TL;DR: Enterprises are adopting LLMs quickly, with 72% expecting increased spending and about 40% already investing more than $250,000 a year, while OWASP’s LLM Top 10 highlights prompt injection, data poisoning, and uncontrolled resource use as core risks, according to Kong. Traditional application security does not map cleanly to stochastic AI systems, so governance now has to cover prompts, data flow, and runtime observability.
NHIMG editorial — based on content published by Kong: Securing Enterprise AI: OWASP Top 10 LLM Vulnerabilities Guide
By the numbers:
- 72% anticipate increased LLM spending in the coming year.
- OWASP’s Top 10 for LLM Applications 2025 was released in November 2024.
Questions worth separating out
Q: How should security teams control prompt injection in enterprise LLMs?
A: Security teams should control prompt injection by treating prompts as untrusted input, filtering malicious patterns before model execution, templating system instructions separately from user content, and constraining what external data the model can ingest.
Q: Why does retrieval-augmented generation create new governance risk?
A: Retrieval-augmented generation creates new governance risk because the model can only be as trustworthy as the knowledge sources it retrieves from.
Q: What do organisations get wrong about AI security monitoring?
A: Organisations often monitor only model output and miss the upstream signals that show abuse, such as repeated retries, unusual token consumption, or changes to retrieval sources.
Practitioner guidance
- Map LLM trust boundaries end to end Document where user prompts, retrieved content, system prompts, tool calls, and model outputs cross security boundaries.
- Enforce gateway-level prompt and content controls Apply filtering, templating, and policy checks before prompts reach the model and before model output reaches business workflows.
- Treat retrieval sources as governed assets Limit which vector databases, documents, and embedding sources can feed production models, then track changes to those sources with audit trails.
What's in the full article
Kong's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step examples of how Kong AI Gateway applies specific plugins to prompt injection, sensitive information disclosure, and vector database access.
- Architecture detail on how runtime observability, logs, metrics, and traces are used to monitor AI traffic across multiple providers.
- Implementation guidance for pairing OIDC, ACLs, rate limiting, and AI-specific guards in production workflows.
- Environment-specific deployment considerations for cloud, hybrid, on-premises, and air-gapped AI use cases.
👉 Read Kong's analysis of OWASP Top 10 LLM vulnerabilities and AI gateway controls →
OWASP LLM risks: what IAM and AI teams need to fix first?
Explore further
LLM security is now an identity governance problem, not just an application security problem. Once a model can consume prompts, context, and external data, the governance question becomes who or what is authorised to influence that decision path. That is why prompt injection, retrieval poisoning, and uncontrolled resource use should be read as access-control failures in disguise. Practitioner conclusion: model security programmes need identity boundaries around inputs as well as outputs.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: How can teams decide whether to prioritise AI guardrails or traditional app controls?
A: Teams should prioritise AI guardrails when the model can influence decisions through natural language, external retrieval, or tool use, because traditional app controls do not reliably separate safe input from malicious instruction in that environment. Standard application security still matters, but it is insufficient on its own once the model becomes part of the decision path.
👉 Read our full editorial: OWASP LLM vulnerabilities expose gaps in enterprise AI governance