The OWASP AI Top 10 is the community-maintained list of the most critical security risks in applications built on large language models, and its 2025 edition keeps prompt injection at number one while adding new categories for system prompt leakage and vector weaknesses. Formally titled the OWASP Top 10 for LLM Applications, it is the closest thing the field has to a shared vocabulary for AI risk, and it is now the reference most security teams anchor their LLM threat models to. This walkthrough covers what each entry means in practice and what actually mitigates it.
Why the OWASP Top 10 for AI exists
Teams shipping LLM features hit a familiar problem: the classic web risks still apply, but they do not describe the failure modes unique to models. A model can be talked into ignoring its instructions. It can leak its own system prompt. It can be handed a poisoned document that changes its behavior. None of that fits neatly into the traditional OWASP Top 10, so the OWASP Gen AI Security Project produced a dedicated list. When people search for the owasp top 10 ai, this is what they mean, and the current edition was published in November 2024 for 2025.
The 2025 list, entry by entry
Here is the full 2025 ranking with what each one means and the practical defense:
LLM01 Prompt Injection. Untrusted input overrides the model's instructions, whether typed directly by a user or hidden inside a document, web page, or tool output the model reads (indirect injection). This remains number one because there is no clean fix. Defenses are layered: separate trusted instructions from untrusted content, constrain what the model is allowed to do, and never let model output trigger a sensitive action without a check.
LLM02 Sensitive Information Disclosure. The model reveals secrets, personal data, or proprietary information, either from its training data or from context it was given. Mitigate by minimizing what sensitive data ever enters a prompt, scrubbing outputs, and applying access controls to retrieval sources.
LLM03 Supply Chain. Compromised or vulnerable models, datasets, plugins, and the software packages around them. A poisoned model pulled from a public hub, or a vulnerable Python dependency in your inference stack, both live here. This is the entry most familiar to anyone doing dependency management, and it is where software composition analysis carries over directly. Our SCA product page covers scanning the conventional dependency tree that surrounds every AI system.
LLM04 Data and Model Poisoning. Manipulating training or fine-tuning data to embed backdoors or bias. Defend with data provenance, integrity checks, and careful vetting of any dataset or base model you did not produce.
LLM05 Improper Output Handling. Treating model output as trusted and passing it unsanitized into a browser, a shell, or a SQL query. This is where an LLM feature becomes a classic XSS or injection bug. The fix is the old one: encode and validate model output exactly as you would any untrusted input.
LLM06 Excessive Agency. The model, often through tools or plugins, is granted more permissions or autonomy than the task needs, so a successful prompt injection can take real actions. This is the central risk in agentic and MCP-connected systems. Constrain tool scope, require confirmation for consequential actions, and apply least privilege to every capability the model can invoke.
LLM07 System Prompt Leakage. New in 2025. Attackers extract the hidden system prompt, exposing instructions, logic, and sometimes embedded secrets. The real lesson is to stop putting anything security-sensitive in the system prompt at all, since it should be treated as potentially readable.
LLM08 Vector and Embedding Weaknesses. Also new. Flaws in the retrieval-augmented generation (RAG) layer: poisoned or leaked embeddings, and access-control gaps in the vector store that let one user retrieve another's data. Secure the vector database as carefully as any other datastore.
LLM09 Misinformation. The model produces confident, plausible, wrong output (hallucination) that users act on. Mitigate with grounding, retrieval, human review for high-stakes use, and interfaces that communicate uncertainty rather than hiding it.
LLM10 Unbounded Consumption. Uncontrolled resource use, from denial-of-wallet attacks that run up inference bills to context-window exhaustion. Rate-limit, cap token usage, and monitor spend the way you would any metered resource.
Where agentic systems go beyond this list
The 2025 list is application-centric and only partially covers autonomous multi-agent behavior. For teams building agents that plan, call tools, and act with limited human oversight, OWASP has since produced a separate OWASP Top 10 for Agentic Applications, aimed at the risks that emerge when systems chain actions together. If your architecture is a single LLM feature, the LLM Top 10 is your reference. If it is a fleet of cooperating agents wielding tools, read both, because Excessive Agency (LLM06) is only the doorway into that larger set of concerns.
How to actually use the list
The OWASP AI Top 10 is most useful as a threat-modeling checklist, not a compliance box to tick. Walk each entry against your specific system: where does untrusted input reach the model, what can the model's output trigger, what tools can it call, what data sits in its context and its vector store. That exercise almost always surfaces an Excessive Agency or Improper Output Handling gap that generic "add AI safety" advice would miss. Pair it with the supply-chain hygiene you already run on conventional code, since LLM03 makes clear that an AI system is still, underneath, a software supply chain. A platform such as Safeguard can scan the packages and models feeding your AI stack alongside the rest of your dependencies.
FAQ
What is the OWASP AI Top 10?
It is the OWASP Top 10 for LLM Applications, a community-maintained list from the OWASP Gen AI Security Project ranking the most critical security risks in applications built on large language models. The 2025 edition was published in November 2024.
What is the number one risk?
Prompt injection (LLM01). Untrusted input, whether typed directly or hidden inside content the model reads, overrides the model's instructions. It stays at the top because there is no single clean fix, only layered mitigation.
How is it different from the classic OWASP Top 10?
The classic list covers general web application risks. The AI list covers failure modes unique to LLMs, such as prompt injection, model poisoning, system prompt leakage, and excessive agency, that traditional web categories do not capture. Both apply to a typical AI feature.
Does it cover autonomous AI agents?
Only partially, mainly through Excessive Agency (LLM06). OWASP publishes a separate Top 10 for Agentic Applications for teams building autonomous, tool-using, multi-agent systems, and those teams should consult both lists.