Give an overview of the OWASP Top 10 for LLM Applications.
Short answer
The OWASP Top 10 for LLM Applications is the consensus list of the most critical risks when building with large language models. The 2025 edition covers prompt injection, sensitive information disclosure, supply chain, data and model poisoning, improper output handling, excessive agency, system prompt leakage, vector and embedding weaknesses, misinformation, and unbounded consumption. It exists because traditional appsec lists don't capture LLM-specific failure modes, and it gives teams a shared vocabulary and a checklist to prioritize controls.
The OWASP Top 10 for LLM Applications is the field's reference list of the highest-impact, most common security risks when shipping software built on large language models. It exists because the classic OWASP Top 10 for web apps doesn't describe failure modes unique to LLMs — like a model obeying instructions hidden in its input, or an over-empowered agent taking destructive actions.
The risk categories
The 2025 edition covers:
- Prompt injection — adversarial input overriding intended instructions, directly or indirectly.
- Sensitive information disclosure — leaking PII, secrets, or proprietary data via model output.
- Supply chain — risks in third-party models, datasets, plugins, and weights.
- Data and model poisoning — tampering with training or fine-tuning data to plant backdoors or bias.
- Improper output handling — trusting model output downstream, leading to XSS, SSRF, or command injection.
- Excessive agency — agents with too much permission, autonomy, or tool access.
- System prompt leakage — exposure of system prompts that hold secrets or logic.
- Vector and embedding weaknesses — attacks on RAG embeddings and vector stores.
- Misinformation — overreliance on confident but wrong output (hallucination).
- Unbounded consumption — denial-of-wallet and resource exhaustion.
Why it matters
It gives teams a shared vocabulary, a prioritization checklist, and a bridge between appsec and ML practitioners. It pairs naturally with governance frameworks like the NIST AI RMF for the program-level view.
What interviewers look for
You don't need to recite all ten verbatim, but you should name the headline risks, explain why LLMs need their own list, and connect a couple of items to concrete mitigations.
Likely follow-ups
- Which OWASP LLM risk do you think is hardest to mitigate, and why?
- How does 'excessive agency' show up in agentic systems?
- How would you map these risks to a threat model for a RAG chatbot?