TL;DR: The OWASP Top 10 for LLM Applications 2025 maps how prompt injection, data leakage, supply-chain tampering, and excessive agency turn language-model features into enterprise security risks, according to WorkOS. The core issue is that classical app security assumes deterministic inputs and outputs, while LLM-enabled systems break that assumption at the model, retrieval, and authorization layers.
NHIMG editorial — based on content published by WorkOS: The OWASP Top 10 for LLM applications and what developers need to know
By the numbers:
- The OWASP Top 10 for LLM Applications 2025 is the industry's current consensus on what breaks.
- The article cites three new entries and reworkings of several others in the 2025 update.
Questions worth separating out
Q: How should security teams govern LLM applications that call tools and data sources?
A: Security teams should govern LLM applications as identity-rich systems, not as isolated models.
Q: Why do LLMs complicate traditional access control models?
A: LLMs complicate access control because they can transform a valid user request into unsafe data exposure or action execution after the initial login check has already passed.
Q: What breaks when prompt instructions are used as a security control?
A: Prompt instructions fail when they are treated as the source of truth for permissions, data boundaries, or action approval.
Practitioner guidance
- Move authorization out of prompts: implement access checks in application code before retrieval or tool invocation, and keep role logic out of system prompt text so a prompt leak does not expose your policy model.
- Scope model tools to the authorizing user: use per-request or per-session credentials for tools, with the narrowest permissions needed for the task and no shared high-privilege service account as the default execution path.
- Enforce permission-aware retrieval: apply tenant, document, and session-level filtering at the vector store or data layer before content reaches the model, especially in multi-tenant RAG systems.
What's in the full article
WorkOS's full article covers the operational detail this post intentionally leaves for the source:
- A walkthrough of each OWASP LLM Top 10 risk with concrete examples from production deployments.
- Control guidance for prompt injection, data leakage, supply-chain integrity, and unsafe tool execution.
- Implementation detail on where authorization should sit in LLM applications and RAG pipelines.
- The article's mapping between LLM risks and WorkOS identity and authorization primitives.
👉 Read WorkOS's analysis of the OWASP Top 10 for LLM applications →
OWASP LLM top 10: what IAM and appsec teams need to know?
Explore further
LLM security failures are identity failures once the model can retrieve data or call tools. The article shows that the dangerous part of LLM applications is not only generation, but the way output is connected to data sources, email, databases, and external actions. That moves the problem into IAM, NHI, and authorization design. Practitioners should stop treating the model as a self-contained control plane and instead govern every identity it can act through.
A few things that frame the scale:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records including chat histories, backend credentials, and API keys.
A question worth separating out:
Q: How do teams reduce excessive agency in AI-powered workflows?
A: Teams reduce excessive agency by limiting functionality, shrinking privileges, and removing approval-free execution for high-impact actions. The safest pattern is least privilege for tools, short-lived credentials tied to the initiating identity, and downstream authorization that does not depend on the model behaving correctly.
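The practitioner guidance above and this answer describe the same pattern: authorization lives in application code, tied to the initiating identity, and the model's proposed tool calls are checked against it rather than trusted. The following is an added illustration written for this editorial, not code from WorkOS or OWASP; the document set, tool policy and role names are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample corpus: every document carries a tenant and the roles allowed to read it.
DOCS = [
    {"id": "d1", "tenant": "acme", "roles": {"finance"}, "text": "Q3 payroll totals"},
    {"id": "d2", "tenant": "acme", "roles": {"staff", "finance"}, "text": "Office wifi policy"},
    {"id": "d3", "tenant": "globex", "roles": {"staff"}, "text": "Globex holiday list"},
]

# Constructed tool policy: which roles may invoke each tool. This lives in code, not in the prompt.
TOOL_POLICY = {
    "search_docs": {"staff", "finance"},
    "send_email": {"finance"},
}


@dataclass(frozen=True)
class Principal:
    """The authenticated user on whose behalf the model acts (per-request, not a shared service account)."""
    user: str
    tenant: str
    roles: frozenset


class Denied(PermissionError):
    pass


def retrieve(principal, query):
    """Permission-aware retrieval: filter by tenant and role at the data layer, before the model sees content."""
    q = query.lower()
    return [d["text"] for d in DOCS
            if d["tenant"] == principal.tenant
            and d["roles"] & principal.roles
            and q in d["text"].lower()]


def invoke_tool(principal, call):
    """Authorize a model-proposed tool call against the principal; the model's wording is never consulted."""
    name = call.get("name")
    allowed = TOOL_POLICY.get(name)
    if allowed is None or not (allowed & principal.roles):
        raise Denied(f"{principal.user} may not call {name!r}")
    if name == "search_docs":
        return retrieve(principal, call["args"]["query"])
    return f"email queued to {call['args']['to']}"  # hypothetical side effect, stubbed for the example


def run_turn(principal, proposed_calls):
    """Process every tool call the model emitted in one turn; denied calls are recorded, not executed."""
    results = []
    for call in proposed_calls:
        try:
            results.append((call["name"], invoke_tool(principal, call)))
        except Denied as e:
            results.append((call["name"], f"denied: {e}"))
    return results
```

Even if retrieved text or a user message persuades the model to emit a `send_email` call, a `staff` principal never reaches the side effect because the check runs in `invoke_tool`, not in the prompt.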
👉 Read our full editorial: OWASP LLM top 10 shows where app security breaks down