OWASP LLM Top 10 (2026) mapped to tools
The OWASP LLM Top 10 is a community-built list of the ten most critical security risks for applications using large language models. Each risk, from prompt injection (LLM01) to unbounded consumption (LLM10), maps to specific defences: input filtering, output encoding, least-privilege tool scoping, human-in-the-loop gates, sandboxing, and continuous logging.
OWASP LLM Top 10 (2026) mapped to tools
TL;DR:
- The OWASP LLM Top 10 is the canonical risk list for LLM-powered applications, maintained by the OWASP GenAI Security Project.
- Every risk maps to named, testable defences: input/output controls, least-privilege tool scoping, sandboxing, human-in-the-loop, and logging.
- Prompt injection (LLM01) and excessive agency (LLM06) are the two risks most relevant to AI agents and MCP servers.
- Use this hub as your map, then drill into prompt injection explained and MCP security best practices.
What is the OWASP LLM Top 10?
The OWASP LLM Top 10 is a prioritised list of the ten most critical security risks in applications that use large language models. It is published and maintained by the OWASP GenAI Security Project, the same organisation behind the original OWASP Top 10 for web applications. The list exists to give builders a shared vocabulary and a starting checklist for securing LLM systems. Each entry carries an identifier (LLM01 to LLM10), a definition, example attack scenarios, and recommended mitigations. You can read the canonical source at the OWASP LLM Top 10 page.
The list is a prioritisation framework, not a certification. It pairs naturally with the AI agent hardening checklist and with least-privilege for AI agents, which translate these risks into operational controls.
How does each OWASP LLM risk map to a defence?
Each of the ten risks maps to one or more concrete tools or controls. The table below pairs every risk with its short definition, a realistic example, and the defences that mitigate it. The numbers in any example are illustrative, not measured benchmarks.
| Risk | Definition (one claim) | Example | Defensive tools / controls |
|---|---|---|---|
| LLM01 Prompt Injection | Untrusted text overrides the model’s intended instructions. | A web page hidden text tells an agent to email its secrets. | Input filtering, prompt/data separation, output gating, spotlighting, allow-listed tools. See prompt injection explained. |
| LLM02 Sensitive Information Disclosure | The model reveals secrets, PII, or proprietary data in its output. | A chatbot leaks another user’s order history. | Output filtering, data minimisation, retrieval scoping, PII redaction, DLP gateways. |
| LLM03 Supply Chain | A compromised model, dataset, or dependency introduces risk. | A backdoored model pulled from a public hub. | SBOMs, model provenance checks, signed artefacts, dependency scanning, pinned versions. |
| LLM04 Data and Model Poisoning | Tampered training or fine-tuning data corrupts model behaviour. | Poisoned documents seed a biased or unsafe response. | Data validation, source vetting, anomaly detection, isolated fine-tuning pipelines. |
| LLM05 Improper Output Handling | Downstream systems trust model output without validation. | Model output is run as a shell command or SQL query. | Output encoding, parameterised queries, schema validation, treat output as untrusted. |
| LLM06 Excessive Agency | An agent has more permissions, tools, or autonomy than the task needs. | An agent with delete rights wipes a production table. | Least-privilege scoping, tool allow-listing, human-in-the-loop, read-only defaults. See least-privilege for AI agents. |
| LLM07 System Prompt Leakage | Secrets embedded in the system prompt are extracted by a user. | An attacker coaxes out an API key placed in the prompt. | Never store secrets in prompts, server-side secret stores, output guardrails. |
| LLM08 Vector and Embedding Weaknesses | Flaws in RAG retrieval or embeddings enable injection or leakage. | A poisoned document in a vector store hijacks retrieval. | Source authentication, retrieval permissioning, embedding integrity checks. |
| LLM09 Misinformation | The model produces confident but false or fabricated output. | A legal agent cites a non-existent case. | Grounding/RAG with trusted sources, citation requirements, human review of high-stakes output. |
| LLM10 Unbounded Consumption | Uncontrolled usage drives cost, denial of service, or model extraction. | A loop of agent calls exhausts the API budget. | Rate limiting, token quotas, cost caps, timeouts, circuit breakers. |
For the authoritative definitions of each item, always check the OWASP GenAI Security Project directly, because wording and ordering are revised periodically.
Which OWASP LLM risks matter most for AI agents?
For autonomous agents, LLM01 (Prompt Injection), LLM06 (Excessive Agency), and LLM05 (Improper Output Handling) are the highest-priority risks. Agents act on model output, so a successful prompt injection plus excessive agency equals real-world damage, such as deleted data or exfiltrated credentials. The defensive pattern is layered: separate trusted instructions from untrusted data, scope every tool to the minimum permission, and require a human gate for irreversible actions.
