30 Days Gen AI Risk Trial -Start Now
Book a demo
Free Template · LLM Security

OWASP LLM Top 10 Security ChecklistOne Review for Every LLM System You Build or Buy

The OWASP Top 10 for LLM Applications (2025 edition) defines the most critical security risks in LLM-powered systems. This checklist turns all ten into a practical review: plain-English descriptions, 66 concrete review items, evidence to collect for each risk, and a summary scorecard. Every item is tagged for teams building LLM features and teams assessing vendor AI products.

The Ten Risks at a Glance

The checklist dedicates a full section to each OWASP risk: a plain-English description, 5 to 8 review items with checkboxes, an evidence list, and a severity and status field.

LLM01
Prompt Injection
Crafted or hidden instructions make the model ignore its rules and act against your intent.
LLM02
Sensitive Information Disclosure
The model reveals personal data, secrets, or other users' content through outputs, logs, or training data.
LLM03
Supply Chain
Compromised models, datasets, or dependencies undermine every control layered on top of them.
LLM04
Data and Model Poisoning
Tampered training or embedding data plants backdoors, bias, or hidden triggers in model behavior.
LLM05
Improper Output Handling
Blindly trusted model output becomes an injection engine for XSS, SQL injection, and code execution.
LLM06
Excessive Agency
AI that can do more than it needs turns one bad decision into real-world damage.
LLM07
System Prompt Leakage
Extracted system prompts expose secrets and business rules, and defeat guardrails that only live in the prompt.
LLM08
Vector and Embedding Weaknesses
Weak controls in RAG retrieval layers let attackers read or influence what the model sees.
LLM09
Misinformation
Confident but wrong output feeds decisions and publications without review.
LLM10
Unbounded Consumption
Uncapped usage leads to runaway costs, degraded service, and model extraction.

Built for Builders and Buyers

Most organizations both build LLM features and buy products with embedded AI. Every checklist item is tagged Build, Buy, or Both, so one pass covers your whole estate.

If you build LLM features

Engineering and security teams shipping chatbots, copilots, RAG pipelines, or agents.

  • Design review items for trust boundaries, output handling, and least privilege
  • Adversarial testing checks for direct and indirect prompt injection
  • Pipeline controls for training data provenance and model evaluation
  • Operational limits: rate caps, budgets, kill switches, and logging

If you assess vendor AI products

Security, GRC, and procurement teams reviewing SaaS tools with embedded LLM capabilities.

  • Questions to put to vendors on injection defenses, data use, and retention
  • Contract checks: no training on your data, deletion rights, consumption caps
  • Due diligence on sub-processors and upstream model providers
  • Controls you can configure: permissions, approvals, and audit logs

How to Run the Review

A structured pass takes a focused team a few hours per system. The checklist walks you through it step by step.

1
Scope your LLM estate
List every system where an LLM handles untrusted input, touches sensitive data, or takes actions: built, bought, and embedded AI features.
2
Work through the ten risks
Mark each review item Pass, Fail, or N/A, skipping items that do not match your Build or Buy relationship to the system.
3
Collect evidence as you go
Each section lists the artifacts that turn a Pass into a defensible finding: test reports, configurations, contracts, and logs.
4
Score and assign owners
Record severity and status per risk in the summary scorecard, and raise an action with an owner and target date for every Fail.
5
Repeat on change
Re-run the review after remediation, when a system changes materially, and at least annually. Watch for vendor products that quietly gain AI features.
Get started

Know every LLM system before you secure it

A checklist only covers the systems you know about. Aona AI discovers every AI tool in use across your organization, monitors what data flows into them, and keeps your review scope complete.