OWASP Top 10 for LLM Applications

The OWASP Top 10 for LLM Applications is a community-driven list of the most critical security risks facing applications that are built on large language models. It is published by OWASP, the Open Worldwide Application Security Project, the same nonprofit known for its long-running OWASP Top 10 for web applications. The list gives builders of AI products a shared vocabulary and a starting checklist for threat modeling.

The 2025 edition enumerates ten risk categories: prompt injection; sensitive information disclosure; supply chain vulnerabilities; data and model poisoning; improper output handling; excessive agency; system prompt leakage; vector and embedding weaknesses; misinformation; and unbounded consumption. Several of these map directly to attacks documented in the research literature (prompt injection and indirect prompt injection, data and model poisoning, and training-data extraction), while others, such as excessive agency and unbounded consumption, capture operational risks specific to deploying autonomous, tool-using LLM systems. Each entry comes with descriptions, example scenarios, and suggested mitigations.

The value of the list lies less in any single item than in the consensus reference it provides. By the time a risk appears on the OWASP Top 10, it has been judged broadly relevant by practitioners, which makes the list a reasonable baseline for security reviews, vendor questionnaires, and internal standards.

For a business reader, the OWASP Top 10 for LLM Applications is a practical bridge between cutting-edge attack research and day-to-day governance: it translates academic threats into a checklist that engineering and risk teams can actually act on when shipping AI features.

Last verified June 7, 2026