OWASP LLM risks: what IAM and AI teams need to fix first

TL;DR: Enterprises are adopting LLMs quickly, with 72% expecting increased spending and about 40% already investing more than $250,000 a year, while OWASP’s LLM Top 10 highlights prompt injection, data poisoning, and uncontrolled resource use as core risks, according to Kong. Traditional application security does not map cleanly to stochastic AI systems, so governance now has to cover prompts, data flow, and runtime observability.

NHIMG editorial — based on content published by Kong: Securing Enterprise AI: OWASP Top 10 LLM Vulnerabilities Guide

By the numbers:

• 72% anticipate increased LLM spending in the coming year.
• OWASP’s Top 10 for LLM Applications 2025 was released in November 2024.

Questions worth separating out

Q: How should security teams control prompt injection in enterprise LLMs?

A: Security teams should control prompt injection by treating prompts as untrusted input, filtering malicious patterns before model execution, templating system instructions separately from user content, and constraining what external data the model can ingest.

Q: Why does retrieval-augmented generation create new governance risk?

A: Retrieval-augmented generation creates new governance risk because the model can only be as trustworthy as the knowledge sources it retrieves from.

Q: What do organisations get wrong about AI security monitoring?

A: Organisations often monitor only model output and miss the upstream signals that show abuse, such as repeated retries, unusual token consumption, or changes to retrieval sources.

Practitioner guidance

• Map LLM trust boundaries end to end Document where user prompts, retrieved content, system prompts, tool calls, and model outputs cross security boundaries.
• Enforce gateway-level prompt and content controls Apply filtering, templating, and policy checks before prompts reach the model and before model output reaches business workflows.
• Treat retrieval sources as governed assets Limit which vector databases, documents, and embedding sources can feed production models, then track changes to those sources with audit trails.

What's in the full article

Kong's full article covers the operational detail this post intentionally leaves for the source:

• Step-by-step examples of how Kong AI Gateway applies specific plugins to prompt injection, sensitive information disclosure, and vector database access.
• Architecture detail on how runtime observability, logs, metrics, and traces are used to monitor AI traffic across multiple providers.
• Implementation guidance for pairing OIDC, ACLs, rate limiting, and AI-specific guards in production workflows.
• Environment-specific deployment considerations for cloud, hybrid, on-premises, and air-gapped AI use cases.

👉 Read Kong's analysis of OWASP Top 10 LLM vulnerabilities and AI gateway controls →

OWASP LLM risks: what IAM and AI teams need to fix first?

Explore further

View Full Forum →  |  NHI Foundation Course →