OWASP for AI Security

OWASP's AI security work — produced by the OWASP GenAI Security Project — is a widely referenced generative AI security baseline maintained by a community of security engineers, ML researchers, and LLM application practitioners under the OWASP Foundation.

Two Top 10 taxonomies anchor the project: the OWASP Top 10 for LLM Applications and the OWASP Top 10 for Agentic Applications. Both are in active use across enterprise AI programmes.

Quick decision

  • Building a chatbot, copilot, or RAG system → the OWASP Top 10 for LLM Applications is your primary AI-security baseline. The Agentic list does not add coverage you need.
  • Building or operating a multi-step autonomous agent → apply both lists. The LLM list still covers the underlying language-model risks; the OWASP Top 10 for Agentic Applications adds the agentic-specific risks (planning, tool use, identity, memory, inter-agent communication).
  • Running an enterprise AI governance programme → treat the OWASP lists as the security-risk vocabulary inside higher-order frameworks (NIST AI RMF, ISO/IEC 42001). OWASP does not replace either; it feeds evidence into both.
  • Subject to the EU AI Act → treat OWASP categories as technical evidence sources for the Article 15 cybersecurity, accuracy, and robustness obligations on high-risk providers, and for the Article 9 risk-management system. Compliance is determined by the Regulation, not by the OWASP lists.

Which list should you use?

Use both if you build AI agents. The two lists are layered:

Dimension      | OWASP Top 10 for LLM                                           | OWASP Top 10 for Agentic
Scope          | any LLM-powered application                                    | autonomous and semi-autonomous agents
Attack surface | prompts, retrieval, outputs, data exposure, supply chain       | planning, tool use, delegation, memory, inter-agent comms
Typical users  | app and platform engineers, red teams                          | agent framework developers, platform teams running agents in production
Maturity       | stable (2025 edition, v2.0)                                    | newer taxonomy, evolving rapidly

For a chatbot, RAG system, or LLM copilot, the LLM list is the primary reference. For an agent that plans, uses tools, and collaborates with other agents, apply the Agentic list on top of the LLM list.

Where OWASP fits in a broader AI governance program

OWASP's taxonomies are control-level — they name specific risks and mitigations. They plug into higher-order frameworks:

  • NIST AI RMF — OWASP categories feed the Measure function (as evaluation targets) and the Manage function (as treatment targets).
  • ISO/IEC 42001 — OWASP categories map onto Annex A.6 (AI system lifecycle) and A.7 (data for AI) as concrete risk sources.
  • EU AI Act — OWASP categories inform the Article 15 obligations on accuracy, robustness, and cybersecurity.

Other OWASP GenAI Security resources

Beyond the two Top 10 lists, the project maintains:

  • threat modeling guidance for GenAI systems
  • guidance on prompt-injection defenses
  • secure LLM deployment checklists
  • working groups on red-teaming, evaluations, and governance

All of it feeds the same goal: turning AI security risks into shared, named categories that teams can reason about consistently.

Frequently asked questions about OWASP for AI

What is OWASP for AI?

OWASP's AI-focused work is produced by the OWASP GenAI Security project. It maintains two community-voted Top 10 lists: the OWASP Top 10 for Large Language Model Applications (covering LLM-powered applications broadly) and the OWASP Top 10 for Agentic Applications (covering multi-step autonomous agents). Together they form the de-facto baseline taxonomy for generative AI security risks.

Should I use OWASP Top 10 for LLM or OWASP Top 10 for Agentic Applications?

Use both. The OWASP Top 10 for LLM covers the attack surface of any LLM-powered application — prompts, retrieval, outputs, data exposure, supply chain. The OWASP Top 10 for Agentic Applications extends the taxonomy to agents that plan, use tools, collaborate with other agents, and persist memory. Teams building autonomous agents apply both lists together.

Is the OWASP GenAI Security project official OWASP?

Yes. The OWASP GenAI Security project is a community-driven project under the OWASP Foundation. It maintains the OWASP Top 10 for LLM Applications and the OWASP Top 10 for Agentic Applications, publishes companion guidance, and runs working groups on generative AI security.

Source attribution

The OWASP Top 10 for Large Language Model Applications and OWASP Top 10 for Agentic Applications are published by the OWASP GenAI Security Project under the OWASP Foundation, licensed under Creative Commons Attribution-ShareAlike 4.0. Category designations are referenced as factual taxonomic labels; all explanatory content on this site is independently authored. "OWASP" and "OWASP Top 10" are trademarks of the OWASP Foundation; references on this site are descriptive use and do not imply endorsement, certification, or affiliation.

Disclaimer

This page is for general informational purposes and does not constitute legal advice or security advice. References to OWASP material reflect the publicly available text at the time of writing; for binding interpretation in your jurisdiction, consult the primary sources at genai.owasp.org and qualified counsel. The site links to OWASP material under CC BY-SA 4.0 for source clarity; no endorsement, certification, or affiliation by the OWASP Foundation is claimed.