What is the OWASP Top 10 for LLM Applications?

The OWASP Top 10 for LLM Applications is a community-built security standard that lists the most critical security risks in applications built on large language models. It is published by OWASP, the Open Worldwide Application Security Project, the non-profit behind the long-running web-application Top 10, and first appeared in 2023.

It is a list of risk categories, not a law and not a checklist you pass. Each entry names a class of failure and points to ways of preventing it, giving teams shared language to test against.

It sits inside the wider discipline of AI governance, at the security end, giving that work a concrete, testable shape.

It is a risk list, not a certification

The framing matters. You do not get "certified against OWASP" and you are not "audited against the OWASP LLM Top 10". OWASP publishes guidance; it is not an accreditation body that issues certificates. What you do is test your application against the risks it names, reduce the ones that apply, and keep a record. That evidence feeds the broader audit-readiness that certifiable standards and binding law require. Treat the list as a security yardstick: real value comes from testing coverage and risk reduction, not a badge.

The ten categories, walked

Each category below: what it is and why it matters for an enterprise LLM application or agent.

Prompt injection

An attacker crafts input that overrides the model's instructions, whether typed directly or hidden in content the model reads. It is the defining LLM risk: the flexibility that makes the model useful makes it steerable by anyone whose text reaches it.

Insecure output handling

The application trusts model output and passes it to another system unchecked. If it flows into a browser, shell, database query, or code, the model becomes a path for classic injection attacks.

Training-data poisoning

Manipulated data enters what a model learns from, at pre-training, fine-tuning, or retrieval, producing hidden bias, a backdoor, or degraded behaviour that looks normal until a trigger appears.

Model denial of service

An attacker sends inputs that consume resources, very long contexts, recursive prompts, or expensive operations, driving up latency and cost or taking the service down.

Supply-chain vulnerabilities

LLM applications depend on a long chain of third-party parts: base models, datasets, libraries, plugins, and hosted services. A weakness in any of them, a compromised model or a vulnerable dependency, becomes a weakness in the application.

Sensitive-information disclosure

The model reveals what it should not: training data, secrets from its context window, or another user's data leaking across a session. For regulated organisations, that is a data-protection problem.

Insecure plugin and tool design

When a model calls plugins or tools, weak design there gives an attacker reach into other systems. Tools that skip validation or run with broad permissions let a manipulated model do real damage.

Excessive agency

The model is given too much autonomy, permission, or functionality, so a wrong or manipulated decision causes real-world harm. An agent that can send money, change records, or email customers needs tight limits on what it does unsupervised, which is the heart of AI agent governance.

Overreliance

People and systems trust model output more than they should, acting on confident answers that are wrong, fabricated, or biased. It calls for human oversight and output validation that catches errors before they land.

Model theft

An attacker copies, extracts, or reconstructs a proprietary model, through unauthorised access or by querying it enough to clone its behaviour. The loss is commercial, and can expose what the model encodes about its data.

The agentic categories grow fastest. Once an application acts, a prompt injection that once produced a bad sentence can now trigger a bad action.

How the OWASP LLM Top 10 relates to the EU AI Act, ISO/IEC 42001, and NIST AI RMF

These are not competing regimes. The OWASP Top 10 for LLM Applications is the security-specific layer beneath the broader frameworks, giving them concrete failure modes to test for, and a serious programme uses all of them together.

The OWASP LLM Top 10 is a security risk list. It names the failure modes of LLM applications and how to test for them, but does not certify or bind you.

ISO/IEC 42001 is the international management-system standard for AI, and it is certifiable: an accredited body can audit your AI management system and issue a certificate. OWASP gives that system specific security risks to cover. See ISO/IEC 42001.

The NIST AI RMF is the voluntary US framework for managing AI risk across four functions: Govern, Map, Measure, and Manage. The OWASP list slots into Map and Measure, supplying the security failure modes to identify and test. See NIST AI RMF.

The EU AI Act is binding law. For high-risk systems it requires a lifecycle risk management system (Article 9) and traceable record-keeping (Article 72). It does not name OWASP, but the risks OWASP lists are the kind a high-risk system must manage and document. See the EU AI Act guide.

