A practical security summary for cyber security professionals securing Large Language Model and Generative AI applications.
The OWASP Top 10 for LLM Applications 2025 highlights the most important risks affecting systems that use Large Language Models, Retrieval-Augmented Generation, AI agents, plugins, tools, vector databases and generative AI workflows.
Contents
- 1 The OWASP Top 10 at a Glance
- 2 LLM Application Attack Surface
- 3 Quick Reference Table
- 4 LLM01:2025 – Prompt Injection
- 5 LLM02:2025 – Sensitive Information Disclosure
- 6 LLM03:2025 – Supply Chain
- 7 LLM04:2025 – Data and Model Poisoning
- 8 LLM05:2025 – Improper Output Handling
- 9 LLM06:2025 – Excessive Agency
- 10 LLM07:2025 – System Prompt Leakage
- 11 LLM08:2025 – Vector and Embedding Weaknesses
- 12 LLM09:2025 – Misinformation
- 13 LLM10:2025 – Unbounded Consumption
- 14 Risk Heat View
- 15 What Security Teams Should Focus On
- 16 Practical Security Controls
- 17 Key Takeaways
- 18 AI & LLM Security Acronyms
The OWASP Top 10 at a Glance
Prompt Injection
Malicious or hidden prompts alter model behaviour.
Sensitive Information Disclosure
PII, secrets or business data leaks through outputs.
Supply Chain
Risk from models, datasets, packages and suppliers.
Data and Model Poisoning
Manipulated training, fine-tuning or embedding data.
Improper Output Handling
Unsafe model output reaches downstream systems.
Excessive Agency
Agents have too much functionality or permission.
System Prompt Leakage
Internal prompts reveal rules, secrets or weak design.
Vector and Embedding Weaknesses
RAG and vector database access-control risks.
Misinformation
Hallucinated or misleading outputs are trusted.
Unbounded Consumption
Denial of service, denial of wallet and model abuse.
LLM Application Attack Surface
Security view: prompt injection, sensitive data exposure, excessive agency, unsafe output handling and RAG leakage all occur around the boundaries between users, applications, models, tools, APIs and data stores.
Quick Reference Table
| OWASP ID | Risk | Primary Control Focus |
|---|---|---|
| LLM01 | Prompt Injection | Input separation, prompt hardening, output validation, least privilege |
| LLM02 | Sensitive Information Disclosure | Data classification, redaction, access control, output monitoring |
| LLM03 | Supply Chain | Model provenance, dependency scanning, SBOM, supplier review |
| LLM04 | Data and Model Poisoning | Data provenance, dataset validation, model behaviour monitoring |
| LLM05 | Improper Output Handling | Output encoding, validation, sandboxing, secure coding |
| LLM06 | Excessive Agency | Least privilege, tool restrictions, human approval, monitoring |
| LLM07 | System Prompt Leakage | Do not store secrets in prompts; enforce controls outside the model |
| LLM08 | Vector and Embedding Weaknesses | Permission-aware retrieval, tenant isolation, document classification |
| LLM09 | Misinformation | Source grounding, verification, citations, human review |
| LLM10 | Unbounded Consumption | Rate limits, quotas, cost monitoring, timeouts, abuse detection |
LLM01:2025 – Prompt Injection
Prompt injection occurs when user input, external content or hidden instructions manipulate the behaviour of the LLM in unintended ways. This may be direct, such as a user entering malicious instructions, or indirect, such as the model processing poisoned web pages, documents, emails or images.
Security impact: data disclosure, policy bypass, incorrect decisions, unauthorised tool use, harmful content generation or command execution in connected systems.
- Treat all prompts and retrieved content as untrusted input.
- Separate user instructions from external content.
- Apply least privilege to tools, plugins and APIs.
- Use output validation and human approval for high-risk actions.
- Test direct, indirect, obfuscated and multimodal prompt injection scenarios.
LLM02:2025 – Sensitive Information Disclosure
This risk occurs when an LLM application exposes personal data, credentials, confidential business information, legal material, proprietary algorithms or other sensitive content.
- Prevent sensitive data entering prompts, logs, training or fine-tuning pipelines unless explicitly approved.
- Use data classification, redaction and tokenisation where appropriate.
- Apply strict access controls to source data and RAG repositories.
- Provide clear user guidance on what must not be entered into AI tools.
- Monitor outputs for secrets, PII and confidential information.
LLM03:2025 – Supply Chain
LLM supply chain risk includes compromised models, poisoned datasets, vulnerable dependencies, unsafe LoRA adapters, unclear licensing, weak model provenance and third-party AI service risks.
- Use trusted model sources and verify integrity with hashes or signatures where possible.
- Maintain an inventory of models, datasets, packages, APIs and AI services.
- Review licences, terms of service and data usage policies.
- Scan dependencies and patch vulnerable components.
