OWASP top 10 for LLMs shows identity gaps in agentic AI

At a glance

What this is: OWASP’s 2025 LLM Top 10 reframes AI security around prompt injection, disclosure, supply chain and agentic access risk.

Why it matters: IAM, PAM and NHI teams have to treat LLMs and agents as governed actors, because identity, privilege and execution boundaries now shape the primary attack surface.

By the numbers:

• 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so.

👉 Read Aembit’s analysis of the 2025 OWASP Top 10 for LLM applications

Context

OWASP’s 2025 update matters because the primary keyword here is no longer just LLM security, it is governed identity for nonhuman actors. The article argues that prompt injection, leakage, poisoning and excessive agency expose control assumptions that traditional application security did not build for, especially once models can call tools and take actions.

For identity teams, the practical shift is from protecting outputs to controlling what the model is allowed to see, infer and do. That puts workload identity, least privilege, human approval for consequential actions and external authorization controls into the same conversation as AI guardrails.

Key questions

Q: How should security teams handle trust assumptions in LLM and AI agent workflows?

A: Treat the model as an untrusted decision layer and keep security enforcement in external systems. Separate instructions from data, restrict retrieval sources, scope tool access to the task and require human approval for actions that can create business impact. The goal is to prevent the model from becoming the place where trust is assumed instead of verified.

Q: Why do LLMs and AI agents create new identity governance problems?

A: Because they can consume data, call tools and act on behalf of the organisation without fitting the old human request-response model. Traditional IAM assumes a stable subject, a clear request and a reviewable entitlement. AI agents blur those boundaries, so identity governance must cover runtime authority, not just login or token issuance.

Q: What breaks when system prompts are used as security controls?

A: The control becomes visible to the attacker the moment the model can reveal or infer it. Prompts are not deterministic enforcement points, so they cannot reliably separate privilege, authorise actions or hide policy logic. If a critical rule only exists in the prompt, it is brittle by design and easy to bypass.

Q: How can organisations reduce excessive agency in AI agents?

A: Limit the tool set to what each workflow actually needs, require approvals for high-impact steps and verify every sensitive action in a system that is independent of the model. If an agent can act broadly, the problem is not just model behaviour but over-assigned privilege. Scope reduction is the first line of defence.

Technical breakdown

Prompt injection and instruction collision in LLMs

Prompt injection works because many LLM systems do not cleanly separate instructions from data. A malicious string in a user prompt, web page or document can be interpreted as an instruction rather than content, especially when the application passes untrusted material directly into the model context. Indirect injection is harder to see because the attacker hides the payload in something the model later retrieves or summarizes. Multimodal systems widen the problem by letting malicious instructions arrive through images or other nontext inputs. The issue is architectural, not just operational, because the model cannot reliably distinguish intent from content without external controls.

Practical implication: treat all retrieved or user-supplied context as untrusted and enforce instruction boundaries outside the model.

Excessive agency, autonomy and system prompt leakage

Excessive agency is the point where an AI agent can reach more tools, broader permissions or more consequential actions than the task requires. That risk becomes sharper when the agent can act without human approval, because the security boundary moves from a passive response model to a runtime decision model. System prompt leakage compounds the problem by exposing internal rules, routing logic and security assumptions that teams may have embedded in prompts. Once leaked, those prompts help attackers bypass guardrails, target approvals and understand where privilege is enforced. The control failure is not just access breadth, but where authorization actually lives.

Practical implication: keep authorization in deterministic external systems and scope every agent permission to the specific task.

Vector stores, poisoning and unbounded consumption

RAG architectures introduce a retrieval layer that is now part of the attack surface. If a vector store accepts poisoned content, the model can retrieve and amplify attacker-controlled material during normal queries. Weak tenant boundaries can also expose data across projects or customers, while unbounded consumption lets adversaries drive up inference costs or exhaust token budgets. These are not model-only problems. They are identity, data and resource governance issues because the application is effectively trusting retrieved context, stored embeddings and per-user usage limits to behave as intended. That trust must be verified continuously.

Practical implication: harden vector-store access, monitor retrieval quality and apply quotas and rate limits to model usage.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• LiteLLM PyPI package breach — LiteLLM PyPI supply chain attack, credentials stolen from users.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

OWASP’s LLM risk model now reads like an identity control map, not just an application checklist. Prompt injection, output abuse and prompt leakage all become governance problems once the model can influence tools, data paths and business actions. That means the decisive question is no longer whether the model is accurate enough, but whether its identity boundaries are narrow, external and enforceable. Practitioners should treat the framework as a blueprint for runtime trust decisions, not a static testing list.

