OWASP for AI Security

OWASP's AI security work — produced by the OWASP GenAI Security project — is the de-facto generative AI security baseline. It is maintained by a community of security engineers, ML researchers, and LLM application practitioners under the OWASP Foundation.

Two Top 10 lists anchor the project: the OWASP Top 10 for LLM Applications and the OWASP Top 10 for Agentic Applications. Both are in active use across enterprise AI programs.

Which list should you use?

Use both if you build AI agents. The two lists are layered:

Dimension      | OWASP Top 10 for LLM                                        | OWASP Top 10 for Agentic
Scope          | any LLM-powered application                                 | autonomous and semi-autonomous agents
Attack surface | prompts, retrieval, outputs, data exposure, supply chain    | planning, tool use, delegation, memory, inter-agent comms
Typical users  | app and platform engineers, red teams                       | agent framework developers, platform teams running agents in production
Maturity       | stable (2025 edition, v2.0)                                 | newer taxonomy, evolving rapidly

For a chatbot, RAG system, or LLM copilot — the LLM list is the primary reference. For an agent that plans, uses tools, and collaborates with other agents — apply the Agentic list on top of the LLM list.

Where OWASP fits in a broader AI governance program

OWASP's taxonomies are control-level — they name specific risks and mitigations. They plug into higher-order frameworks:

  • NIST AI RMF — OWASP categories feed the Measure function (as evaluation targets) and the Manage function (as treatment targets).
  • ISO/IEC 42001 — OWASP categories map onto Annex A.6 (AI system lifecycle) and A.7 (data for AI) as concrete risk sources.
  • EU AI Act — OWASP categories inform the Article 15 obligations on accuracy, robustness, and cybersecurity.

Other OWASP GenAI Security resources

Beyond the two Top 10 lists, the project maintains:

  • threat modeling guidance for GenAI systems
  • guidance on prompt-injection defenses
  • secure LLM deployment checklists
  • working groups on red-teaming, evaluations, and governance

All of it feeds the same goal: turning AI security risks into shared, named categories that teams can reason about consistently.

Frequently asked questions about OWASP for AI

What is OWASP for AI?

OWASP's AI-focused work is produced by the OWASP GenAI Security project. It maintains two community-voted Top 10 lists: the OWASP Top 10 for Large Language Model Applications (covering LLM-powered applications broadly) and the OWASP Top 10 for Agentic Applications (covering multi-step autonomous agents). Together they form the de-facto baseline taxonomy for generative AI security risks.

Should I use OWASP Top 10 for LLM or OWASP Top 10 for Agentic Applications?

Use both. The OWASP Top 10 for LLM covers the attack surface of any LLM-powered application — prompts, retrieval, outputs, data exposure, supply chain. The OWASP Top 10 for Agentic Applications extends the taxonomy to agents that plan, use tools, collaborate with other agents, and persist memory. Teams building autonomous agents apply both lists together.

Is the OWASP GenAI Security project official OWASP?

Yes. The OWASP GenAI Security project is a community-driven project under the OWASP Foundation. It maintains the OWASP Top 10 for LLM Applications and the OWASP Top 10 for Agentic Applications, publishes companion guidance, and runs working groups on generative AI security.

Disclaimer

This page is for general informational purposes and does not constitute legal or security advice.