- Perform AI red teaming before adopting third-party models or AI platforms.
LLM04:2025 – Data and Model Poisoning
Data and model poisoning occurs when training data, fine-tuning data, embeddings or model artefacts are manipulated to introduce bias, backdoors, harmful behaviours or incorrect outputs.
- Track data provenance and maintain version control for datasets.
- Validate and review data sources before training, fine-tuning or indexing.
- Monitor model behaviour for unexpected changes.
- Use trusted sources for RAG and embedding pipelines.
- Include poisoning scenarios in AI red team testing.
LLM05:2025 – Improper Output Handling
Improper output handling happens when LLM-generated content is passed to downstream systems without proper validation, sanitisation or encoding.
- Treat LLM output as untrusted user-controlled input.
- Use context-aware output encoding for HTML, JavaScript, SQL, shell and file paths.
- Use parameterised queries for database operations.
- Do not execute generated code without review and sandboxing.
- Log and monitor unusual or policy-violating outputs.
LLM06:2025 – Excessive Agency
Excessive agency occurs when an LLM or AI agent is given too much functionality, too many permissions or too much autonomy to act without suitable controls.
- Minimise the tools and functions available to the model.
- Use least-privilege service accounts and user-context authorisation.
- Avoid open-ended tools such as unrestricted shell, browser or URL-fetching functions.
- Require human approval for destructive, financial or externally visible actions.
- Monitor tool usage, rate-limit actions and alert on abnormal behaviour.
LLM07:2025 – System Prompt Leakage
System prompt leakage is the exposure of internal prompts and instructions used to guide model behaviour. The real issue is not simply that the prompt is visible, but that organisations may place secrets, permissions, business logic or weak security controls inside it.
- Never put secrets, keys, tokens or credentials in system prompts.
- Do not rely on prompts to enforce authorisation.
- Move security decisions into deterministic application code.
- Use guardrails and policy enforcement outside the LLM.
- Assume attackers can infer or extract some prompt behaviour through testing.
LLM08:2025 – Vector and Embedding Weaknesses
Vector and embedding weaknesses affect systems using Retrieval-Augmented Generation, vector databases and embedding-based retrieval. Risks include data leakage, cross-tenant retrieval, poisoned knowledge sources and embedding inversion.
- Use permission-aware retrieval and enforce document-level access control.
- Separate tenants, departments and sensitivity levels in vector stores.
- Validate and classify content before indexing.
- Monitor retrieval activity and log source documents used in answers.
- Test for cross-context leakage and poisoned document injection.
LLM09:2025 – Misinformation
Misinformation occurs when an LLM produces false, misleading or unsupported information that appears credible. This includes hallucinated facts, invented references, unsafe code suggestions or incorrect business guidance.
- Use RAG with trusted sources for factual answers.
- Require citations or source references for important claims.
- Use human review for high-impact decisions.
- Clearly label AI-generated content and communicate limitations.
- Validate generated code, packages and commands before use.
LLM10:2025 – Unbounded Consumption
Unbounded consumption occurs when an LLM application allows excessive, uncontrolled or expensive use of inference resources. This can lead to denial of service, denial of wallet, service degradation or model extraction.
- Apply rate limits, quotas and request size limits.
- Set timeouts and throttling for expensive operations.
- Monitor token usage, cost anomalies and repeated failure patterns.
- Limit queued actions and design graceful degradation.
- Protect model APIs against extraction and abuse.
Risk Heat View
High Impact / High Priority
- Prompt Injection
- Sensitive Information Disclosure
- Excessive Agency
- Improper Output Handling
Supply Chain and Integrity
- Supply Chain
- Data and Model Poisoning
- Vector and Embedding Weaknesses
Operational and Governance Risk
- System Prompt Leakage
- Misinformation
- Unbounded Consumption
What Security Teams Should Focus On
- Threat model AI workflows: map prompts, data sources, vector stores, tools, plugins, APIs and downstream systems.
- Treat the LLM as untrusted: validate input, validate output and enforce security controls outside the model.
- Control data access: apply least privilege to documents, embeddings, APIs and connected tools.
- Secure the AI supply chain: inventory models, datasets, dependencies, licences and third-party services.
- Monitor behaviour: log prompts, outputs, retrieval sources, tool calls, token usage and anomalous activity.
- Red team the system: test prompt injection, indirect injection, data leakage, agent abuse and RAG poisoning.
Practical Security Controls
| Control Area | Recommended Action |
|---|---|
| Identity | Use least privilege, user-context authorisation and strong access control for connected tools. |
| Data Protection | Classify, redact and restrict sensitive data before it enters prompts, RAG stores or training pipelines. |
| Application Security | Validate and encode LLM output before passing it to browsers, databases, shells or APIs. |
| Cloud Security | Monitor cost, usage, API keys, model endpoints and service permissions. |
| Detection Engineering | Create detections for abnormal token usage, prompt injection patterns, suspicious retrieval and unusual tool calls. |
| Governance | Maintain an AI inventory covering models, datasets, owners, risks, suppliers and approved use cases. |
| Incident Response | Prepare playbooks for prompt injection, data leakage, model abuse, AI service compromise and supply chain issues. |
Key Takeaways
- LLM security is broader than prompt engineering.
