AI Security · June 14, 2026 · 13 min read

The OWASP Top 10 for LLM Applications, explained

The OWASP Top 10 for LLM Applications is the reference list of the most critical AI application risks. This is what each of the ten risks means and how to address it.

The OWASP Top 10 for Large Language Model Applications is the widely used reference list of the most critical security risks in AI applications. Published and maintained by the Open Worldwide Application Security Project, the same organization behind the long-standing OWASP Top 10 for web applications, it gives security teams, developers, and auditors a common vocabulary for the risks that come with building on large language models. If you build, buy, or assess AI applications, it is the single most useful starting point for understanding what can go wrong.

The list matters because LLM applications fail in ways traditional application security checklists do not cover. A model that follows instructions from untrusted data, that can be persuaded past its guardrails, or that can take actions through tools introduces risks with no direct equivalent in a conventional web app. This article walks through the ten risks in the current list, what each means in practice, and how to address it, drawing on the testing we do through our AI security service.

What is the OWASP Top 10 for LLM Applications?

It is a curated list of the ten most critical security risks specific to applications built on large language models, compiled by a global group of security practitioners. It is not a standard you certify against, but a reference that informs how AI applications should be designed, built, and tested. Security teams use it to scope testing, developers use it to avoid common mistakes, and assessors use it as a baseline for what an AI application should defend against. A good AI penetration test maps to this list while going beyond it.

The ten risks

The current list covers the following risks. Each links, where relevant, to a deeper treatment of the topic.

  • Prompt injection, where user or external input manipulates the model into behaving against the application's intent. This is the defining LLM risk, covered in prompt injection is not a prompt problem.
  • Sensitive information disclosure, where the model reveals confidential data, secrets, or content from other users or contexts.
  • Supply chain, where compromised models, datasets, or dependencies introduce risk before the application is even run.
  • Data and model poisoning, where training or retrieved data is corrupted to change the model's behavior, covered in AI data and model poisoning.
  • Improper output handling, where downstream systems trust model output and an attacker uses that trust to inject code or commands.
  • Excessive agency, where the model can take actions beyond what is safe, covered in securing AI agents.
  • System prompt leakage, where the model's hidden instructions are extracted, often as a step toward a fuller attack.
  • Vector and embedding weaknesses, where the retrieval layer of a RAG system is attacked, covered in RAG security.
  • Misinformation, where the model produces confident but false output that users act on.
  • Unbounded consumption, where uncontrolled use drives cost or denial of service, sometimes called denial of wallet.

The OWASP LLM Top 10 is not a checklist to tick once. It is a map of where AI applications break, and a reminder that most of those failures have no equivalent in traditional app security.

How the risks connect

The ten risks are not independent. The most damaging real-world attacks chain several together: an indirect prompt injection (risk one) hidden in a poisoned document (risk four) retrieved through a weak embedding layer (risk eight) that steers an over-permissioned agent (risk six) whose output is trusted downstream (risk five). Treating the list as ten separate boxes misses how attackers actually operate. This is why testing has to pursue realistic attack paths, not just check each risk in isolation, which is the difference between a checklist scan and genuine AI red teaming.

How to address the OWASP LLM risks

Most of the list comes down to a few durable principles, applied across the application rather than the model alone.

  • Treat all input the model processes, including retrieved and tool-returned content, as untrusted.
  • Put security controls outside the model, in code the attacker cannot influence, rather than relying on the prompt.
  • Constrain the model's capability and access, so manipulation cannot cause disproportionate harm.
  • Validate model output before any downstream system or user acts on it.
  • Govern the supply chain of models, datasets, and dependencies as you would any third-party code.
  • Log and monitor everything, so abuse can be detected, rate-limited, and investigated.
  • Test against realistic attack paths, mapping to the Top 10 but pursuing the chains attackers actually use.
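The principles above are easiest to see in code. The following is an added example, not code from the article or from any product it mentions: an enforcement layer that sits outside the model and applies several of the principles to an agent's proposed tool calls (untrusted output, allowlisted capability, identity bound by code, a consumption budget, and an audit log). The tool names, approved domain and budget are constructed assumptions.

```python
import json
from dataclasses import dataclass, field

# Tools the agent may call and the only arguments the model may supply for each
# (names, domains and the budget are constructed for this example).
TOOL_ALLOWLIST = {"lookup_order": {"order_id"}, "send_message": {"to", "body"}}
APPROVED_RECIPIENT_DOMAINS = {"example.com"}
MAX_TOOL_CALLS_PER_SESSION = 20    # caps unbounded consumption per session


@dataclass
class Session:
    user_id: str                   # from the authenticated session, never the model
    tool_calls: int = 0
    audit_log: list = field(default_factory=list)


def gate_tool_call(session, raw_action):
    """Decide in code whether a model-proposed action may run.

    raw_action is the model's raw output, treated as untrusted text. Returns
    (allowed, bound_args, reason) and logs the decision for monitoring.
    """
    session.tool_calls += 1
    if session.tool_calls > MAX_TOOL_CALLS_PER_SESSION:
        return _decide(session, False, None, "tool-call budget exhausted")
    try:  # validate the output's structure before anything acts on it
        action = json.loads(raw_action)
        tool, args = action["tool"], action["args"]
        if not (isinstance(tool, str) and isinstance(args, dict)):
            raise TypeError("tool must be a string and args an object")
    except (ValueError, KeyError, TypeError):
        return _decide(session, False, None, "malformed action")
    if tool not in TOOL_ALLOWLIST:
        return _decide(session, False, None, f"tool not allowed: {tool!r}")
    extra = set(args) - TOOL_ALLOWLIST[tool]
    if extra:
        return _decide(session, False, None, f"unexpected arguments: {sorted(extra)}")
    if tool == "send_message":
        domain = str(args.get("to", "")).rpartition("@")[2]
        if domain not in APPROVED_RECIPIENT_DOMAINS:
            return _decide(session, False, None, f"recipient domain not approved: {domain!r}")
    # Identity is bound from the session, so a manipulated model cannot reach
    # another user's data by naming them in the arguments.
    return _decide(session, True, dict(args, user_id=session.user_id), f"{tool} permitted")


def _decide(session, allowed, bound_args, reason):
    session.audit_log.append({"allowed": allowed, "reason": reason})
    return allowed, bound_args, reason
```

The caller executes the tool only when `allowed` is true, and only with `bound_args`; the model's text never reaches the tool directly.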

OWASP, regulation, and governance

The OWASP LLM Top 10 is a technical reference, but it dovetails with governance and regulation. The EU AI Act's robustness and security requirements and the NIST AI Risk Management Framework both expect AI systems to be tested against realistic threats, and the Top 10 is a practical basis for that testing. Mapping your testing to the list also produces evidence you can use in AI governance and toward EU AI Act obligations.

The OWASP Top 10 for LLM Applications is the best shared starting point for understanding AI application risk. If you want your AI applications tested against it and the realistic attacks it describes, see our AI security service and book a scoping call.

Frequently asked questions

What is the OWASP Top 10 for LLM Applications?
It is a reference list of the ten most critical security risks in applications built on large language models, maintained by OWASP. It gives developers, security teams, and assessors a common vocabulary and a baseline for what an AI application should defend against.
How is it different from the OWASP Top 10 for web apps?
The web application Top 10 covers risks like injection and broken access control in conventional applications. The LLM Top 10 covers risks specific to language models, such as prompt injection, excessive agency, and model poisoning, that have no direct equivalent in traditional app security.
Is the OWASP LLM Top 10 a standard?
No. It is a reference list, not a certifiable standard. It informs how AI applications should be designed and tested, and it pairs well with frameworks like the NIST AI RMF and obligations like the EU AI Act, but you do not certify against it.
How do we test against the OWASP LLM Top 10?
Through AI penetration testing and red teaming that map to the list while pursuing realistic attack paths, because the most serious attacks chain several of the risks together rather than appearing in isolation.

Sources

  1. OWASP. OWASP Top 10 for Large Language Model Applications. Open Worldwide Application Security Project, 2025.
  2. NIST. Artificial Intelligence Risk Management Framework (AI RMF 1.0). National Institute of Standards and Technology, 2023.