strange?" The harder question is whether it said something private.
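One concrete way to ask "did it say something private?" is to put a disclosure gate between the model and whatever returns, logs, or stores its answer. The example below is added here to illustrate that idea; it is not code from the page or from any product it mentions. It assumes a small set of patterns (email, US SSN, a cloud access key id shape, and Luhn-checked payment card numbers), a policy that blocks the whole answer when a secret is present and redacts when only PII is present, and constructed sample outputs; real deployments would tune the pattern set to their own data.

```python
import re
from dataclasses import dataclass

# Narrow patterns, on purpose: each one is cheap to review when it fires.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # Long-lived cloud access key id shape (AKIA followed by 16 characters).
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# 13-19 digits with optional single spaces or dashes; only Luhn-valid runs count.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Kinds whose presence means the answer must not leave the system at all.
BLOCKING_KINDS = {"aws_access_key_id"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str


def find_disclosures(text: str):
    """Return every suspected disclosure in a model answer."""
    findings = []
    for kind, pattern in PATTERNS.items():
        findings.extend(Finding(kind, m.group()) for m in pattern.finditer(text))
    for m in CARD_CANDIDATE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(Finding("payment_card", m.group()))
    return findings


def redact(text: str) -> str:
    """Replace each finding with a labelled placeholder."""
    for kind, pattern in PATTERNS.items():
        text = pattern.sub(f"[REDACTED:{kind}]", text)

    def card_repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        return "[REDACTED:payment_card]" if luhn_ok(digits) else m.group()

    return CARD_CANDIDATE.sub(card_repl, text)


def gate(model_output: str):
    """Decide what may leave the model boundary: block on secrets, redact PII,
    pass clean text through. Returns (decision, text)."""
    findings = find_disclosures(model_output)
    if any(f.kind in BLOCKING_KINDS for f in findings):
        return "blocked", None
    if findings:
        return "redacted", redact(model_output)
    return "allowed", model_output


# Constructed model outputs for the demonstration; none of these values are real.
LEAKY_OUTPUT = ("Sure. The account contact is alice.example@example.com, the card on file is "
                "4111 1111 1111 1111, and the deploy key is AKIAEXAMPLE000000001.")
PII_ONLY_OUTPUT = "The reporter can be reached at bob@example.org."
CLEAN_OUTPUT = "The outage began at 09:14 and affected two regions."

if __name__ == "__main__":
    for sample in (LEAKY_OUTPUT, PII_ONLY_OUTPUT, CLEAN_OUTPUT):
        print(gate(sample))
```

The gate runs on the model's answer, not on the user's prompt, so it catches leaks regardless of whether they were caused by an injection, an over-broad retrieval, or plain model error; the same function is the natural place to emit a log event for review.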

3. LLM05 Improper output handling

This category is one of the most important and one of the most underrated. The model can generate text, code, commands, URLs, or parameters. The real security failure happens when the surrounding system treats that output as trusted too soon.

If output flows into a browser context, a query, a shell, a tool call, a downstream parser, or another agent step without validation, you have moved from "the model might be wrong" to "the system might execute the mistake."
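The example below shows what "not trusted too soon" looks like in code. It is an added illustration, not code from the page or from any product it names. It assumes a model that proposes tool calls as JSON, two hypothetical tools (`fetch_url` and `query_orders`), a constructed host allow-list, and an in-memory SQLite table; the unsafe query function is kept only to show the LLM05 anti-pattern next to the parameterized form and is never called.

```python
import json
import sqlite3
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"docs.example.com"}          # constructed allow-list
TOOL_SCHEMAS = {                               # hypothetical tools and their argument types
    "fetch_url": {"url": str},
    "query_orders": {"customer_id": int},
}


class RejectedOutput(ValueError):
    """Raised whenever model output fails to prove it is safe to act on."""


def parse_tool_call(model_text: str):
    """Model output is data until proven otherwise: require well-formed JSON,
    exactly the expected keys, a known tool, and correctly typed arguments."""
    try:
        call = json.loads(model_text)
    except json.JSONDecodeError as exc:
        raise RejectedOutput(f"not JSON: {exc}")
    if not isinstance(call, dict) or set(call) != {"tool", "args"}:
        raise RejectedOutput("unexpected shape")
    schema = TOOL_SCHEMAS.get(call["tool"])
    if schema is None:
        raise RejectedOutput(f"unknown tool {call['tool']!r}")
    args = call["args"]
    if not isinstance(args, dict) or set(args) != set(schema):
        raise RejectedOutput("unexpected argument set")
    for name, typ in schema.items():
        if type(args[name]) is not typ:  # type() not isinstance(): bool is an int subclass
            raise RejectedOutput(f"argument {name!r} must be {typ.__name__}")
    return call["tool"], args


def check_url(url: str) -> str:
    """Browser/fetch boundary: plain https to an allow-listed host only (SSRF guard)."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username or parts.password:
        raise RejectedOutput("only plain https URLs may be fetched")
    if parts.hostname not in ALLOWED_HOSTS:
        raise RejectedOutput(f"host {parts.hostname!r} is not allow-listed")
    return url


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, customer_id INTEGER, total REAL)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1, 42, 19.99), (2, 42, 5.0), (3, 7, 100.0)])
    return db


def query_orders_unsafe(db, customer_id):
    # LLM05 anti-pattern: model text spliced into the query, so the text shapes the SQL.
    return db.execute(
        f"SELECT id, total FROM orders WHERE customer_id = {customer_id}").fetchall()


def query_orders(db, customer_id: int):
    # Query boundary: the value is bound as a parameter, never interpreted as SQL.
    return db.execute(
        "SELECT id, total FROM orders WHERE customer_id = ?", (customer_id,)).fetchall()


def handle_model_output(db, model_text: str):
    """Validate, then dispatch. Every path to a side effect goes through a boundary check."""
    tool, args = parse_tool_call(model_text)
    if tool == "fetch_url":
        return "fetch", check_url(args["url"])
    return "rows", query_orders(db, args["customer_id"])


def is_rejected(db, model_text: str) -> bool:
    try:
        handle_model_output(db, model_text)
    except RejectedOutput:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(handle_model_output(db, '{"tool": "query_orders", "args": {"customer_id": 42}}'))
    print(is_rejected(db, 'Sure! Here is the call: {"tool": "fetch_url", "args": {}}'))
```

Note the four distinct rejection reasons: prose wrapped around the JSON, an unknown tool, a wrongly typed argument, and a URL outside the allow-list. Each corresponds to a different place where a system would otherwise have "executed the mistake."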

4. LLM06 Excessive agency

Excessive agency means the system can do too much with too little review. This is where connected AI products become operationally risky. A model that can browse, message, buy, update records, call tools, or expose context is much more dangerous than a model that can only answer text.

This is also why prompt injection and excessive agency amplify each other. The more authority an agent has, the more damaging a successful injection becomes.
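The following example shows the defender's side of that amplification: a per-task capability grant that limits which tools an agent may call, caps how many writes it may perform, and routes irreversible actions through an approver. It is added here as an illustration and is not code from the page or from any product it mentions. The tool catalogue, the support-desk scenario, and the list of proposed actions (constructed as what a hijacked planner might propose after reading an untrusted ticket) are all assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


class Impact(Enum):
    READ = "read"
    WRITE = "write"
    IRREVERSIBLE = "irreversible"


@dataclass(frozen=True)
class Tool:
    name: str
    impact: Impact


# Constructed tool catalogue for a hypothetical support-desk agent.
TOOLS: Dict[str, Tool] = {t.name: t for t in (
    Tool("search_docs", Impact.READ),
    Tool("read_ticket", Impact.READ),
    Tool("update_ticket", Impact.WRITE),
    Tool("send_email", Impact.IRREVERSIBLE),
    Tool("issue_refund", Impact.IRREVERSIBLE),
)}


@dataclass
class TaskGrant:
    """Authority is granted per task, not per agent: a triage run gets only
    what triage needs, for a bounded number of writes."""
    allowed_tools: FrozenSet[str]
    max_write_actions: int = 3
    approver: Optional[Callable[[str, dict], bool]] = None  # None: irreversible never allowed
    writes_used: int = 0


class ActionDenied(PermissionError):
    pass


def authorize(grant: TaskGrant, tool_name: str, args: dict) -> Tool:
    """Gate every proposed action before execution; the model never calls tools directly."""
    tool = TOOLS.get(tool_name)
    if tool is None or tool_name not in grant.allowed_tools:
        raise ActionDenied(f"{tool_name} is not granted for this task")
    if tool.impact is Impact.WRITE:
        if grant.writes_used >= grant.max_write_actions:
            raise ActionDenied("write budget for this task is exhausted")
        grant.writes_used += 1
    elif tool.impact is Impact.IRREVERSIBLE:
        if grant.approver is None or not grant.approver(tool_name, args):
            raise ActionDenied(f"{tool_name} requires an approval that was not given")
    return tool


def run_agent(grant: TaskGrant, proposed_actions: List[Tuple[str, dict]]):
    """Walk the planner's proposals through the gate and record the outcome of each."""
    log = []
    for tool_name, args in proposed_actions:
        try:
            authorize(grant, tool_name, args)
            log.append(("executed", tool_name))   # a real system would invoke the tool here
        except ActionDenied:
            log.append(("denied", tool_name))      # and would log the denial for review
    return log


# Constructed proposal list: the last two entries stand in for instructions an
# injected ticket might have planted; the gate, not the model, decides their fate.
PROPOSED_ACTIONS = [
    ("read_ticket", {"id": 17}),
    ("update_ticket", {"id": 17, "status": "triaged"}),
    ("issue_refund", {"ticket": 17, "amount": 500}),
    ("send_email", {"to": "external@example.net", "body": "ticket details"}),
]

TRIAGE_GRANT = TaskGrant(allowed_tools=frozenset({"search_docs", "read_ticket", "update_ticket"}))

if __name__ == "__main__":
    print(run_agent(TRIAGE_GRANT, PROPOSED_ACTIONS))
```

With the triage grant, the two injected actions are denied because the task never had refund or email authority; the injection succeeded at the model layer and failed at the authority layer, which is the whole point of pairing LLM01 controls with LLM06 controls.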

How to use the OWASP Top 10 in practice

The wrong way to use the list is to turn it into a checklist that says "we thought about all ten." The right way is to use it to drive design review, access-control decisions, red teaming, and testing.

  • Map each feature to the OWASP items it actually touches.
  • Prioritize the categories that can cause real harm in your workflow, not the ones that are easiest to talk about.
  • Ask where the model reads untrusted text, where it can reveal private data, where its output is trusted, and where it can act.
  • Use NIST-style risk language for governance and OWASP-style categories for engineering conversations.
  • Test high-risk flows with adversarial cases instead of treating a written policy as proof.

The simplest mental model is this: OWASP gives you the categories, NIST helps with program-level risk management, and red teaming shows whether your controls hold up under pressure.

Where Veridicus Scan fits

A post like this should not pretend one product solves the OWASP Top 10. It does not. But some categories do have obvious places for product controls. Veridicus Scan fits most naturally as a pre-ingestion and intake control for AI-bound content.

If your team feeds URLs, PDFs, DOCX files, extracted text, redirects, or parser-visible metadata into an LLM workflow, the first useful question is often whether that material should reach the model unchanged. That is where the product pages on coverage, URL scanning, report exports, and MCP automation fit into the OWASP picture.

In OWASP terms, that makes Veridicus Scan most relevant to LLM01 prompt injection, LLM05 improper output handling, parts of LLM06 excessive agency, and some retrieval-facing issues under LLM08 vector and embedding weaknesses. It is one control in the map, not the whole map.

What the OWASP Top 10 does not do

The list is useful because it creates a shared vocabulary. But it does not replace:

  • Threat modeling for your actual architecture
  • Least-privilege design for tools and agents
  • Input inspection and validation
  • Output validation and execution boundaries
  • Red teaming, logging, review, and incident response

The cleanest way to say it is that the OWASP Top 10 helps you see the terrain. It does not walk it for you.

FAQ

What is the OWASP Top 10 for LLM applications?

It is OWASP's community-driven list of the main security risks and mitigations for LLM and generative AI applications. As of March 11, 2026, the current official list is the 2025 OWASP GenAI Top 10.

Is the OWASP Top 10 for LLMs only about prompt injection?

No. Prompt injection is only one category. The list also covers sensitive information disclosure, supply chain risk, poisoning, improper output handling, excessive agency, system prompt leakage, vector and embedding weaknesses, misinformation, and unbounded consumption.

Which OWASP LLM risks matter first for most teams?

For many teams, the highest-priority items are prompt injection, sensitive information disclosure, improper output handling, and excessive agency. Those four touch everyday agent behavior, connected tools, and exposure of private data.

Does the OWASP Top 10 replace threat modeling or testing?

No. The OWASP Top 10 is a prioritization framework, not a full security program. Teams still need threat modeling, secure development, red teaming, access control design, and operational review.