OWASP tells you the risks to test for, NIST and ISO/IEC 42001 give you the structure to test inside, and the EU AI Act makes proving that risk a legal duty for high-risk AI. For the wider structure they plug into, see the AI governance framework.

Where most teams fall short: testing the list continuously

Reading the list is easy. Testing against every category, on a live application that changes weekly, is the hard part. Prompt injection techniques evolve, new vulnerabilities ship daily, and an agent's permissions drift, so a one-time test tells you about the application as it was, not as it is now.

This is the gap Disseqt names PowerPoint Governance: a review that names every OWASP category in a slide, with nothing connecting it to the systems making decisions. The honest standard is continuous, because the threats are. You find the failure in private, before someone finds it in public.

How Disseqt tests against the OWASP LLM Top 10

Disseqt is the only unified assurance platform covering testing, monitoring, policy, audit, and compliance in one place, so a security team does not stitch point tools together to cover the list and prove it.

Testing happens in Test and Detect. Disseqt ships 65 ML-based validators across four families covering safety, bias, security, and compliance failure modes, plus 84 jailbreak techniques, single and multi-turn, drawn from a Live Vulnerability Database that updates as new attacks appear. That maps onto the OWASP categories, from prompt injection and insecure output handling to the agentic risks of excessive agency and tool design. Because the validators are ML-based, not LLM-as-judge, they run at sub-50ms inline latency with around 99 percent less water and 98 percent less CO2 per validation, which makes testing the full list continuously viable at production scale.

Runtime control closes the loop in Protect and Enforce. Guardrails score live output, enforce policy on every agent decision, and detect topic-adherence drift, with explainability on every blocked action. That is where excessive agency and overreliance become a control: the agent is held to what it may do, the moment it acts.

The results become evidence in Prove and Comply. Every test, block, and escalation lands in a tamper-evident audit trail, mapped to EU AI Act articles and to FCA, SEC, and ISO/IEC 42001 alignment, so your OWASP testing coverage becomes standing audit-readiness rather than a one-off report. Regulated customers, including tier-one UK, Irish, and US banks, run it this way. [PROOF PLACEHOLDER]

Frequently asked questions

What is the OWASP Top 10 for LLM Applications?

The OWASP Top 10 for LLM Applications is a community security standard from OWASP that lists the ten most critical security risks in applications built on large language models, from prompt injection and insecure output handling to excessive agency, overreliance, and model theft.

Can you be certified against the OWASP LLM Top 10?

No. OWASP publishes guidance, it is not an accreditation body, so there is no "OWASP certification" and no formal audit against the list. You test against the risks it names, reduce the ones that apply, and keep evidence, which supports audit-readiness for ISO/IEC 42001 and the EU AI Act.

What is the most critical risk on the list?

Prompt injection is treated as the defining LLM risk, because the model's flexibility lets anyone whose text reaches it steer its behaviour. As applications become agentic, excessive agency and insecure tool design rise alongside it.

How does the OWASP LLM Top 10 relate to the EU AI Act, ISO/IEC 42001, and NIST AI RMF?

It complements them. OWASP names the security failure modes to test for; NIST AI RMF and ISO/IEC 42001 give you the structure to test inside; the EU AI Act makes proving that risk a legal duty for high-risk AI.

How do you test an application against the OWASP LLM Top 10?

You run targeted tests for each category that applies, prompt injection and jailbreak attempts, output handling checks, data-disclosure probes, and agent-permission limits, continuously rather than once. Disseqt does this through 65 ML-based validators and 84 jailbreak techniques in Test and Detect, with results feeding tamper-evident evidence in Prove and Comply.

Bottom line

The OWASP Top 10 for LLM Applications is the security list every AI team quotes, but quoting it is not testing against it. Real risk reduction comes from covering every category continuously, then proving the coverage. Disseqt is the Assurance Layer built to do both: test the full list in Test and Detect, and turn results into evidence regulators accept in Prove and Comply. To see it on your systems, book a demo.