OWASP Top 10 for LLMs Explained in Plain English

OWASP published a list of the 10 biggest security risks in LLM applications. If you ship AI features, you need to know what’s on it. The OWASP Top 10 for LLM Applications has quickly become the standard framework that security teams, auditors, and regulators reference when evaluating AI systems. Here’s what each risk means in plain English.

1. Prompt Injection

Someone tricks your AI into ignoring its instructions and following theirs instead. This can happen directly — a user types a cleverly worded message — or indirectly, through content the AI reads from external sources like documents, emails, or web pages. This is the most widespread and dangerous vulnerability in LLM applications today.

2. Insecure Output Handling

Your AI generates output that gets executed somewhere downstream without proper validation. For example, if your AI generates HTML or JavaScript that renders in a user’s browser, an attacker could use prompt injection to make the AI produce malicious code. The AI becomes a vector for traditional web attacks like cross-site scripting.

3. Training Data Poisoning

Bad data gets into the model’s training set — either the base model or your fine-tuning data — and corrupts the model’s behavior. This can introduce backdoors, biases, or vulnerabilities that are extremely difficult to detect after the fact. If you fine-tune models on user-generated content or scraped data, this risk is especially relevant.

4. Model Denial of Service

Someone overwhelms your AI with expensive queries designed to consume maximum resources. Unlike traditional DoS attacks that flood a server with requests, model DoS can involve crafting inputs that cause the model to generate extremely long outputs or enter resource-intensive processing loops. A single well-crafted prompt can be more expensive than thousands of normal requests.

5. Supply Chain Vulnerabilities

The models, plugins, data sources, or third-party components you rely on get compromised. This includes pre-trained models downloaded from public repositories, third-party plugins or tools your AI uses, and training datasets from external sources. If any link in your AI supply chain is compromised, your entire application inherits that vulnerability.

6. Sensitive Information Disclosure

The AI leaks personal data, API keys, system prompts, or internal business information through its responses. This can happen because the model memorized sensitive training data, because the retrieval system pulls in confidential documents, or because the system prompt contains information that should remain private. Users can often extract this information through targeted questioning.

7. Insecure Plugin Design

Your AI’s integrations with external systems — APIs, databases, file systems, email services — can be exploited through the AI. If your chatbot can query a database and the input isn’t properly sanitized, an attacker can use the AI as a proxy to perform SQL injection. The AI becomes an intermediary that bypasses your normal security controls.

8. Excessive Agency

Your AI can take actions it shouldn’t — send emails, delete data, make purchases, modify records — either because it has too many permissions or because it can be manipulated into misusing the permissions it has. The principle of least privilege applies to AI systems just as it does to human users, but many AI deployments grant far more access than necessary.

9. Overreliance

Users trust AI outputs without verification, leading to errors, misinformation, or poor decisions. When an AI confidently states something incorrect — which happens regularly — users who don’t verify the output can act on false information. This is especially dangerous in high-stakes domains like healthcare, legal, and financial services.

10. Model Theft

Someone extracts or replicates your proprietary model through the API. By sending carefully designed queries and analyzing the responses, an attacker can create a functional copy of your model without access to the original weights or training data. This threatens your intellectual property and competitive advantage.

What to Do About It

The OWASP Top 10 for LLMs is not just a list — it’s a framework for action. Every AI application should be assessed against these risks before going to production and at regular intervals afterward. An independent security assessment by a team that specializes in AI will identify which of these risks apply to your specific implementation and provide actionable remediation guidance.