OWASP LLM Top 10 2025 and Why It Matters
If you had to brief your board on AI risk in five minutes, this is the list they should expect. The OWASP LLM Top 10 is the baseline every enterprise should map to policy, tooling, and runtime enforcement.
Executive Summary
The OWASP Top 10 for LLM applications (v1.1) calls out prompt injection, insecure output handling, supply chain risk, excessive agency, and sensitive data exposure as the core failure modes. Treat it as a control checklist: each item should map to a detection, a mitigation, and an owner.
What the OWASP LLM Top 10 Covers
Think of it as the minimum vocabulary for LLM risk. The list is not theoretical; it is a practical set of failure modes seen across real deployments. The current OWASP Top 10 for LLM applications includes prompt injection, insecure output handling, training data poisoning, model denial of service, supply chain vulnerabilities, sensitive information disclosure, insecure plugin design, excessive agency, overreliance, and model theft.
Why This List Matters
- It is the shared language regulators, auditors, and boards now expect.
- It maps directly to the real risks of agentic systems and tool integration.
- It provides a minimum baseline for risk ownership and control coverage.
How LLM Risk Differs From Traditional AppSec
This list should feel different from the classic OWASP Web Top 10. LLM systems mix untrusted inputs with privileged actions, often through tools. That creates risks like prompt injection and excessive agency that do not exist in traditional web stacks. The model can act, not just respond.
From List to Controls
A list does not reduce risk until it becomes enforcement. For prompt injection, that means context separation and runtime policy gates. For insecure output handling, it means sanitization and validation before downstream execution. For excessive agency, it means default-deny tool scopes and explicit approvals. The same applies to data disclosure and model theft: policy controls must live outside the model.
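As an added illustration of the controls this paragraph names (not code from the original article or from AARSM), the following Python gate applies default-deny tool scopes, explicit approval for side-effecting tools, and argument validation before a model-proposed tool call reaches anything downstream. The agent, its tools, and the scopes are constructed for the example.

```python
# Added example (not from the original article): a minimal runtime policy gate
# for model-initiated tool calls. It enforces default-deny tool scopes, requires
# explicit approval for side-effecting tools, and validates arguments before
# anything downstream executes. Agent names, tools and limits are constructed.
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AgentScope:
    """Tools an agent may call; anything not listed is denied by default."""
    read_only: set = field(default_factory=set)       # allowed without approval
    needs_approval: set = field(default_factory=set)  # a human must approve each call


@dataclass
class Decision:
    verdict: str   # "allow", "deny", or "needs_approval"
    reason: str


# Constructed scope: a support bot may read tickets but must get approval to refund.
SUPPORT_BOT = AgentScope(read_only={"get_ticket"}, needs_approval={"issue_refund"})

# Per-tool argument contracts: model output is untrusted until it matches them.
TICKET_ID = re.compile(r"T-\d{1,8}")


def validate_args(tool: str, args: dict) -> Optional[str]:
    """Return an error string if the arguments violate the tool's contract."""
    if tool == "get_ticket":
        if not TICKET_ID.fullmatch(str(args.get("ticket_id", ""))):
            return "ticket_id must match T-<digits>"
    elif tool == "issue_refund":
        amount = args.get("amount")
        if isinstance(amount, bool) or not isinstance(amount, (int, float)):
            return "amount must be a number"
        if not 0 < amount <= 500:
            return "amount must be in (0, 500]"
    return None


def authorize(scope: AgentScope, tool: str, args: dict, approved: bool = False) -> Decision:
    """Gate a model-proposed tool call. Default-deny: unknown tools never run."""
    if tool not in scope.read_only and tool not in scope.needs_approval:
        return Decision("deny", f"{tool} is outside the agent's scope")
    err = validate_args(tool, args)
    if err:
        return Decision("deny", f"invalid arguments for {tool}: {err}")
    if tool in scope.needs_approval and not approved:
        return Decision("needs_approval", f"{tool} has side effects; explicit approval required")
    return Decision("allow", "within scope and arguments validated")
```

Every verdict carries a reason so the gate's decisions can be logged as evidence for the control.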
Using the Top 10 as a Program Checklist
Treat each item as a control obligation: define ownership, detection, mitigation, and evidence. If you cannot demonstrate a control for a given risk, that is a policy gap. The easiest way to start is to map active AI workflows to the list and ask which risks they expose today.
How AARSM Helps
AARSM maps directly to the OWASP risks, enforcing controls for prompt injection, excessive agency, and sensitive data exposure at runtime rather than only in policy documents.
About This Analysis
This analysis is based on the OWASP Top 10 for Large Language Model Applications and the OWASP GenAI Security Project materials for 2025.