OWASP LLM Top 10
Table of Contents
Quick Answer
The OWASP LLM Top 10 is a beginner-friendly way to understand common security risks in applications that use large language models. It covers issues such as prompt injection, insecure output handling, sensitive data exposure, excessive agency, overreliance, and model theft.
What is the OWASP LLM Top 10?
The OWASP LLM Top 10 is a community-driven list of important security risks for applications that use large language models. It helps developers, security teams, and beginners understand how AI application risks differ from normal web application risks.
Why LLM Application Security is Different
LLM applications often combine prompts, retrieved documents, plugins, APIs, model outputs, and automated actions. This creates new trust boundaries. Traditional controls still matter, but AI applications also need prompt isolation, output validation, least-privilege tools, cost controls, and human review for sensitive actions.
The 10 Risks Explained in Simple Words
| OWASP LLM risk | Simple meaning | Basic defense |
|---|---|---|
| Prompt Injection | Untrusted text manipulates model behavior | Separate instructions from data and validate actions |
| Insecure Output Handling | Model output is trusted unsafely | Validate and sanitize before use |
| Training Data Poisoning | Bad data influences model behavior | Curate, monitor, and validate training data |
| Model Denial of Service | Cost or resource abuse | Rate limits, quotas, and monitoring |
| Supply Chain Vulnerabilities | Risky models, datasets, or components | Vet dependencies and providers |
| Sensitive Information Disclosure | Secrets or private data appear in outputs | Data minimization and access control |
| Insecure Plugin Design | Tools or plugins expose risky actions | Least privilege and approval checks |
| Excessive Agency | AI takes too much action autonomously | Scope permissions and use human approval |
| Overreliance | Users trust incorrect AI output | Verification and human review |
| Model Theft | Unauthorized model access or copying | Access control, monitoring, and abuse detection |
Which Risks Matter Most for Developers?
Developers should start with prompt injection, insecure output handling, sensitive information disclosure, plugin/tool permissions, and excessive agency. These risks appear when an LLM application is connected to user data, documents, APIs, code, or business workflows.
Which Risks Matter Most for Users?
Users should be careful about entering sensitive data into AI systems, trusting unverified AI output, and allowing AI tools to perform important actions without review. Human verification remains important even when an AI response sounds confident.
How to Start Securing an LLM Application
- Map where prompts, retrieved content, outputs, tools, and data flows exist.
- Separate trusted instructions from untrusted content.
- Validate output before it is used in HTML, SQL, code, or tool calls.
- Apply least privilege to plugins, APIs, and agents.
- Use logging, rate limits, monitoring, and human approval for sensitive workflows.
Recommended Learning Path
Start with the AI Security Roadmap, then study Prompt Injection, Cross-Site Scripting, SQL Injection, and Penetration Testing. LLM security is easier to understand when the web security fundamentals are clear.
FAQs
Sources and further reading
- OWASP Top 10 for Large Language Model Applications — Official OWASP LLM Top 10 project
- NIST Generative AI Profile — Generative AI risk management reference