Agentshield

OWASP Top 10 for LLM Applications, Explained

Dana Whitfield, Security·Jun 23, 2026·10 min read

The OWASP Top 10 for LLM Applications is the canonical list of the most important security risks for systems built on large language models. If you run AI agents in production, it is the taxonomy your security team and your auditors will reference. This guide explains each risk in plain language and maps it to the runtime control that addresses it.

Why it matters for agents

The list was created because LLM apps introduce risks that traditional appsec checklists do not cover. For agents, which read untrusted text and then take actions, several of these risks become severe, because the consequence is no longer a bad answer but a real action with real credentials.

The risks and the controls

Prompt injection

The top risk: untrusted content carrying instructions that hijack the model. For agents this can lead to exfiltration or destructive actions. Control: a runtime prompt-injection firewall that inspects every input.

Sensitive information disclosure

The model leaks secrets, PII, or proprietary data in its output. Control: data-loss prevention that classifies and blocks sensitive data on egress.

Supply chain risks

Compromised models, plugins, or tools. For agents this includes MCP tool poisoning. Control: inspect tool outputs and restrict the agent to an allowlist of approved tools and servers.

Improper output handling

Trusting model output and passing it unchecked into downstream systems. Control: treat agent actions as untrusted and enforce tool and data permissions at the boundary.

Excessive agency

Giving an agent more capability, permissions, or autonomy than it needs, so a single failure has a large blast radius. Control: least privilege plus human-approval gates on high-risk actions.

System prompt leakage

Attackers extracting the system prompt, including any secrets or rules embedded in it. Control: never rely on the prompt for security; enforce controls in the action path and keep secrets out of the prompt.

Vector and embedding weaknesses

Attacks on the retrieval layer of RAG systems, including poisoned documents. Control: secure the RAG pipeline by inspecting retrieved content.

Misinformation

Confident but wrong output, including hallucinated actions. Control: monitoring and human approval on consequential actions, plus an audit trail to catch patterns.

Unbounded consumption

Runaway loops and resource exhaustion. Control: rate and velocity limits on tool calls, enforced by the control plane.

Missing accountability

No record of what the model or agent did. Control: an immutable audit trail tying every action to the agent, tool, resource, and verdict.

How the list maps to one control plane

Read together, the OWASP LLM Top 10 describes a system that needs to inspect untrusted input, constrain what the model can do, keep a human on the risky actions, and record everything. That is precisely the shape of a runtime control plane. Agentshield implements these controls in one product, and its audit trail is the evidence that proves the controls were enforced, which is what frameworks and the EU AI Act increasingly require.

Next: read about AI compliance evidence, or get started.

See the firewall block an attack live.

Drive the Threat Console and watch a real prompt injection get stopped, then put Agentshield in front of your own agents.

Open the console