Compliance | February 5, 2026 | Averta Team

The OWASP Top 10 for LLM Applications, Explained

A plain-language breakdown of the OWASP Top 10 risks for LLM applications and what each one means for your AI security posture.

The OWASP Top 10 for LLM Applications has become the de facto framework for understanding AI application risks. Every vendor references it. Every compliance team asks about it. But the actual document is dense and technical.

Here's what each risk actually means, in plain language.

LLM01: Prompt Injection

The big one. An attacker includes instructions in their input that override the model's system prompt. This can cause the model to ignore its intended behavior and follow the attacker's instructions instead.

There are two types. Direct injection: the user submits the malicious instruction. Indirect injection: the malicious instruction is embedded in data the model processes (an email, a document, a web page).

Prompt injection is ranked #1 because it's pervasive, hard to fully prevent, and enables most other attacks on the list.

LLM02: Sensitive Information Disclosure

The model reveals information it shouldn't. This could be training data, personal information, system prompts, API keys, or internal business data.

This happens through direct questioning ("What's in your system prompt?"), through data leakage in generated responses, or through extraction attacks that reconstruct training data.

LLM03: Supply Chain Vulnerabilities

Risks inherited from third-party components: pre-trained models with backdoors, poisoned training data, compromised plugins or extensions, and vulnerable dependencies in the ML pipeline.

This is the AI equivalent of the Log4j problem. When you use a model or tool you didn't build, you inherit its vulnerabilities.

LLM04: Data and Model Poisoning

Manipulation of training data or fine-tuning data to influence the model's behavior. An attacker who can inject data into the training pipeline can create backdoors, biases, or targeted vulnerabilities that are extremely difficult to detect.

This is a supply chain attack that operates at the model level rather than the code level.

LLM05: Improper Output Handling

The model's output is trusted and used without validation. This leads to XSS when model output is rendered in web pages, SQL injection when model output is used in database queries, command injection when model output is executed as code, or SSRF when model output is used as URLs.

The model is treated as a trusted source when it should be treated as untrusted user input.
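As an added illustration (not code from the original post), the same three sinks handled the wrong way and the right way: HTML rendering, a database query, and a URL fetch. The model output, the table rows and the allowlisted host are constructed sample values.

```python
import html
import sqlite3
from urllib.parse import urlparse

# Constructed sample: model output carrying an injected script tag and an
# internal URL it was tricked into producing (hypothetical values).
MODEL_OUTPUT = "Order 42 shipped <script>alert(1)</script> via http://internal-admin.local/"


def render_unsafe(text: str) -> str:
    # Vulnerable: model output interpolated straight into HTML -> XSS.
    return f"<p>{text}</p>"


def render_safe(text: str) -> str:
    # Hardened: escape before rendering, exactly as for a user-supplied string.
    return f"<p>{html.escape(text)}</p>"


def make_demo_db() -> sqlite3.Connection:
    # In-memory table with constructed rows so the queries below run offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (ref TEXT, status TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)",
                     [("42", "shipped"), ("43", "pending")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, ref: str) -> list:
    # Vulnerable: model output concatenated into SQL -> SQL injection.
    return conn.execute(f"SELECT status FROM orders WHERE ref = '{ref}'").fetchall()


def lookup_safe(conn: sqlite3.Connection, ref: str) -> list:
    # Hardened: parameterized query; the value can never change the statement.
    return conn.execute("SELECT status FROM orders WHERE ref = ?", (ref,)).fetchall()


ALLOWED_HOSTS = {"api.example.com"}  # hypothetical egress allowlist


def is_allowed_url(url: str) -> bool:
    # Hardened: fetch only HTTPS URLs whose host is allowlisted (SSRF guard).
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS
```

The unsafe variants are there only to show what the text means by "trusted and used without validation"; in production, every model output should pass through the safe path for its sink.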

LLM06: Excessive Agency

The model has access to too many tools, too many permissions, or too much autonomy. When combined with prompt injection, excessive agency means a compromised model can do more damage.

This is the principle of least privilege applied to AI agents. Every unnecessary capability is unnecessary attack surface.

LLM07: System Prompt Leakage

The system prompt contains instructions, guidelines, and sometimes credentials that define the model's behavior. Attackers can extract this information through various techniques, revealing the application's logic, boundaries, and potentially sensitive configuration.

LLM08: Vector and Embedding Weaknesses

Vulnerabilities in how vector databases and embeddings are used. This includes poisoning the vector store to influence retrieval, extracting sensitive information from embeddings, or manipulating similarity search results to return attacker-controlled content.

Particularly relevant for RAG (Retrieval-Augmented Generation) applications.

LLM09: Misinformation

The model generates content that is factually incorrect but presented with high confidence. In agentic contexts, this can lead to automated decisions based on hallucinated data.

This is distinct from a security attack but creates real risk when AI agents make decisions based on information the model confidently fabricated.

LLM10: Unbounded Consumption

Attacks that consume excessive resources: denial of service through expensive queries, resource exhaustion through repeated requests, or financial drain through excessive API calls.

In pay-per-token environments, an attacker who triggers expensive model operations can cause significant financial damage without compromising any data.

What this means for your security posture

The OWASP Top 10 is a risk taxonomy, not a solution guide. But it maps clearly to the security controls you need.

Input classification addresses LLM01, LLM02, and LLM07. Policy enforcement addresses LLM05, LLM06, and LLM10. Tool governance addresses LLM06 and LLM05. Supply chain security addresses LLM03 and LLM04. Output filtering addresses LLM02, LLM05, and LLM09.

No single control covers all ten risks. Comprehensive AI security requires multiple layers working together.

See how Averta OS secures AI agents in production.

Book a demo and see the Multi-Layer Classification Engine, Policy Framework, and OS Guardian in action.
