What is the OWASP Top 10 for LLM Applications?


The Open Web Application Security Project's list of the ten most critical security risks for applications built with large language models. The standard framework for understanding and mitigating LLM-specific vulnerabilities.

WHY IT MATTERS

OWASP has been the authoritative source for web application security since 2001. Their Top 10 lists have shaped how organisations prioritise security investments across every technology generation. The OWASP Top 10 for LLM Applications applies this same rigorous, community-driven methodology to the security challenges unique to large language models.

The list covers risks that are directly relevant to MCP-based agent systems: prompt injection (LLM01), insecure output handling (LLM02), training data poisoning (LLM03), model denial of service (LLM04), supply chain vulnerabilities (LLM05), sensitive information disclosure (LLM06), insecure plugin design (LLM07), excessive agency (LLM08), overreliance (LLM09), and model theft (LLM10). Several of these — particularly prompt injection, excessive agency, insecure plugin design, and sensitive information disclosure — map directly to MCP tool security concerns.

For security teams evaluating agent deployments, the OWASP Top 10 for LLMs provides a common vocabulary and risk framework. It allows teams to systematically assess their exposure: 'Have we mitigated LLM01? What is our posture on LLM08?' This structured approach is far more effective than ad-hoc security assessments.

The list is updated as the threat landscape evolves. As agents become more capable and MCP adoption grows, the risks shift. Excessive agency (LLM08) — which directly concerns agents with too many tool permissions — has become increasingly critical as tool-using agents move from experimental to production.

HOW POLICYLAYER USES THIS

Intercept addresses several OWASP Top 10 LLM risks directly. Prompt injection (LLM01) is mitigated by infrastructure-level policy enforcement that the LLM cannot bypass. Excessive agency (LLM08) is addressed through tool allowlists and argument constraints. Insecure plugin/tool design (LLM07) is mitigated by enforcing policies regardless of how individual tools are built. Sensitive information disclosure (LLM06) is addressed through output filtering and PII detection. Intercept provides the infrastructure layer that makes OWASP LLM compliance practical for agent deployments.
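The paragraph above lists mitigations that live in the proxy rather than in the model. The following is an added illustration of that idea, written for this page and not Intercept's code or its YAML policy format: a small Python tool-call gate that applies an allowlist and argument constraints (LLM08, Excessive Agency), enforces them without caring how the tool itself is built (LLM07, Insecure Plugin Design), and redacts PII from tool output before it returns to the model (LLM06, Sensitive Information Disclosure). Because the check runs outside the LLM, a prompt-injected instruction (LLM01) cannot talk the model past it. The policy dictionary, tool names, paths and PII patterns are constructed examples.

```python
"""Toy proxy-level policy enforcer for agent tool calls.

Added illustration, not Intercept's code or policy schema. The policy
dict, tool names, paths and PII patterns below are constructed examples.
"""
import re
from dataclasses import dataclass

# Constructed policy: which tools may be called and how their arguments are constrained.
POLICY = {
    "allowed_tools": {"read_file", "search_docs"},
    "constraints": {
        # read_file may only touch paths under this prefix and may not contain "..".
        "read_file": {"path_prefix": "/srv/docs/", "deny_substrings": [".."]},
        # search_docs queries are length-limited.
        "search_docs": {"max_query_len": 200},
    },
}

# Constructed PII patterns applied to tool output before it reaches the model.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass
class Decision:
    allowed: bool
    reason: str = ""


def check_call(tool: str, args: dict, policy: dict = POLICY) -> Decision:
    """Decide whether a tool call may proceed. Runs in the proxy, not in the LLM."""
    if tool not in policy["allowed_tools"]:
        return Decision(False, f"tool '{tool}' not in allowlist")
    rules = policy["constraints"].get(tool, {})
    if "path_prefix" in rules:
        path = str(args.get("path", ""))
        if any(s in path for s in rules.get("deny_substrings", [])):
            return Decision(False, "path contains a denied substring")
        if not path.startswith(rules["path_prefix"]):
            return Decision(False, f"path must start with {rules['path_prefix']}")
    if "max_query_len" in rules:
        if len(str(args.get("query", ""))) > rules["max_query_len"]:
            return Decision(False, "query too long")
    return Decision(True, "ok")


def redact(text: str) -> tuple[str, dict]:
    """Replace PII matches with tagged placeholders; return text and per-type counts."""
    counts = {}
    for name, pat in PII_PATTERNS.items():
        text, n = pat.subn(f"[REDACTED_{name.upper()}]", text)
        if n:
            counts[name] = n
    return text, counts


def proxy_tool_call(tool: str, args: dict, execute) -> dict:
    """The proxy's per-call flow: policy check -> execute tool -> filter output."""
    decision = check_call(tool, args)
    if not decision.allowed:
        return {"status": "denied", "reason": decision.reason}
    raw = execute(tool, args)  # the tool's internals are irrelevant to the policy
    clean, counts = redact(raw)
    return {"status": "ok", "output": clean, "redactions": counts}


def fake_execute(tool: str, args: dict) -> str:
    """Constructed stand-in for a real tool backend so the example runs offline."""
    return "Contact alice@example.com, SSN 123-45-6789, for /srv/docs/readme"


if __name__ == "__main__":
    print(proxy_tool_call("read_file", {"path": "/srv/docs/readme"}, fake_execute))
    print(proxy_tool_call("read_file", {"path": "/srv/docs/../secrets"}, fake_execute))
    print(proxy_tool_call("run_shell", {"cmd": "ls"}, fake_execute))
```

The design point is that `check_call` and `redact` never consult the model: the allowlist and argument rules are evaluated on the structured call, and the output filter runs on whatever the tool returns, so neither depends on the tool being well written or on the model following instructions.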

FREQUENTLY ASKED QUESTIONS

How does the OWASP Top 10 for LLMs relate to the traditional OWASP Top 10?
They are complementary. The traditional OWASP Top 10 covers web application risks (injection, broken auth, XSS). The LLM Top 10 covers risks specific to LLM-powered applications. An agent-based system may be exposed to risks from both lists — traditional web vulnerabilities in its APIs and LLM-specific risks in its agent layer.
Which OWASP LLM risks are most relevant to MCP agents?
LLM01 (Prompt Injection), LLM07 (Insecure Plugin Design — directly maps to MCP tools), LLM08 (Excessive Agency), and LLM06 (Sensitive Information Disclosure). These four risks are directly addressed by proxy-level policy enforcement.
Is OWASP Top 10 LLM compliance required by regulators?
Not yet mandated, but increasingly referenced in regulatory guidance and industry frameworks. The EU AI Act and various sector-specific regulations are aligning with OWASP's categorisation. Adopting it now positions organisations ahead of regulatory requirements.

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept →