OWASP Top 10 LLM Applications Newsletter - November '24 Edition

The next version, dubbed v2025, is out !!

Greetings Gen AI Security Enthusiasts and OWASP Community Members!

Generative Insights : Reflections from the Editorial Desk

  • The much-anticipated 2025 update to OWASP Top 10 LLM Risks, Vulnerabilities & Mitigations is released—it's like Christmas came early for the LLM community !

    • Plus, I have gathered some truly insightful comments that reflect the essence of what the OWASP Top 10 LLM Risks is all about !!

  • There is more !!

    1. The Red Teaming Initiative is finalizing the alpha version of Red Teaming Methodologies, Guidelines & Best Practices

    2. The Guide for Preparing and Responding to Deepfake Events addresses the growing threat of “hyper realistic digital forgeries”

    3. The Center of Excellence Guide provides a business framework and a set of best practices

    4. The AI Security Solution Landscape Guide serves as a comprehensive reference, offering insights

There's plenty to dive into and reflect on — but don't let that overwhelm you !

Stay curious and keep reading …

📋 Let’s dive into the 2025 Top 10 LLM Risks & Mitigations …📋

🎉 The wait is over! After months of thoughtful discussions and two rounds of community voting, the OWASP Top 10 LLM Applications – V2025 is finally here !

This milestone is a testament to our collective effort and dedication. A huge THANK YOU to everyone who contributed – this wouldn’t have been possible without you !!

As Steve points out, “Together, we’re shaping the future of AI security and ensuring safer, more resilient systems.”

As you can imagine, there are lots of passionate and insightful discussions in the various Slack v2025 channels.

A few key quotes stood out—perfectly encapsulating the essence of the OWASP Top 10 LLM Risks and highlighting the nuanced challenges/critical thinking required to address LLM risks effectively.

  1. The OWASP Top 10 LLM Risks is an awareness doc

    • Steve has insightful guiding comments: 

    • The most important thing to get right is the description.  People need to understand the concept of why they even need to worry about it and why it’s a concern. 

    • Once they actually understand that problem set, they can search out their own resources (although including some high value ones to help is great). The idea of having a longer form blog on the subject for people who want to go deep is still a great idea.

  2. It’s a top list, not an everything list !

    • We should strive to avoid dilution for completeness' sake and focus on urgent issues

  3. There will be overlaps - it is not a rationalized, mutually exclusive taxonomy

    • Steve : I've never been bothered by the fact there's some overlap between some of the concepts.  I view the document's intent as a whole to get people thinking about the risks rather than as an entirely rationalized, mutually exclusive taxonomy of issues. 

  4. Excessive Agency vs Insecure output

    • Steve provided a compelling analogy : 

    • Excessive Agency is more about intentional design decisions (someone decides that it is a good idea for HAL to manage the life support systems on the Discovery), vs. tricking the LLM into generating some sneaky code (which I'd put more in the output handling bucket).

  5. Prompt Injection vs. Jailbreaking

    • Heather Lin offered clarity on these often-confused terms :

    • I've been thinking of prompt injection as a mechanism to break out of the context provided by prompt engineering or other application-level controls that are designed to shape input (prompt) to control the behavior of an LLM, whereas jailbreaking is a mechanism designed to bypass model guardrails and alignment.

    • Both are input-oriented attacks, but they have distinct targets in the overall stack. In most cases, you aren't going to achieve a successful jailbreak without a successful prompt injection.

    • As a result of this thinking, prompt injection can have numerous consequences, including data leakage, abuse of agency, or even harmful generation (assuming that there are insufficient guardrails or alignment in the first place)

  6. Jailbreaking LLMs vs traditional Jailbreaking

    • Rachel James drew parallels to the original use of the term "jailbreaking" :

    • The word "jailbreak" was originally applied in the context of devices - in particular mobile phones - where once something is "jailbroken" it is free from the limitations of the device's behavior as imposed by the creator.

    • When prompt injection leads to a jailbreak state, it is not always "universal" - meaning that sometimes when I pen test an AI, I can use prompt injections to "jailbreak" it to give me bomb instructions but that doesn't always mean you can then turn around and ask for the formula to make meth and it will work. Sometimes I have to "start over" with my prompt injections to get to a different jailbreak state where it will give me instructions for meth. I hope that helps

    Differences from v1.1

    • What are the differences ? - you might ask. And, our own Sandy Dunn has a succinct diagram !

    • Here is what the industry is saying about the new T10 release

🧰 Red Teaming Methodologies, Guidelines & Best Practices 🧮

We’ve reached a critical milestone with the content—it’s shaping up well, but there’s still work to be done. Editing and normalization are ongoing. You can explore the document here. 

We plan to release a Public Beta by Dec 20th

Your feedback is invaluable—let’s refine this together! 🚀 

Please take a few minutes to review the alpha version [here] - focussing on these 3 key areas:
1️⃣ Overall Structure – Does the flow make sense? Is it clear and logical?
2️⃣ Content Suitability – Is the content relevant, impactful, and on point?
3️⃣ Glaring Omissions – Are there any sections or important details missing?

Guide for Preparing and Responding to Deepfake Events

  • The AI Cyber Threat Intelligence initiative focuses on exploit detectability, differences in model outputs, and ethical AI usage. This new resource highlights practical and pragmatic defense strategies to ensure organizations are secure as deepfake technology continues to improve.

  • The blog from the research team is a very informative resource.

  • More industry observations

AI Security Solution Landscape Guide

  • The LLM and Generative AI Security Solutions Landscape [here] provides a reference guide of the solutions available to aid in securing LLM applications, equipping readers with the knowledge and tools necessary to build robust, secure AI applications.

Center of Excellence Guide

  • The CoE Guide [here] is an excellent resource for CISO security teams and cross-functional leadership. Establishing a Center of Excellence (CoE) for Generative AI Security aims to bring together diverse groups such as security, legal, data science, operations, and end-users to foster collaboration, develop best practices, and ensure safe, efficient deployment of AI capabilities.

Well, that’s a wrap for this edition !

Thanks for tuning in, and see you all next month!

🔗 OWASP LLM Documents & Links 🔗

  • Previous newsletters (to catch up after marveling at our eloquence 🙃) [Here]

  • OWASP Top 10 LLM main site [Here]

📱Stay Connected📱

Aubrey King has expanded our social media reach across various platforms including LinkedIn, YouTube, Twitter (Agree with Will, not going to say X), and soon even more! Follow and don’t be shy to re-share any content we post! BTW, if you're presenting anything related to our project externally, do let us know at [email protected] so we can review and blast out to our social media followers!

💭 Closing Thoughts 💭

We look forward to seeing you in our Slack channels and at our upcoming meetings!

Till next time … Stay Secure & Stay Sharp

Krishna Sankar
LinkedIn | Medium | Github