AI Security · Reference

OWASP LLM Top 10

The 2026 Reference, With Real Mitigations

The OWASP Top 10 for LLM Applications is the consensus list of the most critical security risks in language-model software. This is the per-item reference: each of the ten with a real example of how it bites and the practical mitigation enterprises run in production — plus what changed in the 2025 revision. For the broader defense program around the list, see the LLM security guide.

30-SECOND EXECUTIVE TAKEAWAY

  • The list is the floor, not the program. Covering all ten is the baseline; making the controls run in production with named owners is the work.
  • Three entries drive real incidents. Prompt injection (LLM01), improper output handling (LLM05), and excessive agency (LLM06) are the priority trio — the rest are mostly consequences of these.
  • 2025 added the RAG risks. System prompt leakage and vector/embedding weaknesses joined the list as retrieval and agents moved into production.

What the list is, and how it evolved

The OWASP Top 10 for LLM Applications is maintained by the OWASP GenAI Security Project, built by a working group spanning vendors, researchers, and enterprise security teams. Like the original web Top 10, it is a consensus ranking by severity and observed prevalence, not a vendor’s opinion — which is why it has become the default rubric for assessing LLM features.

The list moves. The first edition (2023) named prompt injection, data leakage, and the early agentic risks. The 2025 revision reflected a year of real incidents and the shift to agents: it added System Prompt Leakage (LLM07) and Vector and Embedding Weaknesses (LLM08) to cover RAG-specific failures, broadened denial-of-service into Unbounded Consumption (LLM10) to include cost and model-wallet drain, and consolidated data and model poisoning. The full current list is below.

OWASP LLM TOP 10 (2025)

The ten, with a real example and the fix

Each entry pairs the threat with a concrete example of how it shows up and the mitigation enterprises actually apply. Coverage of all ten is the floor.

LLM01

Prompt Injection

Example: A Stanford student extracted Bing Chat’s full system prompt with "ignore previous instructions"; indirect injection via a poisoned web page or document is the production-scale version.

Mitigation: Architecture controls; treat all inputs as untrusted; input filtering; output validation. See the dedicated prompt injection guide.

LLM02

Sensitive Information Disclosure

Example: Crafted queries coax a model into revealing context-window contents, other users’ data in a shared session, or secrets embedded in the system prompt.

Mitigation: Minimize context; strip secrets from prompts; PII detection on the outbound path; per-tenant isolation.
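The outbound check named in the mitigation, as an added example that is not part of the original page: a filter that runs on the model's reply before it reaches the user, redacts PII in place and withholds the whole reply when an embedded secret shows up. The patterns are illustrative (the key shape `sk-demo-…` is a constructed placeholder, not any vendor's real format); a production filter would use a proper PII/secret detection library and tenant-specific rules.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Illustrative patterns for the outbound path. The API-key pattern is a constructed
# placeholder shape (prefix "sk-demo-" plus 20+ alphanumerics), not a real vendor format.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "api_key": re.compile(r"\bsk-demo-[A-Za-z0-9]{20,}\b"),
}


@dataclass
class ScreenResult:
    text: str                                   # what is allowed to leave the service
    findings: List[Tuple[str, str]] = field(default_factory=list)  # (kind, matched value)

    @property
    def blocked(self) -> bool:
        # A secret in the output means a secret reached the context window; the
        # reply is withheld rather than patched, and the finding should be alerted on.
        return any(kind == "api_key" for kind, _ in self.findings)


def screen_outbound(model_output: str) -> ScreenResult:
    """Run a model reply through the outbound filter.

    PII is redacted in place so the answer can still be delivered; an embedded
    API key blocks the whole reply. Findings are returned so the caller can log
    them per tenant and feed anomaly detection.
    """
    findings: List[Tuple[str, str]] = []
    text = model_output
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(model_output):
            findings.append((kind, match.group(0)))
        text = pattern.sub(f"[{kind.upper()} REDACTED]", text)
    result = ScreenResult(text=text, findings=findings)
    if result.blocked:
        result.text = "[response withheld: secret detected in model output]"
    return result


if __name__ == "__main__":
    # Constructed sample replies.
    print(screen_outbound("Contact jane.doe@example.com about SSN 123-45-6789."))
    print(screen_outbound("Use key sk-demo-ABCDEFGHIJKLMNOPQRSTUVWX to call the API."))
```

The filter sits on the response path of the gateway, so it applies to every feature behind it rather than being re-implemented per application; the findings list is the input to the per-tenant monitoring the mitigation calls for.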

LLM03

Supply Chain

Example: A fine-tuned model downloaded from a public hub ships a malicious pickle payload, or a base model carries an inherited backdoor.

Mitigation: Source models from trusted vendors; scan model files (ProtectAI, HiddenLayer); inventory and risk-tier every model.
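A minimal version of the opcode-level check that model-file scanners perform, added here as an example and not code from the page or from any of the named vendors: the pickle stream is walked with `pickletools.genops` without ever being loaded, every global the stream would import is collected, and anything outside an allowlist is reported. The allowlist contents are an assumption for illustration (what a plain PyTorch state_dict usually references); a real deployment maintains its own.

```python
import collections
import datetime
import pickle
import pickletools
from typing import List, Tuple

# Globals a legitimate checkpoint is expected to reference. The torch entries are
# what a plain PyTorch state_dict pickle typically contains; this allowlist is an
# assumption for the example, not a vendor-published list. Adjust for your format.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}


def list_globals(data: bytes) -> List[Tuple[str, str]]:
    """Walk the pickle opcode stream without executing it and collect every
    (module, name) pair the stream would import.

    GLOBAL and INST carry "module name" in their argument; STACK_GLOBAL
    (protocol 4+) takes the two most recently pushed strings instead.
    """
    found: List[Tuple[str, str]] = []
    strings: List[str] = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif opcode.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("malformed pickle: STACK_GLOBAL without module/name strings")
            found.append((strings[-2], strings[-1]))
    return found


def scan_pickle(data: bytes, allowed=ALLOWED_GLOBALS) -> List[Tuple[str, str]]:
    """Return the imports the pickle would perform that are not on the allowlist.

    An empty list means nothing unexpected was referenced. Anything else is a
    reason to refuse the file: a checkpoint has no business importing code.
    """
    return [g for g in list_globals(data) if g not in allowed]


if __name__ == "__main__":
    # Constructed samples: a state_dict-shaped OrderedDict (allowed) and a date
    # object, whose pickle references datetime.date (not on the allowlist).
    clean = pickle.dumps(collections.OrderedDict(weight=[0.1, 0.2]))
    unexpected = pickle.dumps(datetime.date(2024, 1, 1))
    print("clean:", scan_pickle(clean))
    print("unexpected:", scan_pickle(unexpected))
```

The point of the design is that the file is inspected, never deserialized: `pickle.load` on an untrusted checkpoint executes whatever the stream imports, whereas the opcode walk only reads it. Scanning belongs in the same pipeline step that records the model in the inventory, so every artifact that reaches a serving environment has both a scan result and an owner.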

LLM04

Data and Model Poisoning

Example: A RAG vector store ingests attacker-planted documents that bias retrieval, or fine-tuning data is contaminated to embed a backdoor trigger.

Mitigation: Provenance for every data source; monitor RAG ingestion; ability to roll back a contaminated index or training run.

LLM05

Improper Output Handling

Example: Model output is passed to eval() or spliced into a SQL query, or rendered as raw HTML, turning a hallucination or injection into code execution or XSS.

Mitigation: Treat model output as untrusted input. Validate against schemas. Never pass to exec/shell. Render as plain text by default.
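The three sinks from the example with the vulnerable form beside the hardened one, added here as an illustration rather than code from the page: model output parsed against a fixed schema instead of being evaluated, rendered with escaping instead of as raw HTML, and bound as a query parameter instead of being spliced into SQL. The ticket schema, the `orders` table and the function names are assumptions for the example.

```python
import html
import json
import sqlite3
from typing import Any, Dict, List, Tuple

ALLOWED_PRIORITIES = {"low", "normal", "high"}
TICKET_SCHEMA = {"title": str, "priority": str}   # the only keys the app accepts


def parse_ticket(model_output: str) -> Dict[str, str]:
    """Model output goes through schema validation, not eval().
    Unknown keys, wrong types and out-of-range values are rejected outright."""
    try:
        data = json.loads(model_output)
    except json.JSONDecodeError as exc:
        raise ValueError(f"model output is not valid JSON: {exc.msg}") from None
    if not isinstance(data, dict) or set(data) != set(TICKET_SCHEMA):
        raise ValueError("unexpected or missing keys in model output")
    for key, typ in TICKET_SCHEMA.items():
        if not isinstance(data[key], typ):
            raise ValueError(f"field {key!r} has the wrong type")
    if data["priority"] not in ALLOWED_PRIORITIES:
        raise ValueError("priority outside the allowed set")
    if not 0 < len(data["title"]) <= 120:
        raise ValueError("title length out of range")
    return data


def render_unsafe(model_output: str) -> str:
    # The LLM05 anti-pattern: model text dropped straight into markup, so any
    # <script> or event handler the model emitted runs in the user's browser.
    return f"<div class='answer'>{model_output}</div>"


def render_safe(model_output: str) -> str:
    # Plain text by default: every markup-significant character is escaped.
    return f"<div class='answer'>{html.escape(model_output)}</div>"


def lookup_order_unsafe(conn: sqlite3.Connection, order_id_from_model: str) -> List[Tuple[Any, ...]]:
    # Anti-pattern: a model-chosen value spliced into the query string.
    return conn.execute(f"SELECT id, item FROM orders WHERE id = {order_id_from_model}").fetchall()


def lookup_order_safe(conn: sqlite3.Connection, order_id_from_model: str) -> List[Tuple[Any, ...]]:
    # Validate the shape first, then bind as a parameter: the value can never change the query.
    if not order_id_from_model.isdigit():
        raise ValueError("order id must be numeric")
    return conn.execute("SELECT id, item FROM orders WHERE id = ?", (int(order_id_from_model),)).fetchall()


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, item TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", [(1, "laptop"), (2, "monitor")])
    return conn


def is_rejected(fn, *args) -> bool:
    """True if the hardened function refuses the input with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = demo_db()
    print(parse_ticket('{"title": "Reset password", "priority": "high"}'))
    print(render_safe("<script>alert(1)</script>"))
    print(lookup_order_safe(conn, "1"))
    print("unsafe lookup rows:", len(lookup_order_unsafe(conn, "1 OR 1=1")))
```

The schema check is deliberately strict about extra keys: a model that starts returning an `assignee` field it was never asked for is exactly the signal the validator exists to catch, and silently ignoring it would hide an injection that partly succeeded.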

LLM06

Excessive Agency

Example: An agent with email-send and file-delete tools is prompt-injected through a document it reads and chains those tools into an exfiltration.

Mitigation: Default-deny tools; allowlist per task; human-in-the-loop on irreversible actions; constrain each tool’s permissions.
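The mitigation as a small dispatcher, added here as an example and not code from the page or any agent framework: tools are registered with a flag for irreversible actions, each task gets its own allowlist, anything not on it is denied by default, and an irreversible tool is held until a human approver says yes. The task names, tool names and the approver callback signature are assumptions for the example; the tools themselves are fakes that only return strings.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Tool:
    name: str
    run: Callable[..., str]
    irreversible: bool = False   # sends, deletes, pays: requires a human decision


class ToolPolicy:
    """Default-deny tool dispatcher for an agent run.

    A tool executes only if it is on the allowlist for the current task; an
    irreversible tool additionally needs an approver's yes. Every decision is
    appended to an audit trail so denied and held calls are visible to the SOC.
    """

    def __init__(self) -> None:
        self.tools: Dict[str, Tool] = {}
        self.allowlists: Dict[str, Set[str]] = {}            # task -> permitted tool names
        self.audit: List[Tuple[str, str, str]] = []          # (task, tool, decision)

    def register(self, tool: Tool) -> None:
        self.tools[tool.name] = tool

    def allow(self, task: str, *tool_names: str) -> None:
        self.allowlists.setdefault(task, set()).update(tool_names)

    def dispatch(self, task: str, tool_name: str, args: Dict[str, Any],
                 approver: Optional[Callable[[str, Dict[str, Any]], bool]] = None) -> Dict[str, Any]:
        allowed = self.allowlists.get(task, set())
        if tool_name not in allowed or tool_name not in self.tools:
            self.audit.append((task, tool_name, "denied"))
            return {"status": "denied", "reason": f"{tool_name!r} is not allowlisted for task {task!r}"}
        tool = self.tools[tool_name]
        if tool.irreversible and (approver is None or not approver(tool_name, args)):
            self.audit.append((task, tool_name, "held"))
            return {"status": "held", "reason": "irreversible action awaits human approval"}
        result = tool.run(**args)
        self.audit.append((task, tool_name, "executed"))
        return {"status": "executed", "result": result}


def build_demo_policy() -> ToolPolicy:
    """Constructed setup: fake tools and two tasks with different allowlists."""
    policy = ToolPolicy()
    policy.register(Tool("read_file", lambda path: f"<contents of {path}>"))
    policy.register(Tool("send_email", lambda to, body: f"sent to {to}", irreversible=True))
    policy.register(Tool("delete_file", lambda path: f"deleted {path}", irreversible=True))
    policy.allow("summarize_document", "read_file")              # read-only task
    policy.allow("customer_reply", "read_file", "send_email")    # may send, with approval
    return policy


if __name__ == "__main__":
    policy = build_demo_policy()
    # A summarizer that reads an injected document and is told to mail it out:
    # send_email is not on the summarize_document allowlist, so the call is denied.
    print(policy.dispatch("summarize_document", "send_email", {"to": "x@example.com", "body": "..."}))
    print(policy.dispatch("customer_reply", "send_email", {"to": "c@example.com", "body": "hi"}))
    print(policy.dispatch("customer_reply", "send_email", {"to": "c@example.com", "body": "hi"},
                          approver=lambda name, args: True))
    print(policy.audit)
```

The allowlist is keyed on the task, not the agent: the same agent doing document summarization has no path to `send_email` at all, which is what limits the blast radius of an injection in a document it reads. A "held" decision is worth a detection rule on its own, since an agent repeatedly requesting irreversible tools it was never supposed to need is a strong signal of injection.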

LLM07

System Prompt Leakage

Example: A system prompt containing business logic, examples, or an API key is extracted and reused to bypass intended behavior.

Mitigation: Assume system prompts leak. Put no secrets in them. Use them for instruction, never as a security boundary.

LLM08

Vector and Embedding Weaknesses

Example: A multi-tenant RAG system leaks one tenant’s documents to another through an access-control gap in the vector store.

Mitigation: Per-tenant access control on vector stores; avoid embedding sensitive data without need; monitor anomalous query patterns.
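The per-tenant control on the retrieval path, added as an example that is not part of the page and does not model any particular vector database: a small in-memory store where the tenant filter is applied before ranking, beside the unscoped "global top-k" search that leaks the closest match regardless of owner. Vectors, tenant ids and document ids are constructed for the example.

```python
import math
from dataclasses import dataclass
from typing import List


@dataclass
class Chunk:
    tenant: str
    doc_id: str
    text: str
    vector: List[float]


def cosine(a: List[float], b: List[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


class TenantScopedStore:
    def __init__(self) -> None:
        self._chunks: List[Chunk] = []

    def add(self, chunk: Chunk) -> None:
        self._chunks.append(chunk)

    def search(self, tenant: str, query_vec: List[float], k: int = 3) -> List[Chunk]:
        """Tenant filter first, then rank within that tenant's own chunks.

        The tenant id comes from the authenticated session, never from the
        model or the prompt, so a crafted query cannot widen the scope.
        """
        candidates = [c for c in self._chunks if c.tenant == tenant]
        ranked = sorted(candidates, key=lambda c: cosine(c.vector, query_vec), reverse=True)
        return ranked[:k]

    def search_unscoped(self, query_vec: List[float], k: int = 3) -> List[Chunk]:
        """The gap from the example: global nearest neighbours with no owner check.
        Whatever is closest comes back, whoever it belongs to."""
        ranked = sorted(self._chunks, key=lambda c: cosine(c.vector, query_vec), reverse=True)
        return ranked[:k]


def build_demo_store() -> TenantScopedStore:
    """Constructed corpus: tenant-b holds the chunk closest to QUERY."""
    store = TenantScopedStore()
    store.add(Chunk("tenant-a", "a1", "tenant A pricing sheet", [1.0, 0.0]))
    store.add(Chunk("tenant-a", "a2", "tenant A holiday policy", [0.0, 1.0]))
    store.add(Chunk("tenant-b", "b1", "tenant B pricing sheet", [0.95, 0.05]))
    return store


QUERY = [0.96, 0.04]   # constructed query embedding, nearest to b1

if __name__ == "__main__":
    store = build_demo_store()
    print("scoped (tenant-a):", [c.doc_id for c in store.search("tenant-a", QUERY)])
    print("unscoped top-1:", [c.doc_id for c in store.search_unscoped(QUERY, k=1)])
```

Filtering before ranking matters for a second reason besides leakage: filtering a global top-k after the fact can return fewer than k results for a small tenant when a larger tenant's vectors crowd out the candidates, which tempts developers to widen k or drop the filter. The per-tenant query counts are also the natural place to hook the anomalous-pattern monitoring the mitigation mentions.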

LLM09

Misinformation

Example: A hallucinated legal citation or product spec is presented as fact and acted on downstream.

Mitigation: Cite sources; validate structured outputs against known data; set user expectations; human review on high-stakes outputs.

LLM10

Unbounded Consumption

Example: An attacker scripts expensive long-context calls to drain the model wallet, or floods the service to deny it to others.

Mitigation: Per-user and per-session rate limits; token-budget enforcement; anomaly detection on usage and spend.
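The three controls in the mitigation as one admission guard in front of the model call, added here as an example and not code from the page: a per-user token-bucket rate limit, a per-request token cap and a rolling daily token budget, checked before any tokens are spent. The limit values and the `admit` interface are assumptions for the example; the clock is injectable so the behaviour can be exercised without sleeping.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Limits:
    requests_per_minute: int
    tokens_per_request: int
    tokens_per_day: int


class ManualClock:
    """Deterministic clock so the guard can be exercised without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class UsageGuard:
    def __init__(self, limits: Limits, clock: Callable[[], float] = time.monotonic) -> None:
        self.limits = limits
        self.clock = clock
        self._buckets: Dict[str, Tuple[float, float]] = {}   # user -> (slots, last_refill)
        self._daily: Dict[str, Tuple[int, float]] = {}       # user -> (tokens_spent, window_start)

    def _take_request_slot(self, user: str) -> bool:
        """Token bucket: refills at requests_per_minute/60 per second, capped at a minute's worth."""
        now = self.clock()
        capacity = float(self.limits.requests_per_minute)
        slots, last = self._buckets.get(user, (capacity, now))
        slots = min(capacity, slots + (now - last) * capacity / 60.0)
        if slots < 1.0:
            self._buckets[user] = (slots, now)
            return False
        self._buckets[user] = (slots - 1.0, now)
        return True

    def admit(self, user: str, requested_tokens: int) -> Tuple[bool, str]:
        """Decide before the model is called.

        The per-request cap and the daily budget are checked before the rate
        limiter, so a user whose budget is exhausted does not burn request slots
        either. The daily window is a rolling 24h from first use, not a calendar day.
        """
        now = self.clock()
        if requested_tokens > self.limits.tokens_per_request:
            return False, "request exceeds per-request token cap"
        spent, start = self._daily.get(user, (0, now))
        if now - start >= 86_400:
            spent, start = 0, now
        if spent + requested_tokens > self.limits.tokens_per_day:
            return False, "daily token budget exhausted"
        if not self._take_request_slot(user):
            return False, "rate limit"
        self._daily[user] = (spent + requested_tokens, start)
        return True, "ok"


def run_demo() -> List[str]:
    """Constructed sequence of calls from one user against deliberately small limits."""
    clock = ManualClock()
    guard = UsageGuard(Limits(requests_per_minute=2, tokens_per_request=1000, tokens_per_day=2500), clock)
    decisions = []
    for tokens, wait in [(500, 0), (500, 0), (500, 0), (500, 60), (1500, 0), (1000, 0), (100, 0)]:
        clock.advance(wait)
        decisions.append(guard.admit("user-42", tokens)[1])
    return decisions


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

`requested_tokens` is the caller's estimate (prompt tokens plus the configured max output); the guard should be charged again with the actual usage once the response returns, and the per-user spend it accumulates is the series to run anomaly detection over.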

The priority trio

Treating all ten as equal is a common mistake. Three entries do most of the damage. Prompt injection (LLM01) is the root cause of nearly every disclosed incident. Improper output handling (LLM05) is what lets a compromised output reach a dangerous sink — a shell, a query, a browser. Excessive agency (LLM06) is the multiplier that turns a text problem into an action problem when the model holds tools. Secure those three first; several of the remaining entries are downstream consequences of them. For agents specifically, see the agentic AI security guide.

FOR YOUR ROLE

How to operationalize the list

For the technical CTO

Make all-ten coverage a required checklist item in the architecture review for every LLM feature. Assign an owner per risk and a quarterly re-assessment. Prioritize the trio that drives real incidents: LLM01, LLM05, LLM06.

For the business CAIO

Translate the Top 10 into a one-page board brief with examples from your own deployments, and tie it into the AI risk register. Fund the gateway and red-teaming layers before they become a board-level question.

For the CISO

Add each category to red-team and SOC playbooks, build LLM-specific SIEM detections, and write an incident runbook for LLM compromise covering context revocation and agent-session kill. Use the list as the assessment rubric, not a poster.

OWASP LLM Top 10: Frequently Asked Questions

What is the OWASP LLM Top 10?
The OWASP Top 10 for Large Language Model Applications is the consensus list of the most critical security risks in LLM-based software, maintained by the OWASP GenAI Security Project. It is built by a working group of vendors, researchers, and enterprise security teams, and updated as new attack patterns surface. The current (2025) list runs from prompt injection (LLM01) through unbounded consumption (LLM10). Most enterprise LLM security programs use it as the baseline engineering checklist.

What changed in the 2025 OWASP LLM Top 10?
The 2025 revision reflected a year of real incidents and the rise of agentic AI. The headline additions were System Prompt Leakage (LLM07) and Vector and Embedding Weaknesses (LLM08), recognizing RAG-specific risks. Unbounded Consumption (LLM10) broadened the older "denial of service" entry to include cost and model-wallet exhaustion. Data poisoning and model poisoning were consolidated, and Excessive Agency (LLM06) gained prominence as agents moved into production. The ordering reflects severity and observed prevalence.

Which OWASP LLM risk is the most important?
Prompt injection (LLM01), by a wide margin. Almost every disclosed real-world LLM incident traces to direct or indirect prompt injection at the root. The two that turn an injection into a real incident are Improper Output Handling (LLM05), which lets model output reach a dangerous sink, and Excessive Agency (LLM06), which gives the compromised model the tools to act. Treat those three as the priority trio.

Is the OWASP LLM Top 10 a compliance requirement?
It is not a law, but it functions as a de facto standard. Frameworks like ISO 42001 and the NIST AI Risk Management Framework expect a credible threat model for AI systems, and the OWASP LLM Top 10 is the most widely used way to demonstrate one for LLM applications. In practice, auditors and customers increasingly ask whether your LLM features are assessed against it. See the AI compliance guide for how it maps to the formal frameworks.

How do I use the OWASP LLM Top 10 in practice?
As a gate, not a poster. Make coverage of all ten a required item in the architecture review before any LLM feature ships, assign a named owner per risk, and re-assess quarterly because the list and your systems both change. Pair it with a structured red team that probes each category, and feed findings into the AI risk register. The list defines the surface; the program is what makes the controls actually run in production.

What is the difference between the OWASP LLM Top 10 and the original OWASP Top 10?
The original OWASP Top 10 covers web application vulnerabilities (injection, broken access control, and so on) and still applies to the conventional parts of an LLM system — the API, the auth, the database. The OWASP LLM Top 10 covers the model-specific bug classes the original was never designed for: prompt injection, training-data poisoning, excessive agency, and the rest. A complete program uses both lists, because an LLM application is a web application with a model bolted on.
Thomas Prommer Technology Executive — CTO/CIO/CTAIO