OWASP Top 10 for LLM Applications (2025)
The OWASP Top 10 for LLM Applications is a practical security taxonomy for LLM applications and agentic systems. It helps teams turn “LLM security” into concrete risk categories, mitigations, and testing signals.
Related framework
For an agent-specific taxonomy (delegation, inter-agent comms, memory governance), see OWASP Top 10 for Agentic Applications (2026).
Key facts
Type
Security risk taxonomy
Scope
LLM applications and agents
Focus
Threats and mitigations
Version
2025 (v2.0, released 2024-11-18)
Best for
Security and engineering teams
Authoritative resources
- OWASP project page
- OWASP 2025 PDF
- OWASP GenAI Security “Top 10 for LLM Applications 2025” resource page
Why OWASP matters in AI governance
LLM security risks often become governance risks: data leakage, unsafe actions, supply chain exposures, and weak oversight. The OWASP Top 10 helps you name these risks consistently and attach evidence to mitigations.
Go deeper: LLM app attack surface (quick map)
LLM app attack surface (where risks show up)
| Surface | Where it shows up | Relevant OWASP categories |
|---|---|---|
| Inputs and content ingestion | prompts, files, web pages, emails, tickets | LLM01:2025 Prompt Injection; LLM04:2025 Data and Model Poisoning |
| RAG and embeddings | vector stores, chunking, retrieval, grounding | LLM08:2025 Vector and Embedding Weaknesses; LLM04:2025 Data and Model Poisoning |
| System prompts and internal instructions | hidden prompts, policies, tool schemas | LLM07:2025 System Prompt Leakage; LLM01:2025 Prompt Injection |
| Tools and actions (agents) | function calling, plugins, automation, permissions | LLM06:2025 Excessive Agency; LLM05:2025 Improper Output Handling |
| Outputs and downstream use | UI copy, API responses, automated actions, decisions | LLM09:2025 Misinformation; LLM05:2025 Improper Output Handling |
| Data exposure and logging | secrets, PII, traces, monitoring, feedback | LLM02:2025 Sensitive Information Disclosure; LLM07:2025 System Prompt Leakage |
| Supply chain and vendors | model providers, libraries, datasets, hosting | LLM03:2025 Supply Chain |
| Resource and cost controls | rate limits, budgets, timeouts, abuse prevention | LLM10:2025 Unbounded Consumption |
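The "Tools and actions" and "Outputs and downstream use" rows share one root cause: the model's reply is untrusted text, and an application that hands it straight to a tool runner, a shell, or an HTML template turns a prompt injection into a real action (LLM05 Improper Output Handling) or lets the model reach tools and privileges it never needed (LLM06 Excessive Agency). The following Python gate is an added example written for this page; it is not code from OWASP or from Modulos. The tool names, the regex argument schemas, the "read"/"write" permission tiers and the sample model replies are all constructed assumptions chosen to illustrate the pattern.

```python
"""Tool-call gate for an LLM agent (illustrative example, not OWASP or Modulos code).

The model's reply is treated as untrusted input. Before any tool runs, the gate:
  1. parses the reply as JSON instead of eval()-ing or exec()-ing it (LLM05),
  2. accepts only tools registered in an explicit allowlist (LLM06),
  3. validates every argument against the tool's schema (LLM05),
  4. enforces a least-privilege tier: write-capable tools need human approval (LLM06).
Tool names, schemas and tiers below are invented for the example.
"""
import html
import json
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ToolSpec:
    name: str
    tier: str      # "read" runs automatically; "write" requires explicit approval
    params: dict   # parameter name -> regex the value must fully match


# Allowlist of tools the agent may call (assumed for the example).
TOOLS = {
    "lookup_ticket": ToolSpec("lookup_ticket", "read", {"ticket_id": r"[A-Z]{2,5}-\d{1,6}"}),
    "close_ticket": ToolSpec("close_ticket", "write", {"ticket_id": r"[A-Z]{2,5}-\d{1,6}"}),
}


@dataclass
class Decision:
    action: str    # "run", "needs_approval" or "reject"
    reason: str
    call: dict = field(default_factory=dict)


def gate_tool_call(model_reply: str, approved: bool = False) -> Decision:
    """Decide whether a model-proposed tool call may execute."""
    # 1. Structured parsing only; never evaluate model output as code.
    try:
        call = json.loads(model_reply)
    except json.JSONDecodeError:
        return Decision("reject", "reply is not JSON")
    if not isinstance(call, dict) or set(call) != {"tool", "args"}:
        return Decision("reject", "unexpected call shape")

    # 2. Unknown tools are rejected, so an injected instruction cannot
    #    reach anything outside the allowlist.
    spec = TOOLS.get(call["tool"])
    if spec is None:
        return Decision("reject", f"unknown tool {call['tool']!r}")

    # 3. Exact argument set and per-argument validation against the schema;
    #    extra or malformed arguments are a rejection, not a warning.
    args = call["args"]
    if not isinstance(args, dict) or set(args) != set(spec.params):
        return Decision("reject", "argument set does not match schema")
    for name, pattern in spec.params.items():
        value = args[name]
        if not isinstance(value, str) or re.fullmatch(pattern, value) is None:
            return Decision("reject", f"invalid value for {name!r}")

    # 4. Least privilege: side-effecting tools need a human in the loop.
    if spec.tier == "write" and not approved:
        return Decision("needs_approval", "write-tier tool requires human approval", call)
    return Decision("run", "ok", call)


def render_for_ui(model_text: str) -> str:
    """LLM05 on the output side: model text is data, not markup. Escape it
    before it is inserted into HTML so a reply cannot carry script into the UI."""
    return html.escape(model_text, quote=True)


# Constructed sample replies, as an agent loop might receive them from a model.
SAMPLE_REPLIES = {
    "benign_read": '{"tool": "lookup_ticket", "args": {"ticket_id": "SEC-1042"}}',
    "write_without_approval": '{"tool": "close_ticket", "args": {"ticket_id": "SEC-1042"}}',
    "injected_tool": '{"tool": "run_shell", "args": {"cmd": "cat /etc/passwd"}}',
    "injected_arg": '{"tool": "lookup_ticket", "args": {"ticket_id": "SEC-1042; DROP TABLE tickets"}}',
    "extra_arg": '{"tool": "lookup_ticket", "args": {"ticket_id": "SEC-1042", "admin": true}}',
    "prose": "Sure! Closing the ticket now.",
}


def run_samples() -> dict:
    """Gate every sample reply and return the decision per sample."""
    return {label: gate_tool_call(reply).action for label, reply in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    for label, action in run_samples().items():
        print(f"{label:24s} -> {action}")
```

The design choice worth noting is that the gate never tries to detect injection in the free text; it constrains what any reply, injected or not, is able to do. Pair it with per-tool credentials scoped to the tier (a read-only token for "read" tools) so that even a bug in the gate cannot escalate beyond the tool's own privileges.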
How Modulos operationalizes OWASP work
In Modulos, OWASP becomes executable governance:
- represent OWASP categories as requirements and mapped controls
- link evidence (design docs, red-team results, incident records)
- run tests and store results as governance signals
The page illustrates this with a diagram of the Modulos model hierarchy (Frameworks → Requirements → Controls → Components → Evidence):
- Frameworks: EU AI Act (Regulatory), ISO 42001 (Standard)
- Requirements: Art. 9.1 Risk management, Art. 10.2 Data governance, 6.1.1 Risk assessment
- Controls: Risk assessment process (Reusable), Data validation checks (Reusable)
- Components: Risk identification, Impact analysis
- Evidence: Risk register (Document), Test results (Artifact)
Requirements preserve the source structure, controls are reusable across frameworks, and evidence attaches to components (sub-claims).
Related platform areas:
- Getting started
- Top risks: a practical overview of OWASP LLM01:2025–LLM10:2025
- Mitigations and testing: how to turn OWASP into controls, evidence, and tests in Modulos
- Testing: turn security evaluations into governance signals
Disclaimer
This page is for general informational purposes and does not constitute legal advice or security advice.