OWASP LLM Top 10 for AI Applications
The OWASP GenAI security project gives teams a shared vocabulary for reviewing LLM application risk.
Use this lesson as a checklist before shipping any app that sends model output to users, tools, databases, or workflows.
The risk areas
| Risk area | What to look for |
|---|---|
| Prompt injection | user or document instructions override app rules |
| Insecure output handling | model output is executed or rendered unsafely |
| Training data poisoning | bad data changes model behavior |
| Model denial of service | huge prompts or loops create excessive cost |
| Supply chain vulnerabilities | unsafe models, datasets, packages, or plugins |
| Sensitive information disclosure | secrets or private data appear in prompts/logs/output |
| Insecure plugin/tool design | tools expose too much power |
| Excessive agency | model can take high-impact actions unsafely |
| Overreliance | humans trust wrong answers without verification |
| Model theft | model, prompts, or proprietary behavior are extracted |
Review questions
Ask these before launch:
- What data can the model see?
- What tools can it call?
- Which actions require human approval?
- What happens if the model is wrong?
- What logs contain user data or secrets?
- How do we detect prompt injection?
- Can output become HTML, SQL, shell, or code?
- Can a malicious document influence actions?
- What is the rollback plan?
Mitigation patterns
| Risk | Mitigation |
|---|---|
| Prompt injection | context separation, detection, least-privilege tools |
| Insecure output | encode output, validate schemas, avoid direct execution |
| Model DoS | token limits, rate limits, budgets, timeouts |
| Sensitive data | redaction, access control, retention limits |
| Excessive agency | scoped tools, confirmations, audit logs |
| Overreliance | citations, confidence messaging, human review |
Security is a lifecycle
LLM security is not one review. It changes when you:
- switch models
- change prompts
- add tools
- add retrieval sources
- expand user permissions
- expose outputs in new channels
Knowledge check
Q1: Why is "excessive agency" dangerous?
Because the model may be able to take real actions beyond what is safe or intended.
Q2: What should happen before a high-impact action?
The app should require explicit permission, validation, and audit logging.