
OWASP Top 10 AI Vulnerabilities Explained


“OWASP top 10 AI vulnerabilities” is a commonly used search phrase for guidance on security risks in LLM and generative AI systems. Originally launched as the OWASP Top 10 for Large Language Model Applications (LLMs), the initiative later expanded into the broader OWASP GenAI Security Project, which helps teams assess risks such as prompt injection, sensitive information disclosure, supply chain exposure, excessive agency, and improper output handling.

To reduce attack surface and better protect stakeholders and users from cyberattacks, security and DevSecOps teams should consider integrating OWASP’s AI security guidance into system architecture, secure development lifecycle (SDLC) controls, and operational governance. The earlier teams apply these practices during development, the better they will be able to manage AI-specific risks. This guide explores the OWASP AI Top 10 framework in detail, including its risk categories and how teams can map vulnerabilities to DevSecOps controls.

What is the OWASP “AI Top 10” framework and what is the official name?

People often search for “OWASP top 10 AI vulnerabilities,” but the official OWASP resource is the OWASP Top 10 for LLMs and GenAI Apps, part of the OWASP GenAI Security Project. The project provides guidance for identifying and mitigating security risks in LLM-powered and generative AI applications, including the latest 2025 Top 10 risks and mitigation strategies.

Resources may still reference the framework’s older names, such as the OWASP Top 10 for LLMs v1.1 (2023) or 2023-24 LLM Top 10. OWASP maintains both archived versions and the most current guidance on its project pages, so teams can track how AI security risks and mitigation practices have evolved.

How OWASP evolved from LLM Top 10 into the broader GenAI Security Project

As generative AI ecosystems and attack surfaces expanded, OWASP’s guidance evolved to address broader risks.

Originally, the OWASP Top 10 for LLM Applications was a focused project on risks to LLM applications. As generative AI systems became more complex and integrated into broader software environments, the initiative expanded into the OWASP GenAI Security Project. 

According to OWASP, the LLM Top 10 remains a core component of the broader GenAI Security Project, while the broader project provides additional guidance about generative AI security and safety across multiple initiatives. It also provides resources for LLM apps and agentic AI security.

OWASP is also developing related frameworks, such as the OWASP Top 10 for Agentic Applications (2026), which identifies the most critical security risks facing agentic AI and autonomous systems. While related, it is separate from the LLM and GenAI Top 10. 

Risk categories in the OWASP AI vulnerabilities framework

The OWASP Top 10 for LLM Applications framework identifies systemic weaknesses that can arise in AI-powered applications, rather than focusing on isolated model issues. The framework groups risk across multiple layers of the AI application stack, including:

  • Prompt and input manipulation
  • Sensitive data exposure
  • Output validation and execution misuse
  • Data, model, and retrieval integrity risks
  • Tool, plugin, and integration risk
  • Supply chain and dependency exposure
  • Availability and cost abuse

Unlike traditional OWASP web vulnerability categories, which primarily focus on application code flaws, generative AI risks often span architecture, orchestration, data pipelines, and runtime behavior in addition to code flaws.

All 10 OWASP AI vulnerabilities explained (OWASP LLM/GenAI Top 10, 2025)

The OWASP Top 10 for LLMs (2025) identifies the most critical security risks affecting generative AI systems. These are:

  1. Prompt Injection (LLM01:2025) happens when attackers manipulate prompts or external content to alter model behavior. Malicious inputs can override system instructions, leading to policy bypass, data exposure, and unintended actions.
  2. Sensitive Information Disclosure (LLM02:2025) can happen through prompts, context, memory, outputs, or integrations. If not properly controlled, LLM applications can unintentionally leak secrets, internal data, or regulated information.
  3. Supply Chain (LLM03:2025) risks enter through third-party models, SDKs, connectors, plugins, frameworks, and datasets used within AI systems. Weaknesses or malicious components in dependencies can compromise application integrity and introduce hidden vulnerabilities.
  4. Data and Model Poisoning (LLM04:2025) occurs when malicious or corrupted data affects training, fine-tuning, embeddings, or retrieval sources. This can degrade reliability, safety, or security outcomes.
  5. Improper Output Handling (LLM05:2025) happens when applications trust and execute model output without validation or sanitization. It can lead to downstream injection, unsafe automation, or application misuse.
  6. Excessive Agency (LLM06:2025) occurs when LLM-powered systems are granted overly broad permissions or autonomous actions. When AI agents are given too much permission, they can perform actions that affect system integrity or business processes.
  7. System Prompt Leakage (LLM07:2025) happens when hidden system instructions are exposed or inferred by users or attackers. It can weaken defences and reveal internal logic or constraints.
  8. Vector and Embedding Weaknesses (LLM08:2025) are weaknesses in vector stores, embeddings, and retrieval layers. They may allow unauthorized data access, manipulation of knowledge sources, or unreliable retrieval results.
  9. Misinformation (LLM09:2025) is when LLMs generate false, misleading, or overconfident outputs. Without proper monitoring and human oversight, these outputs can lead to business and security risks.
  10. Unbounded Consumption (LLM10:2025) occurs when model or tool usage is not properly limited. Attackers and poorly designed workflows can consume too many resources, leading to increased costs, degraded performance, and service disruption.

How AI vulnerabilities expand the application attack surface

Every new AI integration expands the attack surface, often in ways security teams are not yet fully equipped to monitor. Here are several ways AI components increase exposure.

  • Application-layer vulnerabilities: Because AI features are typically embedded within existing applications, traditional vulnerabilities such as misconfigurations and injection flaws can interact with AI-driven functionality and amplify security risks.
  • Prompt and orchestration logic: LLM systems rely on prompts, system instructions, and orchestration frameworks to guide model behavior. Accordingly, weak prompt isolation — the ability to separate trusted instructions from untrusted input — and poorly designed workflows can allow attackers to manipulate model instructions or influence downstream actions.
  • Model behavior and output handling: AI systems generate outputs probabilistically, so applications that treat model responses as trusted instructions may accidentally execute unsafe or malicious outputs.
  • Data and retrieval pipelines: Generative AI applications often rely on external data sources, vector databases, and retrieval pipelines. If these sources are manipulated or insufficiently protected, they can affect model responses and compromise system integrity.
  • API and plugin/tool integrations: Many AI systems interact with external APIs and automation tools. These integrations can introduce new attack vectors if models are allowed to call external services without proper validation or access controls.
  • Third-party AI services and dependencies: Weaknesses in third-party components, such as external models, can introduce supply chain risks that compromise the security of the entire application environment.

Ultimately, teams should keep in mind that many security incidents stem from integration and workflow weaknesses, not only from model design.

What happens when LLM and GenAI vulnerabilities get exploited

When attackers exploit LLM and GenAI vulnerabilities, multiple systems may be affected beyond the model itself:

  • Exposure of API keys or tokens: Prompt injection or insecure integrations can cause AI systems to reveal credentials stored in prompts or connected services. Attackers can use these to access internal infrastructure or external platforms.
  • Leakage of proprietary or regulated data: Sensitive information stored in prompts, memory systems, training data, or retrieval databases may be exposed through model outputs, which could potentially violate privacy regulations or confidentiality obligations.
  • Compromised automated workflows: LLM-driven automation can trigger unintended actions when manipulated prompts or malicious inputs alter system behavior, leading to corrupted processes or unsafe operational decisions.
  • Unauthorized actions through connected tools: Attackers may be able to trigger unauthorized actions like modifying records or initiating transactions when AI systems are permitted to interact with APIs or plugins.
  • Service degradation or cost spikes: Threat actors can generate excessive queries and overload AI infrastructure, degrading performance and inflating unexpected operational costs.
  • Regulatory, audit, and compliance issues: Security incidents involving AI systems can create compliance exposure if organizations fail to adequately protect sensitive information like personal and financial data.
  • Reputational and financial damage: When the public discovers an organization has experienced AI security failures, the organization may experience eroded customer trust and disrupted business operations. It may also incur financial losses from lost business, regulatory penalties, and remediation costs.

Many real-world incidents stem from integration weaknesses, trust boundary failures, or unsafe automation paths, rather than flaws in the underlying model alone. As generative AI systems become more deeply embedded in business workflows, these risks may increasingly resemble full-stack security issues.

Mapping OWASP AI vulnerabilities to DevSecOps controls

To mitigate generative AI security risks, teams must bake safeguards throughout the software development lifecycle (SDLC). Here’s how they can accomplish that.

Secure architecture and trust boundaries

AI-enabled systems should be designed with clear trust boundaries between users, models, tools, and data sources. This includes:

  • Limiting model and agent permissions to prevent unintended access to sensitive systems or data.
  • Enforcing separation of trust boundaries like system prompts and user inputs to reduce the impact of compromised components.
  • Reducing excessive AI agency and limiting it to clearly defined tasks and permissions to prevent unintended system behavior.
  • Adding approval gates, such as human approval or additional validation steps, for high-impact actions such as executing transactions or modifying records.

Input and output validation

Teams also need to validate both model inputs and outputs to prevent manipulation and unsafe execution paths. At a minimum, they should:

  • Sanitize and constrain prompts where appropriate to reduce the likelihood of prompt injection or malicious instructions.
  • Treat model output as untrusted data and verify it before execution or rendering.
  • Implement guardrails, filtering, and policy checks to help prevent unsafe outputs from reaching downstream systems.
  • Use allowlists for tool calls and destinations to restrict which services an AI system can access. This helps limit abuse of external integrations.
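The following block is an added example, not code from Kiuwan or from the OWASP project, that puts the two preceding sections into practice: model output is parsed as untrusted data, the proposed tool call is checked against a tool allowlist, an argument schema and a destination allowlist, and high-impact tools are routed through an approval gate rather than executed directly. The tool names, hosts, policy table and the `Decision` type are assumptions constructed for the example.

```python
"""Added example (not Kiuwan's or OWASP's code): validate a model-proposed
tool call against an allowlist, an argument schema and a destination
allowlist, and route high-impact tools through an approval gate.
Tool names, hosts and policy entries below are constructed for illustration."""
import json
from dataclasses import dataclass
from typing import Optional, Set
from urllib.parse import urlparse

# Constructed policy: the only tools the model may invoke, the exact argument
# names and types each accepts, and whether a human must approve the call.
TOOL_POLICY = {
    "lookup_order": {"args": {"order_id": str}, "requires_approval": False},
    "fetch_url": {"args": {"url": str}, "requires_approval": False},
    "issue_refund": {
        "args": {"order_id": str, "amount": (int, float)},
        "requires_approval": True,  # high-impact: money moves
    },
}
# Constructed destination allowlist for the fetch_url tool.
ALLOWED_HOSTS = {"api.example.internal", "docs.example.com"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_approval: bool = False
    call: Optional[dict] = None


def validate_tool_call(raw_model_output: str) -> Decision:
    """Treat the model's output as untrusted input: parse strictly, then
    check every field against policy before anything is executed."""
    try:
        call = json.loads(raw_model_output)
    except json.JSONDecodeError:
        return Decision(False, "output is not valid JSON")
    if not isinstance(call, dict) or set(call) != {"tool", "args"}:
        return Decision(False, "output does not match the {tool, args} shape")
    tool, args = call["tool"], call["args"]
    policy = TOOL_POLICY.get(tool) if isinstance(tool, str) else None
    if policy is None:
        return Decision(False, f"tool {tool!r} is not in the allowlist")
    if not isinstance(args, dict) or set(args) != set(policy["args"]):
        return Decision(False, "argument names do not match the tool schema")
    for name, expected in policy["args"].items():
        value = args[name]
        # bool is a subclass of int, so reject it explicitly for numeric args.
        if isinstance(value, bool) or not isinstance(value, expected):
            return Decision(False, f"argument {name!r} has the wrong type")
    if tool == "fetch_url":
        parsed = urlparse(args["url"])
        if parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS:
            return Decision(False, "destination host is not in the allowlist")
    return Decision(True, "ok", policy["requires_approval"], call)


def dispatch(raw_model_output: str, approvals: Optional[Set[str]] = None) -> str:
    """Gate execution on the policy decision. Real tool execution is replaced
    by a returned status string so the example runs offline."""
    decision = validate_tool_call(raw_model_output)
    if not decision.allowed:
        return f"REJECTED: {decision.reason}"
    tool = decision.call["tool"]
    if decision.needs_approval and tool not in (approvals or set()):
        return f"PENDING_APPROVAL: {tool}"
    return f"EXECUTED: {tool}({json.dumps(decision.call['args'], sort_keys=True)})"


if __name__ == "__main__":
    print(dispatch('{"tool": "lookup_order", "args": {"order_id": "A-1001"}}'))
    print(dispatch('{"tool": "delete_all_orders", "args": {}}'))
    print(dispatch('{"tool": "issue_refund", "args": {"order_id": "A-1001", "amount": 12.5}}'))
```

The design choice worth noting is that the policy is expressed as data the model never sees: the model can propose any call it likes, but only a call whose tool, argument names, argument types and destination all match the table reaches the dispatcher, and the refund tool still waits for an out-of-band approval token.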

Identity, access, and secrets management

Besides validating both model inputs and outputs, teams should also implement strong access controls. This is because AI systems often interact with multiple services and data sources, which means a larger attack surface. Here’s how teams can get started doing this:

  • Use scoped credentials and least privilege to limit potential damage if credentials are exposed. Least privilege means granting users or systems only the minimum access necessary to perform their tasks.
  • Protect and rotate secrets to reduce the risk of compromise.
  • Avoid placing broad secrets in prompts or system context. The more teams store secrets in prompts or system instructions, the higher the risk of leakage through prompt injection or model outputs.
  • Monitor, log, and audit tool access and privileged actions to detect misuse and make forensic investigation easier if and when attacks happen.
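As an added example (not Kiuwan's code), the block below covers two of the points above: it scans the system prompt and retrieved documents for secret-looking material before they are assembled into model context, redacting and counting what it finds so the offending template or document can be fixed, and it produces a JSON audit line for each privileged tool decision with the arguments hashed rather than stored. The detection patterns, sample text, principal and tool names are constructed assumptions; the AWS access key ID prefix and PEM header are public formats, the remaining patterns are generic.

```python
"""Added example (not Kiuwan's code): keep secrets out of model context and
record privileged tool access for audit. Patterns and sample text are
constructed for illustration; real deployments tune them to their own
secret formats."""
import hashlib
import json
import re
from typing import Dict, List, Tuple

# Constructed detectors for common secret shapes. The AWS access key ID
# prefix and PEM header are well-known public formats; the others are generic.
SECRET_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("bearer_token", re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{20,}=*")),
    ("credential_assignment",
     re.compile(r"(?i)\b(api[_-]?key|secret|password|passwd|token)\b\s*[:=]\s*\S+")),
]


def scan_for_secrets(text: str) -> List[Dict[str, str]]:
    """Return every match as {kind, match}; an empty list means clean."""
    findings = []
    for kind, pattern in SECRET_PATTERNS:
        for m in pattern.finditer(text):
            findings.append({"kind": kind, "match": m.group(0)})
    return findings


def redact(text: str) -> str:
    """Replace each secret-looking span with a labelled placeholder."""
    for kind, pattern in SECRET_PATTERNS:
        text = pattern.sub(f"[REDACTED:{kind}]", text)
    return text


def build_model_context(system_prompt: str, retrieved_docs: List[str]) -> Dict[str, object]:
    """Assemble the context sent to the model. Secret-looking material is
    redacted rather than forwarded, and the count and kinds are reported so
    the source (a prompt template, a retrieved document) can be cleaned up."""
    parts = [system_prompt] + retrieved_docs
    findings = [f for p in parts for f in scan_for_secrets(p)]
    return {
        "context": "\n\n".join(redact(p) for p in parts),
        "redactions": len(findings),
        "kinds": sorted({f["kind"] for f in findings}),
    }


def audit_event(principal: str, tool: str, decision: str, args: dict) -> str:
    """One JSON line per privileged action. Arguments are hashed so the log
    can be retained without itself becoming a secret store."""
    digest = hashlib.sha256(json.dumps(args, sort_keys=True).encode()).hexdigest()[:16]
    return json.dumps({"principal": principal, "tool": tool, "decision": decision,
                       "args_sha256_16": digest}, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample: a prompt template that accidentally embeds a key.
    ctx = build_model_context(
        "You are a support assistant. api_key=sk-constructed-1234",
        ["Order notes for ticket 42", "legacy doc: aws key AKIAABCDEFGHIJKLMNOP found"],
    )
    print(ctx["redactions"], ctx["kinds"])
    print(audit_event("alice", "issue_refund", "PENDING_APPROVAL", {"amount": 5}))
```

Pattern scanning of this kind is a safety net, not a substitute for keeping credentials in a secrets manager and injecting them at the tool boundary; the redaction count is the signal that tells you which template or corpus still needs fixing.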

Dependency and supply chain analysis

Generative AI systems frequently rely on external models, frameworks, and plugins, which introduce supply chain risks. As such, security teams should do the following to decrease the attack surface:

  • Identify vulnerable open-source libraries using dependency scanning tools. 
  • Monitor AI SDK and plugin dependencies for security issues.
  • Maintain Software Bill of Materials (SBOM) visibility to track dependencies and identify affected components when emerging vulnerabilities are announced.
  • Define update and provenance review practices by verifying the source and integrity of models, datasets, and software components before deployment.
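The last item above, verifying source and integrity before deployment, is shown in the following added example (not Kiuwan's code). At review time an artifact such as a model file is pinned to the origin it was obtained from and its SHA-256 digest; at deploy time the same artifact is refused if it is unknown, came from a different origin, or no longer matches the reviewed digest. The manifest structure, trusted host list, artifact name and byte content are constructed assumptions.

```python
"""Added example (not Kiuwan's code): pin AI artifacts (model weights, datasets,
plugin bundles) to a reviewed source and digest, then refuse to load anything
that does not match at deploy time. Names, hosts and bytes are constructed."""
import hashlib
from typing import Dict
from urllib.parse import urlparse

# Constructed: the only origins a reviewed artifact may come from.
TRUSTED_HOSTS = {"models.example.internal", "artifacts.example.com"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_artifact(manifest: Dict[str, dict], name: str, source_url: str, data: bytes) -> None:
    """Provenance review step: record where the artifact was obtained and
    its digest. Refuses sources outside the trusted origin list."""
    parsed = urlparse(source_url)
    if parsed.scheme != "https" or parsed.hostname not in TRUSTED_HOSTS:
        raise ValueError(f"refusing to pin {name}: untrusted source {source_url}")
    manifest[name] = {"source": source_url, "sha256": sha256_hex(data)}


def verify_artifact(manifest: Dict[str, dict], name: str, source_url: str, data: bytes) -> str:
    """Deploy-time check. Returns 'ok' or a reason string; callers must not
    load the artifact unless the result is 'ok'."""
    entry = manifest.get(name)
    if entry is None:
        return "unknown artifact: not in manifest"
    if source_url != entry["source"]:
        return "source mismatch: artifact fetched from a different origin"
    if sha256_hex(data) != entry["sha256"]:
        return "digest mismatch: artifact content differs from the reviewed version"
    return "ok"


# Constructed stand-ins for real files: the reviewed weights and a copy with
# its last byte flipped, as a tampered mirror or partial download would look.
REVIEWED_WEIGHTS = b"\x00weights-v3\x00" * 64
TAMPERED_WEIGHTS = REVIEWED_WEIGHTS[:-1] + b"\x01"
ARTIFACT_NAME = "embedding-model-v3.bin"
ARTIFACT_SOURCE = "https://models.example.internal/embedding-model-v3.bin"

MANIFEST: Dict[str, dict] = {}
pin_artifact(MANIFEST, ARTIFACT_NAME, ARTIFACT_SOURCE, REVIEWED_WEIGHTS)

if __name__ == "__main__":
    print(verify_artifact(MANIFEST, ARTIFACT_NAME, ARTIFACT_SOURCE, REVIEWED_WEIGHTS))
    print(verify_artifact(MANIFEST, ARTIFACT_NAME, ARTIFACT_SOURCE, TAMPERED_WEIGHTS))
```

In practice the manifest is committed alongside the application and regenerated only through the review process, so a changed model or dataset shows up as a diff in version control rather than as a silent swap in production.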

Continuous static application security testing

Besides performing security testing on the model behavior, security teams should also extend testing to the surrounding application code. Specifically, they should:

  • Detect insecure API integrations and weaknesses in surrounding app code using static analysis tools.
  • Identify code-level injection vectors and unsafe execution paths through code reviews and automated testing. 
  • Enforce secure coding standards in CI/CD pipelines to prevent vulnerable code from reaching production.
  • Use policy gates and automated security policies to block deployments when critical vulnerabilities are detected. 

Monitoring and response

Finally, since AI systems behave dynamically, security teams must implement continuous monitoring and incident readiness to maintain a tough security posture. They should:

  • Track abnormal usage, tool calls, and cost spikes to help detect abuse or exploitation.
  • Add observability for prompts, outputs, and approvals (with privacy controls) to help teams understand system behavior and detect anomalies. An example of this would be logging AI interactions.
  • Create incident response playbooks specifically for AI-integrated systems and incidents, including prompt injection attacks and model misuse.
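The first two points above, tracking abnormal usage, tool calls and cost spikes, are illustrated by the following added example (not Kiuwan's code). It replays gateway log lines through a per-principal sliding-window monitor that raises an alert when a user's token consumption or tool-call count exceeds a budget, and marks that user for throttling, which is also the control the Unbounded Consumption entry (LLM10:2025) calls for. The thresholds, log format, user names and tool name are constructed assumptions.

```python
"""Added example (not Kiuwan's code): per-principal consumption monitoring for
an LLM gateway. Detects token-budget overruns and tool-call bursts inside a
sliding window, the signals behind 'cost spike' and 'abnormal tool use'
alerts. Thresholds and log lines are constructed."""
import json
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

WINDOW_SECONDS = 60               # constructed thresholds
TOKEN_BUDGET_PER_WINDOW = 5000
TOOL_CALL_BUDGET_PER_WINDOW = 10


class UsageMonitor:
    def __init__(self) -> None:
        # principal -> deque of (timestamp, tokens, tool) inside the window
        self._events: Dict[str, deque] = defaultdict(deque)
        self.throttled: set = set()

    def record(self, principal: str, ts: float, tokens: int,
               tool: Optional[str] = None) -> List[Tuple[str, str, int]]:
        """Add one request and return the alerts it raises: (kind, principal, value)."""
        q = self._events[principal]
        q.append((ts, tokens, tool))
        while q and q[0][0] < ts - WINDOW_SECONDS:   # drop events outside the window
            q.popleft()
        total_tokens = sum(t for _, t, _ in q)
        tool_calls = sum(1 for _, _, name in q if name)
        alerts = []
        if total_tokens > TOKEN_BUDGET_PER_WINDOW:
            alerts.append(("token_budget_exceeded", principal, total_tokens))
            self.throttled.add(principal)   # gateway rejects further requests until the window clears
        if tool_calls > TOOL_CALL_BUDGET_PER_WINDOW:
            alerts.append(("tool_call_burst", principal, tool_calls))
        return alerts


def analyze(log_lines: List[str]) -> Dict[str, object]:
    """Replay gateway log lines (one JSON object each) through the monitor."""
    monitor = UsageMonitor()
    alerts: List[Tuple[str, str, int]] = []
    for line in log_lines:
        ev = json.loads(line)
        alerts.extend(monitor.record(ev["user"], ev["ts"], ev["tokens"], ev.get("tool")))
    return {"alerts": alerts, "throttled": sorted(monitor.throttled)}


# Constructed log: alice makes three ordinary requests; mallory fires twelve
# tool-calling requests of 600 tokens each within 34 seconds.
SAMPLE_LOG = (
    [json.dumps({"ts": 1000 + i * 10, "user": "alice", "tokens": 400, "tool": None})
     for i in range(3)]
    + [json.dumps({"ts": 1000 + i * 3, "user": "mallory", "tokens": 600, "tool": "fetch_url"})
       for i in range(12)]
)

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for alert in result["alerts"]:
        print(alert)
    print("throttled:", result["throttled"])
```

Running the replay, mallory trips the token budget on the ninth request (5,400 tokens in the window) and the tool-call budget on the eleventh, while alice never alerts; the same `record` call can run inline in the gateway to throttle before the cost is incurred, not only in a later log review.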

Why traditional AppSec tools still matter in AI systems

Despite having unique weaknesses that traditional software lacks, AI applications are still software applications that rely on APIs, open-source libraries, CI/CD pipelines, and authentication and authorization mechanisms.

Because of this, traditional application security practices such as static application security testing (SAST) and software composition analysis (SCA) remain critical for reducing AI-related exposure at the code and dependency levels. However, traditional AppSec tools alone are not sufficient to address all AI-specific threats, such as prompt injection or excessive model agency, which may emerge from runtime behavior and AI orchestration logic. As a result, organizations must combine traditional AppSec controls with AI-specific security practices to fully reduce risk in generative AI environments.

How Kiuwan supports AI application security

Kiuwan supports security testing of AI-powered applications through Static Application Security Testing (SAST) and Software Composition Analysis (SCA). With these tools, organizations can reduce risk in the application and software supply chain layers of AI-enabled systems and gain structured visibility into code and dependency risks.

Static Application Security Testing (SAST)

Static Application Security Testing (SAST) analyzes the application code surrounding AI functionality to identify code-level vulnerabilities and insecure integration patterns. Integrated with CI/CD workflows, it supports a secure SDLC across 30-plus programming languages.

Software Composition Analysis (SCA)

Software Composition Analysis (SCA) detects vulnerable open-source components and helps monitor supply chain exposure across dependencies. This visibility supports SBOM maintenance and governance workflows.

Governance and compliance

Delivered through Sembi, Kiuwan SAST and SCA enable security-by-design across AI-powered applications. They help teams enforce policy-driven remediation workflows and align security practices with organizational standards and processes. Teams also receive actionable remediation guidance. 

Frequently asked questions about OWASP top 10 AI vulnerabilities

How is the OWASP Top 10 for LLM/GenAI apps different from the traditional OWASP Top 10 for web applications?

The OWASP Top 10 for Large Language Model (LLM) Applications focuses on risks specific to generative AI systems, such as prompt injection, model misuse, and insecure integrations with external tools and data sources. In contrast, the traditional OWASP Top 10 for web apps focuses on classic software vulnerabilities like injection flaws and security misconfigurations. Although some of these risks apply to AI-powered systems, the LLM Top 10 specifically addresses new attack surfaces created by AI orchestration layers, retrieval systems, model outputs, and autonomous actions.

Is “OWASP top 10 AI vulnerabilities” the official name of the framework?

No, “OWASP top 10 AI vulnerabilities” is a commonly used search phrase, but it’s not the official OWASP project name. The official framework is the OWASP Top 10 for Large Language Model Applications.

How is the 2025 OWASP LLM/GenAI Top 10 different from older OWASP LLM Top 10 lists?

Earlier versions of the framework focused mostly on risks affecting LLM-powered applications, with initial releases appearing in 2023 and updates following shortly after. The 2025 version expands the project’s scope to better reflect the broader generative AI ecosystem. It incorporates lessons learned from real-world deployments and highlights risks that emerge across model orchestration, retrieval systems, agentic workflows, integrations, and runtime operations.

Can static analysis detect prompt injection vulnerabilities?

Static analysis can identify code-level weaknesses, but generally can’t detect prompt injection vulnerabilities. Instead, teams should use prompt isolation, input validation, output filtering, and runtime monitoring to detect and mitigate prompt manipulation attacks.

What is the biggest risk in LLM-powered applications?

There is no single risk that applies to all LLM-powered applications. However, many experts believe that prompt injection and excessive model trust are probably the most significant threats. LLM applications often rely on model output to drive workflows, access data, or trigger actions, so if malicious inputs manipulate the model’s behaviour, they can bypass safeguards, expose sensitive data, and even cause unintended system actions.

How should DevSecOps teams govern AI deployments?

DevSecOps teams should treat AI deployments as part of the software supply chain and application security lifecycle. This means they should incorporate frameworks like the OWASP LLM Top 10 into security reviews and development processes to help systematically manage AI-related risks.

Does AI introduce new compliance or audit obligations?

Yes, AI introduces new compliance or audit obligations, especially when it processes sensitive data or affects regulated decisions. Security frameworks such as the OWASP LLM Top 10 can help organizations document risks and mitigation strategies for compliance audits.

Is the OWASP Top 10 for Agentic Applications the same as the LLM/GenAI Top 10?

No, the OWASP Top 10 for Agentic Applications is a separate but related framework. The LLM Top 10 focuses on risks affecting LLM-powered applications and generative AI systems, but the Agentic Applications Top 10 addresses security risks specific to autonomous AI agents.

Bottom line: Building an AI security strategy around the OWASP framework

As AI becomes more widespread, attack surfaces will continue to expand across prompts, outputs, models, retrieval layers, and integrations as organizations embed generative AI into critical applications, workflows, and data pipelines. To protect stakeholders and data, organizations must follow frameworks like the OWASP top 10 AI vulnerabilities framework, which provides structured risk guidance for LLM and GenAI application security.

To adopt this framework successfully, security teams should combine architecture controls, validation, access controls, governance, and continuous testing. They should adopt tools that combine static analysis, SCA, and SBOM visibility to reduce exposure before deployment, identify insecure integrations early, and improve ongoing supply chain governance across AI-enabled systems.

Try Kiuwan today to see how our tools can strengthen your DevSecOps teams. Our free 14-day trial includes guided integration into your CI/CD pipeline and DevOps environment, a compliance overview, vulnerability scanning, and support for over 30 programming languages.

© 2026 Kiuwan. All Rights Reserved.