TL;DR: The GenAI security landscape is being mapped to the OWASP Top 10 for LLM Applications (2025), highlighting runtime and development-stage coverage for prompt injection, sensitive data disclosure, excessive agency, and output-handling risks, according to Lakera. The deeper lesson is that AI security now spans lifecycle governance, not just model filtering.
NHIMG editorial — based on content published by Lakera: Aligning with the OWASP Top 10 for LLMs (2025): How Lakera Secures GenAI Applications
Questions worth separating out
Q: How should security teams govern LLM applications that can call tools and access data?
A: Treat the LLM application as a delegated identity with bounded authority.
Q: Why do generative AI systems create more risk than simple chatbots?
A: Because many GenAI systems do more than generate text.
Q: What do security teams get wrong about prompt injection?
A: They often treat prompt injection as a pure content filtering problem.
Practitioner guidance
- Separate model access from execution rights: do not let the same identity handle prompt ingestion, tool invocation, and outbound action approval.
- Red-team for prompt and output abuse: test for direct injection, indirect injection, system prompt leakage, unsafe output handling, and data exfiltration before production.
- Treat retrieval layers as governed identity surfaces: inventory which sources the model can query, which principals can influence retrieval, and which datasets are exposed through embeddings, plugins, or memory.
What's in the full article
Lakera's full article covers the operational detail this post intentionally leaves for the source:
- The per-risk coverage table showing which OWASP LLM issues Lakera Guard addresses strongly, partially, or not at all.
- The distinction between Lakera Red testing and Lakera Guard runtime protection across the AI lifecycle.
- The product-specific examples of prompt attack detection, content filtering, and custom guardrail design.
- The article's detailed mapping of supply chain, poisoning, and output-handling gaps to specific controls.
👉 Read Lakera's analysis of OWASP Top 10 for LLMs coverage in GenAI applications →
OWASP LLM risks in production: what IAM teams need to know
Explore further
LLM security is now an identity and privilege problem, not only a content problem. The article’s core value is that it maps generative AI risk to controls across the full lifecycle, including prompt attack detection, data-leak detection, and behaviour evaluation. That is the right framing for practitioners because the most damaging failures occur when a model can access something it should not, not merely when it produces a bad answer. The implication is that GenAI governance must be tied to authorisation boundaries, not just moderation rules.
A few things that frame the scale:
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate, according to the AI Agents: The New Attack Surface report.
- Only 44% have implemented policies to govern AI agents, according to SailPoint research, even though 92% say governance is critical.
A question worth separating out:
Q: How do you know if AI guardrails are actually working?
A: Guardrails are working when they block harmful behaviour without breaking legitimate workflows and when test results match runtime outcomes. Measure denied injections, blocked data leakage attempts, unsafe output rates, and whether privileged actions still require explicit policy approval. If the model can still cross trust boundaries silently, the guardrail is cosmetic.
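The identity separation in the practitioner guidance above and the measurements in this answer, as an added example that is not Lakera's code: a broker where a prompt-handling identity only proposes tool calls, a tool-runner identity executes within a bounded scope of tools and inventoried retrieval sources, privileged actions need an approver identity's grant bound to the exact action, and every denial is counted. Tool, source and identity names are constructed for the example.

```python
import hashlib, json
from collections import Counter
from dataclasses import dataclass

# Added example, not Lakera's code. Tool, source and identity names are constructed.
PRIVILEGED = {"send_email", "delete_record"}       # actions needing explicit policy approval
@dataclass(frozen=True)
class Identity:
    name: str
    tools: frozenset = frozenset()     # bounded authority: tools this identity may invoke
    sources: frozenset = frozenset()   # inventoried retrieval sources it may query
def action_digest(tool: str, args: dict) -> str:
    # An approval is bound to one exact action, so it cannot be reused for another.
    return hashlib.sha256(json.dumps([tool, args], sort_keys=True).encode()).hexdigest()
class ToolBroker:
    # Mediates between the prompt-handling identity and tool execution.
    def __init__(self, runner: Identity, approver: Identity):
        self.runner, self.approver = runner, approver
        self.approvals: set[str] = set()
        self.metrics = Counter()       # denied/allowed counts for guardrail measurement
    def approve(self, by: Identity, tool: str, args: dict) -> None:
        if by.name == self.approver.name:          # only the approver identity may grant
            self.approvals.add(action_digest(tool, args))
    def authorize(self, tool: str, args: dict) -> tuple[bool, str]:
        if tool not in self.runner.tools:
            self.metrics["denied_out_of_scope"] += 1
            return False, f"{tool} is outside the runner's scope"
        if tool == "search_docs" and args.get("source") not in self.runner.sources:
            self.metrics["denied_out_of_scope"] += 1
            return False, f"source {args.get('source')!r} is not inventoried for this identity"
        if tool in PRIVILEGED and action_digest(tool, args) not in self.approvals:
            self.metrics["denied_unapproved_privileged"] += 1
            return False, f"{tool} requires explicit policy approval"
        self.metrics["allowed"] += 1
        return True, "allowed"

def demo() -> Counter:
    ingest = Identity("llm-ingest")                 # receives prompts; holds no rights
    runner = Identity("tool-runner", frozenset({"search_docs", "send_email"}), frozenset({"public-kb"}))
    approver = Identity("policy-approver")
    broker = ToolBroker(runner, approver)
    email = {"to": "ops@example.com", "body": "weekly summary"}
    broker.authorize("search_docs", {"source": "public-kb", "q": "refund policy"})  # allowed
    broker.authorize("search_docs", {"source": "hr-records", "q": "salaries"})      # denied: source not inventoried
    broker.authorize("send_email", email)                                           # denied: no approval yet
    broker.approve(ingest, "send_email", email)     # ingest identity cannot grant; ignored
    broker.approve(approver, "send_email", email)
    broker.authorize("send_email", email)                                           # allowed
    broker.authorize("send_email", {**email, "to": "other@example.net"})            # denied: approval is action-bound
    return broker.metrics
```

If the ingest identity could reach `approve` or the approval were not bound to the exact arguments, the denied counts would drop to zero while the trust boundary was silently crossed, which is the cosmetic-guardrail case described above.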
👉 Read our full editorial: OWASP Top 10 for LLMs: what Lakera’s coverage changes