OWASP Top 10 for LLM Applications: The Enterprise Security Checklist

The OWASP Top 10 for LLM Applications is the industry reference list of the most critical security risks in AI applications, from prompt injection to excessive agency. A list of risks is not a control. This checklist turns each OWASP risk into a specific enforcement point, a named owner, and the audit evidence that proves the control ran, across AI usage, applications, agents, data, and runtime.

Last updated: June 2026.

What the OWASP Top 10 for LLM Applications Covers

The OWASP Top 10 for LLM Applications is a community built list of the ten most critical security risks for software that uses AI models. The OWASP Foundation published the current (2025) edition in November 2024 and labels the risks LLM01 through LLM10 (OWASP, 2025). It is a risk awareness baseline, not a law or a certification, and it pairs with frameworks such as the NIST AI Risk Management Framework and ISO/IEC 42001 that ask you to evidence each control.

The ten risks span how AI handles prompts, data, supply chain, output, agent autonomy, and resource use:

  • LLM01 Prompt Injection: crafted input that overrides the intended instructions.
  • LLM02 Sensitive Information Disclosure: confidential data exposed in prompts or responses.
  • LLM03 Supply Chain: risk inherited from third party models, data, and components.
  • LLM04 Data and Model Poisoning: tampered training or fine tuning data that corrupts behavior.
  • LLM05 Improper Output Handling: unchecked model output that triggers downstream exploits.
  • LLM06 Excessive Agency: too much autonomy, permission, or tool access for an agent.
  • LLM07 System Prompt Leakage: internal instructions and configuration exposed to users.
  • LLM08 Vector and Embedding Weaknesses: flaws in the retrieval and embeddings behind retrieval augmented generation (RAG).
  • LLM09 Misinformation: confident but wrong output that misleads a decision.
  • LLM10 Unbounded Consumption: runaway resource use, cost, or denial of service.

Knowing the risks is step one. Enterprise security has to turn each one into an enforced control with an owner and a record.

A Policy Names the Risk. A Control Enforces It.

Adoption has outrun governance. The 2026 AI Index reports that 88% of organizations now use AI in at least one business function, even as documented incidents rise and oversight falls behind (Stanford HAI, 2026).

Policy has not kept pace, and the policies that exist are often not built to be enforced. Only 44% of organizations have a policy for employee use of generative AI, up from 10% the year before, and among those that do, many offer guidelines rather than enforced requirements (Littler, 2024). A written rule in a wiki does not inspect a prompt, redact a record, or block a tool call. A control does. The rest of this checklist is about controls: where they fire, who owns them, and what evidence they leave.

The Enterprise Control Checklist

Use this checklist to translate the OWASP Top 10 for LLM Applications into controls you can enforce and evidence. Aurascape applies these controls inline across AI usage, applications, agents, and data on one architecture (Aurascape, 2026). Discovery is the foundation, and the AI discovery guide covers it in depth.

  1. Inventory every AI app and agent. Maintain a complete catalog across the network, on endpoints, and at the application programming interface (API) layer, including shadow AI and agents running locally. Only 21% of organizations keep a real time inventory of their active agents (Cloud Security Alliance, 2026), and inventory is the base control behind LLM03 Supply Chain. Owner: security operations.
  2. Enforce sanctioned access and tenant control. Tell an approved enterprise tenant from a personal account, and act on the difference, so regulated data stays inside licensed tools. This addresses LLM02 Sensitive Information Disclosure and keeps a growing long tail of AI under control without blocking work. Owner: security and IT.
  3. Inspect prompts and responses with full conversation context. Read both legs of every interaction, not just the prompt or the destination. Context separates a clinician summarizing a record from a developer pasting a test identifier, and it covers LLM01 Prompt Injection, LLM02, and LLM05 Improper Output Handling. Owner: security.
  4. Classify and protect sensitive data inline. Detect regulated data on the prompt and the response, then apply policy before data leaves. Match the data type to the business, whether that is protected health information, cardholder data, or proprietary source code. Owner: data security.
  5. Apply context aware policy actions. Allow, coach, warn, block, or redact based on identity, intention, data, and outcome, in the interaction path. The right action depends on the mode: summarize, upload, generate code, or agent mode. Owner: security.
  6. Govern agent tool execution with zero bypass control. Sign approved tool calls, block unsigned ones, and track data across chained actions, so an agent cannot route around the control point. This is the control for LLM06 Excessive Agency. Owner: security and platform engineering.
  7. Gate AI outputs before they act. Inspect generated content, links, and agent initiated actions before they reach users or downstream systems, which addresses LLM05 Improper Output Handling. Owner: application security.
  8. Decode modern AI protocols. Cover WebSockets, QUIC, Protobuf, JSON, remote procedure calls, and the Model Context Protocol (MCP), plus thick client and command line paths, so traffic stays in view of the control. Owner: security architecture.
  9. Keep audit evidence under access control. Retain decoded interaction and policy decision records, governed by role based access control (RBAC) for privacy, so teams can show each control ran for audit and effectiveness, not merely that a policy existed. Owner: governance, risk, and compliance.
  10. Set exceptions and map controls to frameworks. Grant scoped, limited time exceptions that expire, and map each control to the NIST AI Risk Management Framework, ISO/IEC 42001, and the EU AI Act for examiner ready evidence. Owner: governance, risk, and compliance.

Map Each OWASP Risk to a Control and Audit Evidence

Audit and compliance teams need more than a control list. They need to show which control addresses which risk and what record proves it. The table below maps the load bearing OWASP risks to an enforcement point and the evidence it produces. Concrete incidents show why the mapping matters: EchoLeak, a zero click flaw in Microsoft 365 Copilot, let an attacker exfiltrate data through an indirect prompt injection with no user action (NVD, 2025), which is LLM01 and LLM02 in one chain.

OWASP risk | Enforcement control | Audit evidence
LLM01 Prompt Injection | Inspect prompts and tool inputs inline; block injection in the interaction path | Decoded prompt records and policy decisions
LLM02 Sensitive Information Disclosure | Classify and redact sensitive data on the prompt and response before it leaves | Classification hits and redaction logs
LLM05 Improper Output Handling | Inspect and gate AI output before it reaches users or downstream systems | Output inspection and Safe Output Governance records
LLM06 Excessive Agency | Govern every tool call; sign approved calls, block unsigned ones, enforce least privilege | Signed tool call logs and cross call data lineage
LLM03 Supply Chain | Discover and risk score every AI app and agent before use; maintain inventory | Discovery inventory and risk scores
LLM07 System Prompt Leakage | Monitor responses for system prompt and configuration exposure | Response inspection records
LLM10 Unbounded Consumption | Enforce usage and rate limits on AI and agents by identity and intention | Usage and policy decision records

Three of these risks have their own playbooks. Go deeper on prompt injection in the prompt injection guide, on data exposure in the AI data leakage guide, and on the regulatory side in the AI compliance frameworks guide.

Govern Agent Execution, Not Just Prompts

Agents change the control problem. They do not just answer, they act: they call tools, retrieve data, and chain steps across systems. Only one in five companies has a mature model for governing autonomous agents (Deloitte, 2026), and OWASP captures the exposure as LLM06 Excessive Agency: too much autonomy, permission, or tool access.

Prompt inspection alone misses the action. The Model Context Protocol (MCP) that connects agents to tools does not sign or authenticate individual tool calls in the base protocol (its optional authorization layer is defined for the HTTP transport, not for each call), so the control point has to move to the tool call itself. Aurascape secures both legs of an agent interaction. The AI Proxy inspects the intelligence channel, the prompts and responses. The Zero-Bypass MCP Gateway secures the tool execution channel, cryptographically signs approved tool calls, and blocks unsigned ones, with cross call data lineage across chained actions.

The threat is real and current. Aura Labs found SilentBridge, a class of zero click indirect prompt injection in an autonomous agent that could take it over through page, search, and document content, with three variants each rated 9.8 out of 10 and fixed before disclosure (Aurascape, 2026). A control that reads the prompt but not the tool call would not stop that chain.
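The following is an added example, not Aurascape's gateway and not part of MCP, of the tool execution control described in this section and in checklist item 6: a policy approver signs only calls that pass a least privilege allow list, and a gateway in front of the tool servers executes only calls that carry a valid, unexpired, unreplayed signature, while carrying data labels across chained calls so that data read by one tool cannot be pushed out by the next. The key, the agent name, the tools, the hosts and the labels are all constructed for this page.

```python
# Added example (not Aurascape's product code, and not part of MCP itself): a
# policy approver that signs tool calls it has checked against a least privilege
# allow list, and a gateway that executes only calls carrying a valid, unexpired,
# unreplayed signature and tracks data labels across chained calls. The key,
# agent name, tools, hosts and labels are constructed for this page.
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import urlparse

# Shared by the approver and the gateway only. The agent never holds it, so it
# cannot mint its own approvals or alter an approved call without detection.
GATEWAY_KEY = secrets.token_bytes(32)

# Least privilege policy: which tools each agent may call, with argument constraints.
TOOL_POLICY = {
    "support-agent": {
        "read_ticket": {},
        "search_kb": {},
        "http_post": {"allowed_hosts": {"api.internal.example"}},
    },
}
# Data labels a tool's output carries into whatever the agent does next (constructed).
TOOL_OUTPUT_LABELS = {"read_ticket": {"phi"}, "search_kb": set()}
SENSITIVE = {"phi", "cardholder", "secret"}
EGRESS_TOOLS = {"http_post"}   # tools that move data out of the agent's reach


def canonical(call: dict) -> bytes:
    """Stable byte encoding of a call, so signer and verifier hash the same thing."""
    return json.dumps(call, sort_keys=True, separators=(",", ":")).encode()


def sign(body: dict) -> str:
    return hmac.new(GATEWAY_KEY, canonical(body), hashlib.sha256).hexdigest()


def approve(call: dict, ttl: int = 60) -> Optional[dict]:
    """Policy approver: return a signed copy of the call, or None if policy rejects it."""
    policy = TOOL_POLICY.get(call["agent"], {}).get(call["tool"])
    if policy is None:
        return None                                  # tool not granted to this agent
    hosts = policy.get("allowed_hosts")
    if hosts is not None and urlparse(call["args"].get("url", "")).hostname not in hosts:
        return None                                  # argument outside the grant
    body = dict(call, exp=int(time.time()) + ttl, nonce=secrets.token_hex(8))
    return dict(body, sig=sign(body))


class Gateway:
    """Sits between the agent and the tool servers; nothing reaches a tool around it."""

    def __init__(self):
        self.seen_nonces = set()
        self.lineage = {}   # call id -> labels the call's output carries
        self.log = []       # audit evidence: one record per decision

    def _record(self, body: dict, outcome: str, labels: set) -> str:
        self.log.append({"ts": round(time.time(), 3), "id": body.get("id"),
                         "agent": body.get("agent"), "tool": body.get("tool"),
                         "parent": body.get("parent"), "labels": sorted(labels),
                         "outcome": outcome})
        return outcome

    def execute(self, signed: dict) -> str:
        body = {k: v for k, v in signed.items() if k != "sig"}
        sig = signed.get("sig")
        if sig is None:
            return self._record(body, "denied:unsigned", set())
        if not hmac.compare_digest(sig, sign(body)):
            return self._record(body, "denied:bad_signature", set())  # changed after approval
        if body["exp"] < time.time():
            return self._record(body, "denied:expired", set())
        if body["nonce"] in self.seen_nonces:
            return self._record(body, "denied:replay", set())
        self.seen_nonces.add(body["nonce"])
        # Cross call lineage: a call inherits the labels of the call it chains from.
        labels = set(self.lineage.get(body.get("parent"), set()))
        if body["tool"] in EGRESS_TOOLS and labels & SENSITIVE:
            return self._record(body, "denied:lineage", labels)  # sensitive data would leave
        labels |= TOOL_OUTPUT_LABELS.get(body["tool"], set())
        self.lineage[body["id"]] = labels
        return self._record(body, "executed", labels)
```

The split matters: the approver decides policy and the gateway decides authenticity, so a signature is proof that policy ran, and the gateway never has to trust anything the agent says about itself. The lineage check is what stops the chain in the SilentBridge pattern above, where injected page content steers an agent that has already read sensitive data into a call that sends it out: the outbound call may be individually permitted, but the data it carries is not.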

Where Legacy Controls Stop Short on OWASP Risks

Most enterprises already run a Security Service Edge (SSE), a Cloud Access Security Broker (CASB), and Data Loss Prevention (DLP). These tools extend web and software as a service (SaaS) controls into AI, and they stay in place. The gap is architectural: they were built for destinations and file transfers, while OWASP risks live in the AI interaction and the agent action. Aurascape was built around AI interactions and agent execution, and runs alongside the existing stack, not in place of it.

Capability | Legacy SSE, CASB, and DLP | Aurascape
AI tool discovery (LLM03) | Shadow IT and CASB catalogs of known SaaS and web destinations | Patented discovery of known and long tail AI across network, endpoint, and API planes, including agents running locally
Inspection depth (LLM01, LLM02, LLM05) | Destination, URL, and pattern based DLP, mainly on the prompt | Full prompt and response decoding with conversation level context across modern protocols
Sensitive data classification (LLM02) | Pattern and regular expression DLP signatures | A three layer engine across more than 600 categories, multimodal and multilingual, with about 90% fewer false positives
Agent tool call governance (LLM06) | External gateway and SaaS API controls, an MCP gateway where offered | The Zero-Bypass MCP Gateway signs approved tool calls and blocks unsigned ones, with cross call data lineage
Policy actions in the interaction path | Allow and block on destination and DLP policy | Allow, coach, warn, block, and redact on identity, intention, data, and outcome, inline
Audit evidence (governance and compliance) | Network and DLP logs of allowed or blocked destinations | Decoded interaction and policy decision records under role based access control

Closing these gaps speeds adoption rather than slowing it. In one Aurascape deployment, a Fortune 100 insurance and financial enterprise tripled its AI agent integrations with no unauthorized data access and protected more than 20,000 users (Aurascape, 2026). The point is not to replace the incumbent stack. It is to add the interaction level and agent level control the incumbents were not built to provide. For a capability by capability view, see the AI compliance software guide.

Frequently Asked Questions

Is the OWASP Top 10 for LLM Applications a compliance standard?

No. It is a voluntary risk awareness framework from the OWASP Foundation, not a law or a certification. To turn it into compliance, map each risk to a regulated requirement under the NIST AI Risk Management Framework, ISO/IEC 42001, or the EU AI Act, and keep the evidence each control produces. The AI compliance frameworks guide walks through that mapping.

Which risks in the OWASP Top 10 for LLM Applications matter most for data protection?

OWASP ranks Prompt Injection first as LLM01. For data protection specifically, weight LLM02 Sensitive Information Disclosure and LLM05 Improper Output Handling, since both govern what data enters and leaves the model. Classify and redact sensitive data on the prompt and the response, not just at the destination.

How do you turn the OWASP Top 10 into audit evidence?

Map each OWASP risk to a control, then keep the record that control produces. A signed tool call log proves LLM06 enforcement. A classification and redaction record proves LLM02. Keep these decoded interaction and policy decision records under role based access control for privacy, so an auditor sees that the control ran, not just that a policy existed.

Does the OWASP Top 10 for LLM Applications cover AI agents?

Partly. LLM06 Excessive Agency is the agent specific risk, covering autonomy, permissions, and tool access. Full agent coverage goes further: govern every tool call, sign approved calls, block unsigned ones, and track data across chained actions. The agentic AI security architecture guide details the two channel model for agents.


Aurascape turns the OWASP Top 10 for LLM Applications from a list of risks into enforced controls with named owners and audit evidence. It discovers every AI app and agent, inspects prompts and responses with full conversation context, classifies sensitive data inline, governs every tool call through the Zero-Bypass MCP Gateway, and keeps decoded interaction records under role based access control for privacy. It runs alongside your existing SSE, CASB, and DLP stack, not in place of it. Book a demo to see your own AI estate mapped to OWASP risks and the controls that close them.
