OWASP LLM risks in 2025: what changes for security teams?

TL;DR: OWASP’s 2025 update to the Top 10 for LLM applications elevates prompt injection, sensitive information disclosure, excessive agency, RAG and embedding risks, misinformation, and unbounded consumption as core GenAI security concerns. The shift shows that AI governance now has to cover runtime behaviour, data leakage, and decision scope, not just model deployment.

NHIMG editorial — based on content published by Lasso Security: OWASP Top 10 for LLM Applications and Generative AI, key updates for 2025

By the numbers:

• 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.

Questions worth separating out

Q: How should security teams reduce prompt injection risk in LLM applications?

A: Security teams should separate system instructions from user-controlled content, constrain what the model can treat as authoritative, and sanitise retrieved data before it reaches the context window.

Q: When does excessive agency become a governance problem for AI systems?

A: Excessive agency becomes a governance problem when the model can trigger actions, select tools, or move data without sufficient human or policy oversight.

Q: What do teams get wrong about system prompt leakage?

A: Teams often assume hidden prompts are protected because users cannot see them directly, but any text the application exposes to the model can potentially be recovered through crafted interactions.

Practitioner guidance

• Separate instructions from untrusted content Keep system instructions, policy text, and retrieved user content in distinct handling paths so attacker-controlled material cannot masquerade as governance text.
• Remove secrets from prompts and retrieval outputs Do not place API keys, tokens, or confidential policy data into prompt templates, memory, or retrieval results.
• Bound model tool access and action scope Limit what model-driven workflows can do, which tools they can call, and which retrieval sources they can use.

What's in the full article

Lasso Security's full analysis covers the operational detail this post intentionally leaves for the source:

• The article breaks down each OWASP LLM category with implementation context for teams already deploying GenAI.
• It highlights the specific risks behind prompt injection, sensitive disclosure, excessive agency, RAG, and unbounded consumption.
• It gives readers the vendor’s framing of why the 2025 update matters for GenAI security programmes.
• It points to the earlier OWASP LLM Top 10 so practitioners can compare the evolution of the risk model.

👉 Read Lasso Security’s analysis of the OWASP 2025 LLM Top 10 updates →

OWASP LLM risks in 2025: what changes for security teams?

Explore further

View Full Forum →  |  NHI Foundation Course →