
OWASP LLM risks: what IAM teams need to control now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: OWASP’s updated 2025 Top 10 for LLM applications elevates prompt injection, sensitive information disclosure, supply chain exposure, and excessive agency as the most relevant risks for copilots, chatbots, and agents, according to Pomerium. Identity-aware, policy-backed access is now the control layer that determines whether prompt-driven systems can reach data or tools safely.

NHIMG editorial — based on content published by Pomerium: The OWASP Top 10 for LLMs and How to Defend Against Them

By the numbers:

Questions worth separating out

Q: How should security teams control prompt injection in LLM applications?

A: Security teams should control prompt injection by restricting what the model can reach, not only what it can say.

Q: Why does sensitive information disclosure become an identity problem in LLM systems?

A: Sensitive information disclosure becomes an identity problem because the model can only expose what its connected accounts and routes allow it to access.

Q: What do security teams get wrong about LLM access control?

A: Many teams focus on the model output and miss the privilege scope behind the workflow.

Practitioner guidance

  • Constrain every LLM route with explicit authorization: map each prompt-driven workflow to the exact data sources, APIs, and tools it may reach, then block all other paths at the access layer.
  • Replace static secrets with short-lived, identity-bound access: use ephemeral credentials for model-connected services and avoid long-lived API keys in copilots, agents, and retrieval pipelines.
  • Separate read, write, and action privileges in AI workflows: assign different permissions to retrieval, summarization, and execution steps so the model cannot move from reading content to changing state without a distinct control decision.
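The three controls above, and the Q&A point that prompt injection is contained by limiting what the model can reach rather than what it can say, come together in a single policy decision point in front of every tool or data call. The following is an added example written for this post; it is not Pomerium's code or API. It assumes a constructed route table (route names, group names and users are invented), an HMAC-signed token format standing in for whatever short-lived credential a real gateway would mint, and a three-level read/write/act scope ladder.

```python
"""Identity-bound, per-route authorization for LLM tool and data calls.

Added example (not Pomerium's code). It models: a route policy that maps each
workflow step to the one backend it may reach, a short-lived token bound to
one user, one route and one scope, and a read/write/act ladder so a retrieval
credential cannot be reused to change state.
"""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Constructed signing key for the example; a real gateway holds its own.
GATEWAY_KEY = b"demo-gateway-key-not-for-production"

# Privilege ladder: a token at level n may perform actions at level <= n.
SCOPE_RANK = {"read": 0, "write": 1, "act": 2}


@dataclass(frozen=True)
class Route:
    name: str                 # the tool or data source one agent step may call
    allowed_groups: frozenset # identity groups that may be issued a token for it
    max_scope: str            # highest privilege the route may ever grant


# Constructed policy table: one route per prompt-driven workflow step.
ROUTES = {
    "retrieval/kb": Route("retrieval/kb", frozenset({"analysts", "support"}), "read"),
    "summarize/ticket": Route("summarize/ticket", frozenset({"support"}), "read"),
    "ticketing/create": Route("ticketing/create", frozenset({"support-leads"}), "act"),
}

DENIED_LOG = []  # every denial is logged; a burst here is a prompt-injection signal


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def issue_token(user, groups, route, scope, ttl_s=300, now=None) -> str:
    """Mint a short-lived token bound to one identity, one route and one scope.
    Refuses (ValueError) if policy could never allow that route/scope for the user."""
    policy = ROUTES.get(route)
    if policy is None or not policy.allowed_groups.intersection(groups):
        raise ValueError(f"{user} is not authorized for route {route}")
    if SCOPE_RANK[scope] > SCOPE_RANK[policy.max_scope]:
        raise ValueError(f"route {route} cannot grant scope {scope}")
    now = time.time() if now is None else now
    claims = {"sub": user, "route": route, "scope": scope, "exp": now + ttl_s}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def _deny(route, reason):
    DENIED_LOG.append({"route": route, "reason": reason})
    return False, reason


def authorize(token, route, action_scope, now=None):
    """Policy decision for one call. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = _b64(hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return _deny(route, "bad signature")
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except ValueError:  # covers bad split, bad base64 and bad JSON
        return _deny(route, "malformed token")
    if claims["exp"] < now:
        return _deny(route, "token expired")
    if claims["route"] != route:
        return _deny(route, f"token bound to {claims['route']}, not {route}")
    if SCOPE_RANK[action_scope] > SCOPE_RANK[claims["scope"]]:
        return _deny(route, f"{action_scope} exceeds token scope {claims['scope']}")
    return True, "ok"


def demo(now=1_700_000_000):
    """A retrieval step, then attempts to stretch that credential beyond its route."""
    results = {}
    t = issue_token("alice", {"support"}, "retrieval/kb", "read", now=now)
    results["read_ok"] = authorize(t, "retrieval/kb", "read", now=now)[0]
    # An injected instruction tries to create a ticket with the retrieval token.
    results["reuse_for_action"] = authorize(t, "ticketing/create", "act", now=now)[0]
    # Scope escalation on the same route is refused as well.
    results["write_on_read_route"] = authorize(t, "retrieval/kb", "write", now=now)[0]
    # Ephemeral credential: the same token is worthless once its TTL has passed.
    results["expired"] = authorize(t, "retrieval/kb", "read", now=now + 600)[0]
    # Tampered token: one signature character changed.
    bad = t[:-1] + ("A" if t[-1] != "A" else "B")
    results["tampered"] = authorize(bad, "retrieval/kb", "read", now=now)[0]
    # Minting is refused at the source when the user's groups never match the route.
    try:
        issue_token("alice", {"support"}, "ticketing/create", "act", now=now)
        results["mint_for_unauthorized_route"] = True
    except ValueError:
        results["mint_for_unauthorized_route"] = False
    return results


if __name__ == "__main__":
    print(demo())
    print(DENIED_LOG)
```

The point to notice is that the model's output is never inspected: the decision rests on who the caller is, which route the credential was minted for, and whether the requested privilege level fits the scope of that route. Every denial lands in `DENIED_LOG`, which is the stream a monitoring team would watch for the clustered refusals that a prompt-injection attempt produces.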

What's in the full article

Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:

  • Identity-aware proxy setup for securing AI routes and internal applications
  • Per-route policy examples for restricting tools and data sources by user or group
  • Logging and monitoring details for denied attempts that may indicate prompt injection
  • Step-by-step guidance for connecting an identity provider such as Okta or Azure AD

👉 Read Pomerium's analysis of the OWASP Top 10 for LLM security risks →