Excessive agency is the category that most clearly exposes the weakness of conventional IAM assumptions. Identity controls were built for subjects whose requests, timing and scope are externally initiated. When a model can decide what tool to use, when to act and whether to proceed without approval, those assumptions stop holding cleanly. The implication is that authorisation can no longer be inferred from prompt context or developer intent alone.

System prompt leakage shows why security logic does not belong inside the prompt. Prompts are operational instructions, not access-control engines, and attackers now know how to mine them for guardrail logic and hidden trust assumptions. The control gap is structural: if a critical policy exists only as text the model can reveal, it was never a control in the first place. Practitioners should regard prompt content as exposed architecture, not a confidential enforcement layer.

Vector weakness and unbounded consumption turn AI supply chains into governance surfaces. Retrieval paths, embedding stores and inference quotas all carry identity and trust decisions that can be manipulated or exhausted. That connects LLM risk directly to workload identity, service-account scoping and runtime monitoring. The field should stop treating AI security as an overlay and start treating it as a governed execution environment.

Runtime authorization for nonhuman actors is now the named concept practitioners should use for this category. The article’s real lesson is that LLM and agent security depends on where approval lives, how context is separated and what can be acted on without a human gate. Teams that can name those runtime boundaries clearly will govern agentic AI more effectively than teams that only add model filters after the fact.

From our research:

• 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
• Only 52% of companies can track and audit the data their AI agents access, leaving nearly half of organisations without a complete compliance or breach-investigation view.
• For a broader identity lens, the OWASP Agentic AI Top 10 shows how runtime agent risk maps to practical control design.

What this signals

Runtime authorization for nonhuman actors: as LLMs move from chat to action, the governance challenge shifts to where decisions are enforced and who can approve them. Teams should expect AI security reviews to converge with workload identity, PAM and zero trust design, because the same actor can now read, reason and act within one session.

The next maturity jump is not better model output filtering, it is tighter control over what agents can reach, what data they can consume and when they can execute. The organisations that separate prompt content from enforcement logic will be better placed to absorb future agentic AI use cases without expanding blast radius.

For practitioners

• Separate instruction, data and retrieval paths Keep user input, system instructions and retrieved content in distinct control planes so a poisoned document cannot become a hidden command channel. Apply filtering before context reaches the model and again before output is executed.
• Move authorization outside the model Enforce access decisions in deterministic external systems rather than in system prompts or model-generated reasoning. Bind each agent action to the minimum scoped entitlement required for that task.
• Constrain agent tool access by task Review every tool, connector and API an agent can reach, then remove anything not required for the specific workflow. Use human approval for consequential actions such as deleting records, sending messages or changing permissions.
• Harden vector stores and usage limits Restrict write access to embedding stores, monitor retrieval anomalies and enforce per-user quotas and token limits. This reduces poisoning risk and makes denial-of-wallet attacks easier to detect.

Key takeaways

• The 2025 OWASP LLM Top 10 makes clear that AI risk is now an identity and control-boundary problem, not only a model-quality problem.
• Prompt injection, system prompt leakage and excessive agency all show that untrusted context can become untrusted action when enforcement lives inside the model.
• Practitioners should externalise authorisation, narrow tool access and monitor retrieval and usage paths before agentic AI expands the attack surface further.

Key terms

• Prompt Injection: A technique that inserts malicious instructions into text, documents or other inputs so an LLM treats them as commands. In practice, the model can no longer reliably separate instruction from content, which makes the surrounding application responsible for enforcing trust boundaries.
• Excessive Agency: A condition where an AI agent can reach too many tools, use broader permissions than its task requires or act without meaningful approval gates. The risk is not model intelligence, but runtime authority that exceeds the business purpose of the workflow.
• System Prompt Leakage: The exposure of hidden prompt text that developers use to steer model behaviour, routing or guardrails. Once leaked, that text can reveal security assumptions, internal logic and control structure, giving attackers a blueprint for targeted bypass or social engineering.
• Vector Store Poisoning: The tampering of retrieval content or embeddings so a RAG system retrieves attacker-influenced context during normal operation. It turns the retrieval layer into a trust boundary that must be protected like any other sensitive data store.

Deepen your knowledge

OWASP Top 10 for LLM Applications and runtime authorization for nonhuman actors are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building AI governance from the same access-control gaps discussed here, it is worth exploring.

This post draws on content published by Aembit: the 2025 OWASP Top 10 for LLM applications and what changed. Read the original.