The Model Context Protocol specification is directly relevant here, because MCP servers are the tool layer agents call. Hardening them, as covered in MCP security best practices, is how you close LLM06 in practice.
How do you use this list in a real security programme?
Treat the OWASP LLM Top 10 as a coverage map, then verify each control with tests. A risk is only mitigated when you can demonstrate the control works, not when you have merely named it. A practical sequence:
- Inventory every LLM, agent, and MCP server in your stack.
- Map each component to the relevant LLM01 to LLM10 risks.
- Assign a named control to each mapped risk using the table above.
- Test each control against a realistic attack, including indirect prompt injection.
- Log and monitor continuously, because new attack patterns appear faster than annual list revisions.
National guidance reinforces this layered approach. The joint NSA and CISA work on AI system security, available via the CISA AI resources hub, stresses supply-chain integrity (LLM03), data protection (LLM02), and continuous monitoring (LLM10).
Where to go next
Start with the deep-dive companions to this hub: prompt injection explained for the LLM01 attack taxonomy, and MCP security best practices for closing LLM06 at the tool layer. From there, browse the full tools directory, the step-by-step guides library, and the practical checklists collection to operationalise every defence above. You can also return to the site home for the latest tested research.
This hub is maintained against primary sources: the OWASP LLM Top 10, the Anthropic and Claude documentation, and the Model Context Protocol specification.
In this hub
- Prompt injection explained: direct, indirect, and how to defend A definition-dense explainer of prompt injection: what it is, the direct versus indirect taxonomy, real attack examples, and the layered defences that actually reduce it.
- MCP security best practices for hardening tool servers Hands-on MCP security best practices: authentication, tool allow-listing, permission scoping, human-in-the-loop, and logging for hardening Model Context Protocol servers.
- Excessive Agency explained: OWASP LLM06 and how to contain it A definition-dense explainer of OWASP LLM06 Excessive Agency: what it means, the three sub-types of functionality, permissions, and autonomy, real examples, and the least-privilege defences that work.
- What is an AI agent? Definition, how it works, and why it is a security risk A clear definition of an AI agent: software that uses an LLM to plan and call tools autonomously. Covers how it works, AI agent vs chatbot vs LLM, examples, and why agents are a security concern.
- What is Model Context Protocol (MCP)? A plain-English explainer A definition-dense explainer of the Model Context Protocol: what MCP is, who created it, how its client-server architecture works, how it compares to plugins and APIs, and why it matters for AI security.
- The confused deputy problem in AI agents and MCP A definition-dense explainer of the confused deputy problem for AI agents and MCP servers: how an agent holding broad credentials is tricked via prompt injection or a malicious tool into misusing its authority, and the capability-based, least-privilege controls that contain it.
- Data exfiltration risks for AI agents How sensitive data leaks out through an autonomous AI agent: prompt-injection-driven exfiltration, tool calls to attacker endpoints, beaconing markdown images, over-broad data access, and log leakage, plus the egress controls that stop it.
- NIST AI RMF and ISO 42001 vs the OWASP LLM Top 10 How the NIST AI Risk Management Framework and ISO/IEC 42001 differ from the OWASP LLM Top 10, with a mapping table linking each LLM risk to NIST functions and ISO 42001 management controls.
- Supply-chain security for MCP servers: where the risk enters and how to control it A hands-on guide to supply-chain risk for MCP servers and models: where it enters through third-party servers, model provenance, and transitive dependencies, how a compromised server attacks an agent, and the controls that reduce the blast radius.
- LLM Security Risks: The OWASP LLM Top 10 Explained A pillar guide to LLM security and the main LLM security risks, mapping each threat to the OWASP LLM Top 10 with primary-source citations and links to deeper defensive guides.
Frequently asked questions
What is the OWASP LLM Top 10?
It is a standardised list, published by the OWASP GenAI Security Project, of the ten highest-impact security risks affecting applications built on large language models, each with example attacks and recommended mitigations.
What is the most critical risk on the OWASP LLM Top 10?
LLM01: Prompt Injection is consistently ranked first because it is the root cause of many downstream failures, including data exfiltration, unauthorised tool calls, and agent hijacking.
Does the OWASP LLM Top 10 cover AI agents and MCP servers?
Yes. Agent and tool risks map directly onto LLM01 (Prompt Injection), LLM06 (Excessive Agency), and LLM08 (Vector and Embedding Weaknesses), which is why agent hardening and MCP scoping are core defences.
How often is the OWASP LLM Top 10 updated?
The list is revised roughly annually by the OWASP GenAI Security Project as attack patterns evolve, with the latest revision reflecting agentic and retrieval-augmented architectures.
Is the OWASP LLM Top 10 a compliance standard?
No. It is a prioritisation framework, not a certifiable standard, but it is widely referenced alongside NIST and ISO guidance to structure AI security programmes.