- Prompt instructions are not reliable security controls.
- RAG and vector databases introduce new access-control and data-leakage risks.
- Agentic AI increases impact because the model can take action, not just generate text.
- Security teams should treat LLM applications as integrated, high-risk systems.
Source and licence: Adapted from the OWASP Top 10 for LLM Applications 2025 by the OWASP GenAI Security Project. The original material is licensed under Creative Commons Attribution-ShareAlike 4.0.
AI & LLM Security Acronyms
This glossary explains the most common acronyms used in Generative AI, Large Language Models (LLMs), and AI security. It is intended as a quick reference for cybersecurity professionals, engineers and architects.
| Acronym | Meaning | Explanation |
|---|---|---|
| AGI | Artificial General Intelligence | A theoretical form of AI capable of performing intellectual tasks at or above human level across many different domains. |
| AI | Artificial Intelligence | The broad field of creating computer systems capable of performing tasks that normally require human intelligence. |
| API | Application Programming Interface | A mechanism that allows software applications to communicate with each other. Most LLMs are accessed through APIs. |
| AUP | Acceptable Use Policy | A policy defining how users are permitted to interact with an AI service and what activities are prohibited. |
| CoT | Chain of Thought | A reasoning technique where an LLM breaks complex problems into intermediate reasoning steps before producing an answer. |
| DLP | Data Loss Prevention | Technologies and policies designed to prevent sensitive information being disclosed to unauthorised users or AI systems. |
| DoW | Denial of Wallet | An attack that forces excessive LLM processing, significantly increasing cloud or API costs. |
| GenAI | Generative Artificial Intelligence | AI systems capable of generating new text, images, audio, code and other content. |
| GPU | Graphics Processing Unit | Specialised hardware used to train and run AI models much faster than traditional CPUs. |
| HITL | Human in the Loop | A security and governance practice requiring human approval before AI performs sensitive or high-risk actions. |
| IAM | Identity and Access Management | Controls that determine who or what can access AI models, data, APIs and connected systems. |
| JSON | JavaScript Object Notation | A structured data format frequently used when exchanging prompts and responses with LLM APIs. |
| KB | Knowledge Base | A structured collection of documents or information used to answer questions, often via RAG. |
| LLM | Large Language Model | An AI model trained on vast quantities of text to understand and generate natural language. |
| LLMOps | Large Language Model Operations | The operational discipline of deploying, monitoring, securing and managing LLMs in production. |
| MCP | Model Context Protocol | An open protocol that enables AI assistants to securely interact with external tools, services and data sources through a standard interface. |
| ML | Machine Learning | A branch of AI where systems learn patterns from data instead of following explicitly programmed rules. |
| MLOps | Machine Learning Operations | Processes and tooling used to develop, deploy, monitor and maintain machine learning systems. |
| NLP | Natural Language Processing | The field of AI focused on understanding and processing human language. |
| OCR | Optical Character Recognition | Technology that converts text in scanned documents or images into machine-readable text. |
| OWASP | Open Worldwide Application Security Project | A global non-profit organisation that develops widely adopted application security guidance, including the OWASP Top 10. |
| PII | Personally Identifiable Information | Information that can identify an individual, such as names, addresses, National Insurance numbers or email addresses. |
| PromptOps | Prompt Operations | The governance, testing, version control and lifecycle management of prompts used in AI systems. |
| RAG | Retrieval-Augmented Generation | An AI architecture that retrieves relevant documents before generating a response, improving accuracy and reducing hallucinations. |
| RBAC | Role-Based Access Control | An access control model where permissions are assigned according to a user’s role rather than individually. |
| RLHF | Reinforcement Learning from Human Feedback | A model training technique where human feedback is used to improve the quality and safety of AI responses. |
| SBOM | Software Bill of Materials | An inventory of software components, libraries and dependencies used to understand supply chain risk. |
| SLM | Small Language Model | A compact language model that requires fewer computing resources and is often suitable for local deployment. |
| SOC | Security Operations Centre | The team responsible for monitoring, detecting, investigating and responding to cybersecurity incidents. |
| TTP | Tactics, Techniques and Procedures | The methods and behaviours attackers use during cyber intrusions. |
| UI | User Interface | The visual interface through which users interact with an AI application. |
| UX | User Experience | The overall experience users have when interacting with an application or AI system. |
| VDB | Vector Database | A specialised database that stores embeddings and enables semantic search for Retrieval-Augmented Generation (RAG). |