
OWASP Top 10 for LLM Applications & Agentic Systems

Technical security guidance for the full AI stack -- models through agents

Established: 2024 (LLM Top 10), 2025 (Agentic Top 10)
Last Updated: December 2025
Scope: Global
20 Risk Categories

// What is OWASP AI Security?

OWASP published two complementary lists covering the full AI security stack. The LLM Top 10 (updated for 2025) addresses model-layer risks in applications that use large language models. The Agentic Top 10 addresses action-layer risks in autonomous systems that plan, decide, and act with access to tools and data.

Together, these 20 risk categories give security teams and developers a technical testing framework for AI systems. The LLM list covers vulnerabilities like prompt injection, data poisoning, and excessive agency. The agentic list tackles what happens when AI systems can take real-world actions -- tool misuse, insufficient human oversight, privilege escalation through agent chaining, and supply chain risks in agent ecosystems.

Unlike regulatory frameworks, OWASP's lists are practitioner-driven and updated as new attack patterns emerge. They're increasingly referenced by auditors, enterprise procurement teams, and cyber insurance carriers as the baseline for AI security testing.

// Inside the Regulation

The two OWASP AI security lists address different layers of the AI stack. Organizations deploying LLM-powered applications should evaluate against the LLM Top 10. Organizations with AI agents that take actions should evaluate against both lists.

1. OWASP Top 10 for LLM Applications (2025)

Risk categories specific to applications that use large language models for text generation, summarization, analysis, and other tasks.

LLM01: Prompt Injection

Manipulating LLM behavior through crafted inputs that override system instructions -- both direct injection and indirect injection through external content.

LLM02: Sensitive Information Disclosure

LLMs revealing confidential data from training sets, RAG corpora, or system prompts through carefully constructed queries.

LLM03: Supply Chain Vulnerabilities

Risks from third-party models, training data, plugins, and dependencies -- poisoned models, malicious packages, and compromised fine-tuning data.

LLM04: Data and Model Poisoning

Corrupting training data or fine-tuning processes to introduce backdoors, biases, or exploitable behaviors into the model.

LLM05: Improper Output Handling

Failing to validate or sanitize model outputs before they reach downstream systems, enabling injection attacks through the AI as an intermediary.

LLM06: Excessive Agency

Granting LLMs unnecessary capabilities, permissions, or autonomy beyond what their function requires.

LLM07: System Prompt Leakage

System prompts containing sensitive instructions, API keys, or business logic exposed through prompt injection or model behavior analysis.

LLM08: Vector and Embedding Weaknesses

Vulnerabilities in vector databases and embedding pipelines used for retrieval-augmented generation -- including poisoning and access control bypass.

LLM09: Misinformation

LLMs generating plausible but incorrect information (hallucinations) that gets treated as authoritative by users or downstream systems.

LLM10: Unbounded Consumption

Resource exhaustion through excessive model queries, large context windows, or denial-of-service attacks that run up AI infrastructure costs.

2. OWASP Top 10 for Agentic Applications (2025)

Risk categories for autonomous AI systems that plan, decide, and take actions through tool integrations, API calls, and multi-step workflows.

Agent Behavior Hijacking

Manipulating an agent's decision-making through poisoned context, adversarial inputs, or exploiting the agent's reasoning process.

Tool Misuse

Agents calling connected tools in unintended ways -- making unauthorized API calls, accessing restricted data, or performing actions outside their mandate.

Insecure Multi-Agent Communication

Vulnerabilities in how agents communicate with each other -- message tampering, impersonation, and lack of authentication between agent systems.

Identity Spoofing and Impersonation

Agents acting under false identities or inheriting permissions they shouldn't have, enabling unauthorized access through identity confusion.

Cascading Hallucination Attacks

One agent's hallucinated output becoming another agent's trusted input in multi-agent systems, compounding errors into real-world consequences.

Insufficient Human Oversight

Critical agent decisions made without appropriate human review gates -- especially for irreversible actions or high-impact operations.

Insecure Agent Memory

Agents storing sensitive information in persistent memory without access controls, encryption, or expiration -- creating data exposure risks.

Privilege Escalation via Agent Chaining

Agents combining their individual permissions through multi-step workflows to achieve access levels none of them should have independently.

Supply Chain Vulnerability in Agent Ecosystems

Malicious or compromised tools, plugins, and skills in agent marketplaces -- the ClawHavoc-style supply chain attacks targeting agent frameworks.

Insufficient Logging and Monitoring

Agent actions not logged or monitored, making it impossible to detect abuse, investigate incidents, or maintain an audit trail of AI system behavior.

Note: Both lists are updated as new attack patterns emerge. The LLM Top 10 was significantly revised for 2025, and the Agentic Top 10 was published in late 2025 in response to the rapid deployment of autonomous AI systems. MITRE ATLAS added 14 agent-specific attack techniques in October 2025 that align with several of these categories.

// Who Must Comply

  1. Any organization deploying LLM-powered applications (chatbots, copilots, search, content generation)
  2. Organizations with AI agents that can take actions -- API calls, file operations, email, code execution
  3. Development teams building or integrating AI features into existing applications
  4. Security teams responsible for testing and monitoring AI systems
  5. Organizations whose customers or regulators expect documented AI security practices

// Key Requirements

Input Validation & Prompt Security

Validate and sanitize all inputs reaching AI models to prevent prompt injection -- both direct and indirect through external content

Output Handling Controls

Sanitize model outputs before they reach downstream systems or users to prevent injection and misinformation propagation

Agent Scope & Permissions

Apply least privilege to agent tool access and implement scope constraints that prevent agents from exceeding their intended function

Human Oversight Gates

Require human approval for irreversible or high-impact agent actions with appropriate review interfaces and escalation paths

AI Supply Chain Verification

Verify integrity of third-party models, plugins, and agent tools through provenance tracking, signature verification, and behavioral testing

AI Activity Logging

Log model queries, agent actions, tool invocations, and data flows with sufficient detail for detection, investigation, and audit
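The Output Handling, Agent Scope & Permissions, Human Oversight Gates and AI Activity Logging requirements above fit together in one enforcement point: a gateway that sits between the model and its tools. The sketch below is an added example written for this page, not code from OWASP or Breach Craft; the agent name, tool policy and approval rule are constructed assumptions.

```python
"""Minimal agent tool gateway: validates the model's proposed tool call,
enforces per-agent least privilege, holds irreversible actions for human
approval, and writes an audit entry for every decision."""
import json
import time
from dataclasses import dataclass, field
from typing import Callable

# Constructed policy (assumption): which tools each agent may call, whether a
# human must approve the call, and the exact argument names each tool accepts.
TOOL_POLICY = {
    "support-bot": {
        "lookup_order": {"approval": False, "args": {"order_id"}},
        "issue_refund": {"approval": True, "args": {"order_id", "amount"}},
    },
}


@dataclass
class ToolGateway:
    approver: Callable[[str, str, dict], bool]  # human review hook
    audit_log: list = field(default_factory=list)

    def dispatch(self, agent: str, model_output: str) -> dict:
        """Treat model output as untrusted: parse, scope-check, gate, log."""
        try:
            call = json.loads(model_output)
            tool, args = call["tool"], call["args"]
        except (ValueError, KeyError, TypeError):
            return self._record(agent, None, "rejected", "malformed tool call")
        policy = TOOL_POLICY.get(agent, {}).get(tool)
        if policy is None:
            return self._record(agent, tool, "denied", "tool outside agent scope")
        if not isinstance(args, dict) or set(args) != policy["args"]:
            return self._record(agent, tool, "denied", "unexpected arguments")
        if policy["approval"] and not self.approver(agent, tool, args):
            return self._record(agent, tool, "held", "awaiting human approval")
        # A real deployment would invoke the tool here; the audit entry is the point.
        return self._record(agent, tool, "executed", "policy satisfied", args)

    def _record(self, agent, tool, decision, reason, args=None) -> dict:
        entry = {"ts": time.time(), "agent": agent, "tool": tool,
                 "decision": decision, "reason": reason, "args": args}
        self.audit_log.append(entry)
        return entry
```

Every path through `dispatch` ends in `_record`, so a denied or malformed call leaves the same audit trail as an executed one.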

// Enforcement & Penalties

OWASP lists are voluntary community-driven standards with no direct enforcement mechanism. However, they're increasingly referenced by auditors evaluating AI security practices, enterprise procurement teams in vendor assessments, and cyber insurance carriers when evaluating AI-related risk exposure. Non-alignment is a soft liability, not a regulatory violation.

Maximum Penalty

No direct regulatory fines (voluntary standard)

Examples:

  • Auditors referencing OWASP AI lists during SOC 2 and ISO 27001 assessments of AI systems
  • Enterprise customers requiring OWASP alignment in procurement security questionnaires
  • Increased liability exposure in breach litigation if known OWASP AI vulnerabilities were unaddressed
  • Insurance carriers citing OWASP categories when evaluating or denying AI-related claims

// Cyber Insurance Impact

Cyber insurance carriers are beginning to reference OWASP AI lists when evaluating organizations that deploy AI systems. Demonstrating alignment with both the LLM and Agentic Top 10 provides evidence of proactive AI security practices. As AI-related claims increase, expect OWASP AI security alignment to carry the same weight in underwriting that OWASP Top 10 web security alignment carries today.

// How Breach Craft Helps

We help organizations achieve OWASP AI Security compliance through genuine security improvements, not checkbox exercises. Our services address the specific requirements and challenges of OWASP AI Security.

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873