Notifications
Clear all
Topic starter
06/06/2026 11:23 am
TL;DR: OWASP’s 2025 Top 10 for LLM Applications adds new categories for excessive agency, system prompt leakage, vector weaknesses and unbounded consumption, while reworking earlier risks around prompt injection, disclosure and supply chain exposure. The update shows that AI security now hinges on identity, access and control boundaries rather than model quality alone, according to Aembit. Access review assumptions break when nonhuman actors can act, leak and chain decisions inside a single session.
NHIMG editorial — based on content published by Aembit: the 2025 OWASP Top 10 for LLM applications and what changed
Questions worth separating out
Q: How should security teams handle trust assumptions in LLM and AI agent workflows?
A: Treat the model as an untrusted decision layer and keep security enforcement in external systems.
Q: Why do LLMs and AI agents create new identity governance problems?
A: Because they can consume data, call tools and act on behalf of the organisation without fitting the old human request-response model.
Q: What breaks when system prompts are used as security controls?
A: The control becomes visible to the attacker the moment the model can reveal or infer it.
Practitioner guidance
- Separate instruction, data and retrieval paths Keep user input, system instructions and retrieved content in distinct control planes so a poisoned document cannot become a hidden command channel.
- Move authorization outside the model Enforce access decisions in deterministic external systems rather than in system prompts or model-generated reasoning.
- Constrain agent tool access by task Review every tool, connector and API an agent can reach, then remove anything not required for the specific workflow.
What's in the full article
Aembit’s full article covers the operational detail this post intentionally leaves for the source:
- Side-by-side explanations of all 10 OWASP LLM categories and how each changed in the 2025 update.
- Practical mitigation examples for prompt injection, output handling and excessive agency in agentic workflows.
- Specific guidance on system prompt design, retrieval hygiene and tool permission scoping for AI applications.
- The article’s commentary on why security teams are still catching up to the pace of AI adoption.
👉 Read Aembit’s analysis of the 2025 OWASP Top 10 for LLM applications →
OWASP top 10 for LLMs: what IAM teams need to know?
Explore further
06/06/2026 12:10 pm
OWASP’s LLM risk model now reads like an identity control map, not just an application checklist. Prompt injection, output abuse and prompt leakage all become governance problems once the model can influence tools, data paths and business actions. That means the decisive question is no longer whether the model is accurate enough, but whether its identity boundaries are narrow, external and enforceable. Practitioners should treat the framework as a blueprint for runtime trust decisions, not a static testing list.
A few things that frame the scale:
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving nearly half of organisations without a complete compliance or breach-investigation view.
A question worth separating out:
Q: How can organisations reduce excessive agency in AI agents?
A: Limit the tool set to what each workflow actually needs, require approvals for high-impact steps and verify every sensitive action in a system that is independent of the model. If an agent can act broadly, the problem is not just model behaviour but over-assigned privilege. Scope reduction is the first line of defence.
👉 Read our full editorial: OWASP top 10 for LLMs shows identity gaps in agentic AI
