Notifications
Clear all
Topic starter
10/06/2026 12:53 am
TL;DR: OWASP’s 2025 update to the Top 10 for LLM applications elevates prompt injection, sensitive information disclosure, excessive agency, RAG and embedding risks, misinformation, and unbounded consumption as core GenAI security concerns. The shift shows that AI governance now has to cover runtime behaviour, data leakage, and decision scope, not just model deployment.
NHIMG editorial — based on content published by Lasso Security: OWASP Top 10 for LLM Applications and Generative AI, key updates for 2025
By the numbers:
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
Questions worth separating out
Q: How should security teams reduce prompt injection risk in LLM applications?
A: Security teams should separate system instructions from user-controlled content, constrain what the model can treat as authoritative, and sanitise retrieved data before it reaches the context window.
Q: When does excessive agency become a governance problem for AI systems?
A: Excessive agency becomes a governance problem when the model can trigger actions, select tools, or move data without sufficient human or policy oversight.
Q: What do teams get wrong about system prompt leakage?
A: Teams often assume hidden prompts are protected because users cannot see them directly, but any text the application exposes to the model can potentially be recovered through crafted interactions.
Practitioner guidance
- Separate instructions from untrusted content Keep system instructions, policy text, and retrieved user content in distinct handling paths so attacker-controlled material cannot masquerade as governance text.
- Remove secrets from prompts and retrieval outputs Do not place API keys, tokens, or confidential policy data into prompt templates, memory, or retrieval results.
- Bound model tool access and action scope Limit what model-driven workflows can do, which tools they can call, and which retrieval sources they can use.
What's in the full article
Lasso Security's full analysis covers the operational detail this post intentionally leaves for the source:
- The article breaks down each OWASP LLM category with implementation context for teams already deploying GenAI.
- It highlights the specific risks behind prompt injection, sensitive disclosure, excessive agency, RAG, and unbounded consumption.
- It gives readers the vendor’s framing of why the 2025 update matters for GenAI security programmes.
- It points to the earlier OWASP LLM Top 10 so practitioners can compare the evolution of the risk model.
👉 Read Lasso Security’s analysis of the OWASP 2025 LLM Top 10 updates →
OWASP LLM risks in 2025: what changes for security teams?
Explore further
11/06/2026 2:27 am
Prompt injection is now an identity control problem as much as an application security problem. Once a model can be steered through untrusted input, the real failure is that the system accepted attacker-authored language inside a trusted decision path. That makes input trust, instruction separation, and retrieval hygiene governance issues, not just model-tuning issues. Practitioners should treat prompt handling as part of access control design.
A few things that frame the scale:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- Only 44% of organisations have implemented any policies to govern AI agents, even though 92% say that governing them is critical to enterprise security.
A question worth separating out:
Q: How should organisations govern RAG-based AI workflows?
A: Organisations should govern retrieval sources, indexing pipelines, and embedding stores as part of the application’s trust chain. If malicious or low-quality content can enter retrieval, it can steer model outputs and downstream decisions. The practical test is whether the model can be influenced by content it should never have trusted in the first place.
👉 Read our full editorial: OWASP's 2025 LLM risk update raises the bar on AI governance
12/06/2026 4:01 am
Prompt injection is now an identity control problem as much as an application security problem. Once a model can be steered through untrusted input, the real failure is that the system accepted attacker-authored language inside a trusted decision path. That makes input trust, instruction separation, and retrieval hygiene governance issues, not just model-tuning issues. Practitioners should treat prompt handling as part of access control design.
A few things that frame the scale:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- Only 44% of organisations have implemented any policies to govern AI agents, even though 92% say that governing them is critical to enterprise security.
A question worth separating out:
Q: How should organisations govern RAG-based AI workflows?
A: Organisations should govern retrieval sources, indexing pipelines, and embedding stores as part of the application’s trust chain. If malicious or low-quality content can enter retrieval, it can steer model outputs and downstream decisions. The practical test is whether the model can be influenced by content it should never have trusted in the first place.
👉 Read our full editorial: OWASP's 2025 LLM risk update raises the bar on AI governance
