What Is the OWASP Top 10 for LLMs?

What Is the OWASP Top 10 for LLMs?

The OWASP Top 10 for LLM Applications is the OWASP project’s canonical list of the most critical security risks specific to systems built around large language models. The list, first published in 2023 and refreshed annually, covers ten categories: prompt injection, insecure output handling, training-data poisoning, denial-of-service, supply-chain, sensitive-information disclosure, insecure plugin design, excessive agency, overreliance, and model theft. It is the reference engineers use when scoping an LLM threat model, the taxonomy red-team corpora map to, and the framework many enterprise procurement reviews now ask about by name.

Why It Matters in Production LLM and Agent Systems

The OWASP Web Top 10 took a decade to become the default reference for application security; the LLM Top 10 has compressed that adoption curve. By 2026, security questionnaires from regulated buyers — banks, hospitals, public-sector — explicitly ask which of the ten an LLM vendor has documented controls for. “We don’t have a position on LLM01 prompt injection” is a deal-blocker.

The taxonomy also forces a shape on the threat model that is otherwise easy to under-scope. Without it, engineering teams patch the attack they read about that week — usually direct prompt injection — and ignore training-data supply-chain (LLM05) or excessive agency (LLM08), which are higher-impact for agent systems. The Top 10 is the checklist that says “if you have agents calling tools, you owe a control for LLM08.”

In 2026 agent stacks, three categories dominate the real incident logs: LLM01 prompt injection (especially indirect injection through retrieved content), LLM06 sensitive-information disclosure (PII leakage from context windows), and LLM08 excessive agency (agents invoking tools they should not have access to). A defense program that quantifies its posture against each category — block-rate, false-positive rate, audit coverage — is the one that survives an enterprise review.

How FutureAGI Handles the OWASP LLM Top 10

FutureAGI maps each of the ten categories to concrete evaluators, gateway primitives, and tracing surfaces. The mapping is deliberately direct so engineering teams can answer the question “which control fires for LLMxx?” without ambiguity.

• LLM01 Prompt Injection — PromptInjection and ProtectFlash evaluators run as pre-guardrail in Agent Command Center; same checks run on retrieved context for indirect injection.
• LLM02 Insecure Output Handling — post-guardrail: [ContentSafety, ContainsValidLink] plus downstream sanitization; traceAI captures the raw output for forensic review.
• LLM03 Training Data Poisoning — covered upstream of FutureAGI through dataset provenance; FutureAGI’s regression evaluators (Faithfulness, Groundedness) detect drift indicative of poisoning post-deployment.
• LLM04 Denial of Service — Agent Command Center rate-limiting, retry-strategy, and routing-policy primitives plus token-cost-per-trace alerting.
• LLM05 Supply-Chain Vulnerabilities — model-registry pinning in the gateway plus traceAI logging of provider, model, and version per call.
• LLM06 Sensitive Information Disclosure — PII and DataPrivacyCompliance evaluators as both pre and post-guardrails; audit-log captures every redaction.
• LLM07 Insecure Plugin Design — security-detector evaluator family (SQLInjectionDetector, CodeInjectionDetector, PathTraversalDetector, SSRFDetector) screens tool-call arguments and outputs.
• LLM08 Excessive Agency — tool-call schema validation through JSONValidation, ParameterValidation, and ActionSafety evaluators; gateway routing-policy enforces tool allowlists per route.
• LLM09 Overreliance — output-side Faithfulness, Groundedness, and CitationPresence evaluators surface unsupported claims so user-facing UI can attach warnings.
• LLM10 Model Theft — Agent Command Center API-key rotation, rate-limiting, and request-signature logging; traceAI audit logs support exfiltration investigation.

Engineering teams that wire these into the eval pipeline and the gateway from day one publish a clean OWASP-LLM-Top-10 control matrix in their security questionnaire. FutureAGI gives the controls and signals; the policy decisions and the broader security program remain yours.

How to Measure or Detect It

Each Top 10 category gets its own metric, then rolled into a posture summary:

• LLM01 block-rate — PromptInjection and ProtectFlash fire-rate, broken out by direct vs. indirect injection.
• LLM06 redaction count — PII post-guardrail fires per 1K requests; trend toward zero.
• LLM08 unauthorized-tool-call rate — fraction of trajectories where an agent attempted a tool outside its allowlist.
• LLM07 tool-call security findings — count of SQLInjectionDetector, CodeInjectionDetector, SSRFDetector hits on tool inputs/outputs.
• Coverage matrix completeness — fraction of the ten categories with a documented control, owner, and audit-log signal.

from fi.evals import PromptInjection, PII, ActionSafety

inj = PromptInjection()
pii = PII()
act = ActionSafety()
print(inj.evaluate(input=user_msg).score)
print(pii.evaluate(output=resp).score)

Common Mistakes

• Treating LLM01 as the whole program. Prompt injection gets headlines; LLM06, LLM08, and LLM07 cause more real-world damage in agent systems.
• Ignoring indirect prompt injection in the LLM01 control. A guardrail that only inspects user inputs misses the 2026 dominant attack vector.
• No control for LLM08 excessive agency. Tool allowlists, parameter validation, and trajectory-level review are the controls; “trust the model” is not one.
• Mapping evaluators to categories without measuring fire-rate. A control that has never fired in production is either healthy or broken — you cannot tell without a regression suite.
• Skipping LLM05 supply-chain. Pin model versions and log provider per call; “auto-upgrade to latest” silently breaks reproducibility and audit.