Kernel of Truth

A practical security summary for cyber security professionals securing Large Language Model and Generative AI applications.

The OWASP Top 10 for LLM Applications 2025 highlights the most important risks affecting systems that use Large Language Models, Retrieval-Augmented Generation, AI agents, plugins, tools, vector databases and generative AI workflows.

The OWASP Top 10 at a Glance

LLM01
Prompt Injection

Malicious or hidden prompts alter model behaviour.

LLM02
Sensitive Information Disclosure

PII, secrets or business data leaks through outputs.

LLM03
Supply Chain

Risk from models, datasets, packages and suppliers.

LLM04
Data and Model Poisoning

Manipulated training, fine-tuning or embedding data.

LLM05
Improper Output Handling

Unsafe model output reaches downstream systems.

LLM06
Excessive Agency

Agents have too much functionality or permission.

LLM07
System Prompt Leakage

Internal prompts reveal rules, secrets or weak design.

LLM08
Vector and Embedding Weaknesses

RAG and vector database access-control risks.

LLM09
Misinformation

Hallucinated or misleading outputs are trusted.

LLM10
Unbounded Consumption

Denial of service, denial of wallet and model abuse.

LLM Application Attack Surface

```
User Prompts  ->  Application (Auth • Policy • UI)  ->  LLM Model / Agent  ->  Tools / APIs  ->  RAG / Vector Database
```

Security view: prompt injection, sensitive data exposure, excessive agency, unsafe output handling and RAG leakage all occur around the boundaries between users, applications, models, tools, APIs and data stores.

Quick Reference Table

| OWASP ID | Risk | Primary Control Focus |
|---|---|---|
| LLM01 | Prompt Injection | Input separation, prompt hardening, output validation, least privilege |
| LLM02 | Sensitive Information Disclosure | Data classification, redaction, access control, output monitoring |
| LLM03 | Supply Chain | Model provenance, dependency scanning, SBOM, supplier review |
| LLM04 | Data and Model Poisoning | Data provenance, dataset validation, model behaviour monitoring |
| LLM05 | Improper Output Handling | Output encoding, validation, sandboxing, secure coding |
| LLM06 | Excessive Agency | Least privilege, tool restrictions, human approval, monitoring |
| LLM07 | System Prompt Leakage | Do not store secrets in prompts; enforce controls outside the model |
| LLM08 | Vector and Embedding Weaknesses | Permission-aware retrieval, tenant isolation, document classification |
| LLM09 | Misinformation | Source grounding, verification, citations, human review |
| LLM10 | Unbounded Consumption | Rate limits, quotas, cost monitoring, timeouts, abuse detection |

LLM01:2025 – Prompt Injection

Prompt injection occurs when user input, external content or hidden instructions manipulate the behaviour of the LLM in unintended ways. This may be direct, such as a user entering malicious instructions, or indirect, such as the model processing poisoned web pages, documents, emails or images.

Security impact: data disclosure, policy bypass, incorrect decisions, unauthorised tool use, harmful content generation or command execution in connected systems.

  • Treat all prompts and retrieved content as untrusted input.
  • Separate user instructions from external content.
  • Apply least privilege to tools, plugins and APIs.
  • Use output validation and human approval for high-risk actions.
  • Test direct, indirect, obfuscated and multimodal prompt injection scenarios.

LLM02:2025 – Sensitive Information Disclosure

This risk occurs when an LLM application exposes personal data, credentials, confidential business information, legal material, proprietary algorithms or other sensitive content.

  • Prevent sensitive data entering prompts, logs, training or fine-tuning pipelines unless explicitly approved.
  • Use data classification, redaction and tokenisation where appropriate.
  • Apply strict access controls to source data and RAG repositories.
  • Provide clear user guidance on what must not be entered into AI tools.
  • Monitor outputs for secrets, PII and confidential information.

LLM03:2025 – Supply Chain

LLM supply chain risk includes compromised models, poisoned datasets, vulnerable dependencies, unsafe LoRA adapters, unclear licensing, weak model provenance and third-party AI service risks.

  • Use trusted model sources and verify integrity with hashes or signatures where possible.
  • Maintain an inventory of models, datasets, packages, APIs and AI services.
  • Review licences, terms of service and data usage policies.
  • Scan dependencies and patch vulnerable components.
  • Perform AI red teaming before adopting third-party models or AI platforms.

LLM04:2025 – Data and Model Poisoning

Data and model poisoning occurs when training data, fine-tuning data, embeddings or model artefacts are manipulated to introduce bias, backdoors, harmful behaviours or incorrect outputs.

  • Track data provenance and maintain version control for datasets.
  • Validate and review data sources before training, fine-tuning or indexing.
  • Monitor model behaviour for unexpected changes.
  • Use trusted sources for RAG and embedding pipelines.
  • Include poisoning scenarios in AI red team testing.

LLM05:2025 – Improper Output Handling

Improper output handling happens when LLM-generated content is passed to downstream systems without proper validation, sanitisation or encoding.

  • Treat LLM output as untrusted user-controlled input.
  • Use context-aware output encoding for HTML, JavaScript, SQL, shell and file paths.
  • Use parameterised queries for database operations.
  • Do not execute generated code without review and sandboxing.
  • Log and monitor unusual or policy-violating outputs.
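The output-handling controls above, as an added example that is not part of the original summary or of OWASP's material: the same model output is first concatenated into SQL (the 'before' case) and then bound as a parameter, HTML-escaped, and checked against an action allowlist. The table, the model outputs and the allowlist are constructed for the illustration.

```python
import html
import json
import sqlite3

# Constructed samples of model output that prompt injection may have steered.
LLM_OUTPUT_NAME = "alice' OR '1'='1"
LLM_OUTPUT_HTML = "<img src=x onerror=alert(1)>"
LLM_OUTPUT_JSON = '{"action": "refund", "amount": 25, "order_id": "A-17"}'

def _db():
    # Constructed in-memory table standing in for the downstream database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers(name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn

def lookup_vulnerable(name: str) -> list:
    # 'Before': model text is concatenated into SQL, so injected SQL executes.
    conn = _db()
    return conn.execute(
        f"SELECT email FROM customers WHERE name = '{name}'").fetchall()

def lookup_hardened(name: str) -> list:
    # 'After': parameterised query; the model text is only ever a bound value.
    conn = _db()
    return conn.execute(
        "SELECT email FROM customers WHERE name = ?", (name,)).fetchall()

def render_hardened(text: str) -> str:
    # Context-aware encoding before the answer is placed in an HTML page.
    return f"<p>{html.escape(text, quote=True)}</p>"

# Allowlist of actions the application will perform, with the fields each may carry.
ALLOWED_ACTIONS = {"refund": {"amount", "order_id"}, "lookup": {"order_id"}}

def validate_action(raw: str) -> dict:
    # Structured output is parsed and checked against the allowlist, never trusted.
    data = json.loads(raw)
    action = data.get("action")
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"disallowed action: {action!r}")
    extra = set(data) - ALLOWED_ACTIONS[action] - {"action"}
    if extra:
        raise ValueError(f"unexpected fields: {sorted(extra)}")
    if action == "refund" and not (0 < data["amount"] <= 100):
        raise ValueError("refund amount outside policy")
    return data
```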

LLM06:2025 – Excessive Agency

Excessive agency occurs when an LLM or AI agent is given too much functionality, too many permissions or too much autonomy to act without suitable controls.

  • Minimise the tools and functions available to the model.
  • Use least-privilege service accounts and user-context authorisation.
  • Avoid open-ended tools such as unrestricted shell, browser or URL-fetching functions.
  • Require human approval for destructive, financial or externally visible actions.
  • Monitor tool usage, rate-limit actions and alert on abnormal behaviour.

LLM07:2025 – System Prompt Leakage

System prompt leakage is the exposure of internal prompts and instructions used to guide model behaviour. The real issue is not simply that the prompt is visible, but that organisations may place secrets, permissions, business logic or weak security controls inside it.

  • Never put secrets, keys, tokens or credentials in system prompts.
  • Do not rely on prompts to enforce authorisation.
  • Move security decisions into deterministic application code.
  • Use guardrails and policy enforcement outside the LLM.
  • Assume attackers can infer or extract some prompt behaviour through testing.
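One way to put the LLM06 and LLM07 advice into deterministic code, as an added example that is not from the original summary or OWASP: a tool-call gate that allowlists tools, authorises in the calling user's context and parks destructive actions for human approval, so none of these decisions rest on what the system prompt says. The tool registry, permission names and caller are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Constructed tool registry: each tool declares the permission it needs and
# whether a human must approve the call (destructive or externally visible).
TOOLS = {
    "search_orders": {"permission": "orders:read", "needs_approval": False},
    "issue_refund": {"permission": "orders:refund", "needs_approval": True},
    "delete_customer": {"permission": "customers:delete", "needs_approval": True},
}

@dataclass
class Caller:
    user_id: str
    permissions: set = field(default_factory=set)

class ToolPolicyError(Exception):
    pass

def gate_tool_call(caller: Caller, tool: str, args: dict, approved: bool = False) -> dict:
    """Decide in application code whether a model-requested tool call may run.
    The verdict never depends on instructions in the system prompt."""
    spec = TOOLS.get(tool)
    if spec is None:
        # Unknown tool names, including ones the model invented, are refused.
        raise ToolPolicyError(f"tool not allowlisted: {tool}")
    if spec["permission"] not in caller.permissions:
        # Authorisation runs in the calling user's context, not a shared service account.
        raise ToolPolicyError(f"{caller.user_id} lacks {spec['permission']}")
    if spec["needs_approval"] and not approved:
        # High-impact actions are held until a human approves them.
        return {"status": "pending_approval", "tool": tool, "args": args}
    return {"status": "allowed", "tool": tool, "args": args}

def plan_calls(caller: Caller, requested: list) -> list:
    """Evaluate a list of model-requested calls, recording a verdict per call
    so denied calls can be logged and alerted on."""
    verdicts = []
    for req in requested:
        try:
            verdicts.append(gate_tool_call(caller, req["tool"], req.get("args", {}),
                                           req.get("approved", False)))
        except ToolPolicyError as e:
            verdicts.append({"status": "denied", "tool": req["tool"], "reason": str(e)})
    return verdicts
```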

LLM08:2025 – Vector and Embedding Weaknesses

Vector and embedding weaknesses affect systems using Retrieval-Augmented Generation, vector databases and embedding-based retrieval. Risks include data leakage, cross-tenant retrieval, poisoned knowledge sources and embedding inversion.

  • Use permission-aware retrieval and enforce document-level access control.
  • Separate tenants, departments and sensitivity levels in vector stores.
  • Validate and classify content before indexing.
  • Monitor retrieval activity and log source documents used in answers.
  • Test for cross-context leakage and poisoned document injection.
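Permission-aware retrieval with tenant isolation, as an added example that is not from the original summary or OWASP: chunks are filtered by tenant and group membership before ranking, so a caller can never be handed a chunk they are not entitled to and top-k is not silently emptied by post-filtering; the sources used are logged for later investigation. The corpus and the bag-of-words "embedding" are constructed stand-ins for a real vector store and embedding model.

```python
import math
import re
from collections import Counter

# Constructed corpus: each chunk carries its tenant and the groups allowed to read it.
CHUNKS = [
    {"id": "d1", "tenant": "acme", "groups": {"all"},
     "text": "Expense claims are paid within 30 days."},
    {"id": "d2", "tenant": "acme", "groups": {"finance"},
     "text": "Q3 revenue target revised down by 12 percent."},
    {"id": "d3", "tenant": "globex", "groups": {"all"},
     "text": "Revenue forecast and expense policy for Globex."},
]

# Retrieval audit trail: which sources fed each answer, and for whom.
audit_log: list = []

def embed(text: str) -> Counter:
    # Toy bag-of-words vector standing in for a real embedding model.
    return Counter(re.findall(r"[a-z]+", text.lower()))

def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[w] * b[w] for w in a)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def retrieve(query: str, tenant: str, groups: set, k: int = 2) -> list:
    """Pre-filter by tenant and group, then rank the survivors by similarity."""
    candidates = [c for c in CHUNKS
                  if c["tenant"] == tenant and c["groups"] & (groups | {"all"})]
    q = embed(query)
    ranked = sorted(candidates, key=lambda c: cosine(q, embed(c["text"])), reverse=True)
    hits = ranked[:k]
    audit_log.append({"tenant": tenant, "groups": sorted(groups),
                      "sources": [h["id"] for h in hits]})
    return hits
```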

LLM09:2025 – Misinformation

Misinformation occurs when an LLM produces false, misleading or unsupported information that appears credible. This includes hallucinated facts, invented references, unsafe code suggestions or incorrect business guidance.

  • Use RAG with trusted sources for factual answers.
  • Require citations or source references for important claims.
  • Use human review for high-impact decisions.
  • Clearly label AI-generated content and communicate limitations.
  • Validate generated code, packages and commands before use.

LLM10:2025 – Unbounded Consumption

Unbounded consumption occurs when an LLM application allows excessive, uncontrolled or expensive use of inference resources. This can lead to denial of service, denial of wallet, service degradation or model extraction.

  • Apply rate limits, quotas and request size limits.
  • Set timeouts and throttling for expensive operations.
  • Monitor token usage, cost anomalies and repeated failure patterns.
  • Limit queued actions and design graceful degradation.
  • Protect model APIs against extraction and abuse.
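The consumption limits above as a pre-inference check, added here as an example that is not from the original summary or OWASP: a request size limit, a per-caller sliding-window rate limit and a daily token budget that projects the cost of a call before the model is invoked, with actual provider usage recorded afterwards. The limit values and the 4-characters-per-token estimate are constructed placeholders; real values come from cost modelling for the service.

```python
import time
from collections import defaultdict

# Constructed policy values standing in for limits derived from cost modelling.
MAX_PROMPT_CHARS = 4_000        # request size limit
REQUESTS_PER_MINUTE = 10        # rate limit per caller
DAILY_TOKEN_BUDGET = 50_000     # quota per caller (denial-of-wallet ceiling)

class Quota:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                   # injectable for deterministic testing
        self.window = defaultdict(list)      # caller -> request timestamps in last 60s
        self.tokens_used = defaultdict(int)  # caller -> tokens consumed today

    def estimate_tokens(self, prompt: str) -> int:
        # Rough pre-call estimate (assumed ~4 chars/token) to reject oversized work early.
        return len(prompt) // 4 + 1

    def check(self, caller: str, prompt: str, max_output_tokens: int) -> dict:
        """Return {'allowed': bool, 'reason': str}; run before any model inference."""
        if len(prompt) > MAX_PROMPT_CHARS:
            return {"allowed": False, "reason": "prompt exceeds size limit"}
        now = self.clock()
        recent = [t for t in self.window[caller] if now - t < 60]
        self.window[caller] = recent
        if len(recent) >= REQUESTS_PER_MINUTE:
            return {"allowed": False, "reason": "rate limit exceeded"}
        # Project the worst-case cost of this call against the remaining budget.
        projected = self.tokens_used[caller] + self.estimate_tokens(prompt) + max_output_tokens
        if projected > DAILY_TOKEN_BUDGET:
            return {"allowed": False, "reason": "daily token budget exceeded"}
        recent.append(now)
        return {"allowed": True, "reason": "ok"}

    def record(self, caller: str, prompt_tokens: int, output_tokens: int) -> int:
        # Called after inference with the provider's actual usage figures.
        self.tokens_used[caller] += prompt_tokens + output_tokens
        return self.tokens_used[caller]
```

The same per-caller counters are the natural feed for the cost-anomaly and repeated-failure monitoring the bullets call for.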

Risk Heat View

High Impact / High Priority

  • Prompt Injection
  • Sensitive Information Disclosure
  • Excessive Agency
  • Improper Output Handling

Supply Chain and Integrity

  • Supply Chain
  • Data and Model Poisoning
  • Vector and Embedding Weaknesses

Operational and Governance Risk

  • System Prompt Leakage
  • Misinformation
  • Unbounded Consumption

What Security Teams Should Focus On

  • Threat model AI workflows: map prompts, data sources, vector stores, tools, plugins, APIs and downstream systems.
  • Treat the LLM as untrusted: validate input, validate output and enforce security controls outside the model.
  • Control data access: apply least privilege to documents, embeddings, APIs and connected tools.
  • Secure the AI supply chain: inventory models, datasets, dependencies, licences and third-party services.
  • Monitor behaviour: log prompts, outputs, retrieval sources, tool calls, token usage and anomalous activity.
  • Red team the system: test prompt injection, indirect injection, data leakage, agent abuse and RAG poisoning.

Practical Security Controls

| Control Area | Recommended Action |
|---|---|
| Identity | Use least privilege, user-context authorisation and strong access control for connected tools. |
| Data Protection | Classify, redact and restrict sensitive data before it enters prompts, RAG stores or training pipelines. |
| Application Security | Validate and encode LLM output before passing it to browsers, databases, shells or APIs. |
| Cloud Security | Monitor cost, usage, API keys, model endpoints and service permissions. |
| Detection Engineering | Create detections for abnormal token usage, prompt injection patterns, suspicious retrieval and unusual tool calls. |
| Governance | Maintain an AI inventory covering models, datasets, owners, risks, suppliers and approved use cases. |
| Incident Response | Prepare playbooks for prompt injection, data leakage, model abuse, AI service compromise and supply chain issues. |

Key Takeaways

  • LLM security is broader than prompt engineering.
  • Prompt instructions are not reliable security controls.
  • RAG and vector databases introduce new access-control and data-leakage risks.
  • Agentic AI increases impact because the model can take action, not just generate text.
  • Security teams should treat LLM applications as integrated, high-risk systems.

Source and licence: Adapted from the OWASP Top 10 for LLM Applications 2025 by the OWASP GenAI Security Project. The original material is licensed under Creative Commons Attribution-ShareAlike 4.0.
AI & LLM Security Acronyms

This glossary explains the most common acronyms used in Generative AI, Large Language Models (LLMs), and AI security. It is intended as a quick reference for cybersecurity professionals, engineers and architects.

| Acronym | Meaning | Explanation |
|---|---|---|
| AGI | Artificial General Intelligence | A theoretical form of AI capable of performing intellectual tasks at or above human level across many different domains. |
| AI | Artificial Intelligence | The broad field of creating computer systems capable of performing tasks that normally require human intelligence. |
| API | Application Programming Interface | A mechanism that allows software applications to communicate with each other. Most LLMs are accessed through APIs. |
| AUP | Acceptable Use Policy | A policy defining how users are permitted to interact with an AI service and what activities are prohibited. |
| CoT | Chain of Thought | A reasoning technique where an LLM breaks complex problems into intermediate reasoning steps before producing an answer. |
| DLP | Data Loss Prevention | Technologies and policies designed to prevent sensitive information being disclosed to unauthorised users or AI systems. |
| DoW | Denial of Wallet | An attack that forces excessive LLM processing, significantly increasing cloud or API costs. |
| GenAI | Generative Artificial Intelligence | AI systems capable of generating new text, images, audio, code and other content. |
| GPU | Graphics Processing Unit | Specialised hardware used to train and run AI models much faster than traditional CPUs. |
| HITL | Human in the Loop | A security and governance practice requiring human approval before AI performs sensitive or high-risk actions. |
| IAM | Identity and Access Management | Controls that determine who or what can access AI models, data, APIs and connected systems. |
| JSON | JavaScript Object Notation | A structured data format frequently used when exchanging prompts and responses with LLM APIs. |
| KB | Knowledge Base | A structured collection of documents or information used to answer questions, often via RAG. |
| LLM | Large Language Model | An AI model trained on vast quantities of text to understand and generate natural language. |
| LLMOps | Large Language Model Operations | The operational discipline of deploying, monitoring, securing and managing LLMs in production. |
| MCP | Model Context Protocol | An open protocol that enables AI assistants to securely interact with external tools, services and data sources through a standard interface. |
| ML | Machine Learning | A branch of AI where systems learn patterns from data instead of following explicitly programmed rules. |
| MLOps | Machine Learning Operations | Processes and tooling used to develop, deploy, monitor and maintain machine learning systems. |
| NLP | Natural Language Processing | The field of AI focused on understanding and processing human language. |
| OCR | Optical Character Recognition | Technology that converts text in scanned documents or images into machine-readable text. |
| OWASP | Open Worldwide Application Security Project | A global non-profit organisation that develops widely adopted application security guidance, including the OWASP Top 10. |
| PII | Personally Identifiable Information | Information that can identify an individual, such as names, addresses, National Insurance numbers or email addresses. |
| PromptOps | Prompt Operations | The governance, testing, version control and lifecycle management of prompts used in AI systems. |
| RAG | Retrieval-Augmented Generation | An AI architecture that retrieves relevant documents before generating a response, improving accuracy and reducing hallucinations. |
| RBAC | Role-Based Access Control | An access control model where permissions are assigned according to a user’s role rather than individually. |
| RLHF | Reinforcement Learning from Human Feedback | A model training technique where human feedback is used to improve the quality and safety of AI responses. |
| SBOM | Software Bill of Materials | An inventory of software components, libraries and dependencies used to understand supply chain risk. |
| SLM | Small Language Model | A compact language model that requires fewer computing resources and is often suitable for local deployment. |
| SOC | Security Operations Centre | The team responsible for monitoring, detecting, investigating and responding to cybersecurity incidents. |
| TTP | Tactics, Techniques and Procedures | The methods and behaviours attackers use during cyber intrusions. |
| UI | User Interface | The visual interface through which users interact with an AI application. |
| UX | User Experience | The overall experience users have when interacting with an application or AI system. |
| VDB | Vector Database | A specialised database that stores embeddings and enables semantic search for Retrieval-Augmented Generation (RAG). |