Skip to Content
Securing the Use of AI

What is the OWASP LLM Top 10?

The OWASP LLM Top 10 is the list of the ten most critical security risks in applications that use language models (the AI behind chatbots and assistants). Published by OWASP, a world reference organization in software security, it gives companies a common language and a starting point to protect the use and development of AI.

Zamak TechnologiesUpdated on July 11, 2026

What the OWASP LLM Top 10 is for

OWASP maintains ten-most-critical-risks lists that became industry references (the most famous is for web applications). The AI version was created because language models brought new risks the old lists did not cover. It serves to:

1

Give a common language

Security teams, developers and leadership start calling the same risks by the same names, instead of each one describing the problem in their own way.

2

Prioritize what matters

Instead of protecting everything at once, the company starts with the ten risks the global community identified as the most critical.

3

Guide those who build and those who buy AI

It serves both those who build an AI app and those who assess the security of a tool before adopting it.

4

Evolve with the threat

The list is revised as new attacks appear. The 2025 edition incorporated the rise of AI agents and real-world incidents.

Source: OWASP Top 10 for LLM Applications (2025 edition).

The ten risks of the OWASP list for AI (2025)

  • LLM01 Prompt Injection Hidden malicious instructions make the AI ignore its rules. The number 1 risk, for the second edition in a row.
  • LLM02 Sensitive Information Disclosure The AI reveals confidential data, whether from the conversation, the training or connected systems.
  • LLM03 Supply Chain risks Third-party models, data and components bring vulnerabilities inherited from outside.
  • LLM04 Data and Model Poisoning The training data is corrupted so the AI acts in a way controlled by the attacker.
  • LLM05 Improper Output Handling The AI's response is used by another system without verification, opening gaps like code execution.
  • LLM06 Excessive Agency The AI is given more permission than it needs and can trigger harmful actions on its own.
  • LLM07 System Prompt Leakage The internal instructions guiding the AI are exposed, revealing rules and configuration secrets.
  • LLM08 Vector and Embedding Weaknesses Flaws in how the AI stores and searches knowledge allow data to be manipulated or extracted.
  • LLM09 Misinformation The AI generates a wrong answer that looks true, and someone acts on it.
  • LLM10 Unbounded Consumption Abusive use that blows up cost and capacity, a kind of denial of service for AI.

Why the OWASP LLM Top 10 matters to your company

10 risks
the set the global security community considers most critical in AI
No. 1
prompt injection leads the list, reflecting real attacks
13%
of organizations have already suffered a breach of AI models or applications (IBM 2025)

Every company that adopts AI, whether using a ready-made assistant or building its own, inherits a new attack surface. The value of the OWASP LLM Top 10 is turning an abstract question (is AI safe?) into a concrete list that leadership can demand and the technical team can follow. Without such a reference, each AI project improvises its own security, and what has no name enters neither the budget nor the audit. With the list, the company can ask objectively: are we protected against prompt injection? Against sensitive data disclosure? Against an agent's excessive agency? It is the difference between trusting it is fine and being able to verify.

How to use the OWASP LLM Top 10 in practice

The list is not a product you install; it is a guide that informs decisions. To get value from it:

  1. Map where the company uses AIBefore applying the list, know which AI tools and applications exist, including those adopted without approval.
  2. Assess each use against the ten risksFor each application, ask which of the ten risks apply and what is already protected.
  3. Start at the topPrompt injection and sensitive data disclosure are usually the most urgent for those who use AI day to day.
  4. Demand the list from vendorsWhen hiring an AI tool, ask how it handles the OWASP LLM Top 10 risks. The answer separates the serious from the improvised.

In practice

You do not need to become an AI expert to use this list. Just bring it to the next conversation about an AI tool and ask: how do you handle each of these ten risks? Whoever has no clear answer has not thought about security yet.

How Zamak uses the OWASP LLM Top 10

Zamak Technologies uses the OWASP LLM Top 10 as a reference in managed cybersecurity in the Zamak Method: it assesses where the company exposes AI, prioritizes the most critical risks (starting with prompt injection) and applies the defenses alongside the internal team. A good starting point is the AI exposure diagnostic, which reveals which AI uses exist so they can then be assessed against the list.

Frequently asked questions about the OWASP LLM Top 10

What is the OWASP LLM Top 10?
It is the list of the ten most critical security risks in AI applications based on language models, published by OWASP. It serves as a common reference to protect the use and development of AI.
What is OWASP?
It is a nonprofit organization that is a world reference in software security. Its ten-most-critical-risks lists are widely adopted by the industry; the best known is for web applications.
What is the number 1 risk on the list?
Prompt injection (LLM01), in which hidden malicious instructions make the AI ignore its rules. It leads the list for the second edition in a row.
Is the list useful for those who only use AI, not develop it?
Yes. Besides guiding those who build AI apps, it helps those who buy tools assess a vendor's security and ask the right questions before adopting.
How often is the list updated?
OWASP revises the list as new attacks and technologies emerge. The 2025 edition incorporated the rise of AI agents and real incidents.
How do I start applying the OWASP LLM Top 10?
By mapping AI use in the company. With the picture in hand, each application is assessed against the ten risks, starting with the most urgent.