Skip to content

AI Leaders' Guide to LLM Top 10 Risks - Updated for 2025

AI Security Breaches Header

In this article, we will discuss the OWASP Top 10 for Large Language Models (LLMs) which has just been updated for 2025, and if you're deploying AI systems, you need to understand what's changed. This is not to provoke fear, but to highlight practical risks that are actively affecting businesses today.

McDonald's discovered this when a security oversight in their AI chatbot exposed over 64 million job applicants' personal information in 2025¹. Meanwhile, cybercriminals are hijacking cloud hosted LLMs in "LLMjacking" attacks through operations like Storm-2139, which Microsoft exposed in February 2025². These aren't theoretical risks; they're happening right now.

What is the OWASP Top 10 for LLMs?

The OWASP Top 10 for LLMs is a comprehensive security framework that identifies and ranks the most critical security risks specific to Large Language Model applications. It serves as an industry standard guide for developers, security professionals, and organisations deploying AI systems to understand, prioritise, and mitigate LLM-specific vulnerabilities.

The framework covers risks ranging from prompt injection attacks and data poisoning to supply chain vulnerabilities and excessive AI agency, providing practical guidance for building secure AI applications.

➜ learn more here: OWASP Top 10 for LLMs 2025

What's in the 2025 Update?

The 2025 update reflects how quickly the AI threat landscape is evolving. Four completely new risks have made it into the top 10: System Prompt Leakage, Vector and Embedding Weaknesses, Misinformation, and Unbounded Consumption. At the same time, Model Theft has dropped out of the top 10, showing how priorities have shifted as we've learned more about securing AI systems.

This evolution tells us something important: AI security is moving fast, and what worked last year might not protect you today.

Let me walk you through each of these risks without the jargon using real world examples.

LLM01: Prompt Injection

What it is: This is when someone tricks your AI system into ignoring its original instructions and doing something else entirely.

Real world example: In 2024, researchers discovered a "copy paste injection exploit" where hidden prompts embedded in copied text allowed attackers to exfiltrate chat history and sensitive user data once pasted into ChatGPT³. More recently, attackers exploited CVE-2024-5184 in an LLM powered email assistant to inject malicious prompts, allowing access to sensitive information and manipulation of email content.

Why it matters: Prompt injection is like social engineering for AI systems. If your AI has access to databases, APIs, or can take actions on behalf of users, a successful prompt injection could lead to data theft, unauthorised transactions, or system compromise.

LLM02: Sensitive Information Disclosure

What it is: Your AI accidentally reveals information it shouldn't. This could be training data, user conversations, internal business logic, or confidential details.

Real world example: In September 2024, security researcher Johann Rehberger demonstrated the "SpAIware" exploit, where attackers could use prompt injection to plant malicious instructions in ChatGPT's memory feature, enabling continuous data exfiltration across multiple conversations. OpenAI patched this vulnerability in ChatGPT version 1.2024.247. Additionally, research published in June 2024 showed how ChatGPT 4 and 4o were susceptible to prompt injection attacks that could exfiltrate users' personal data by exploiting the memory feature.

Why it matters: Unlike traditional data breaches where hackers break in, here your AI is voluntarily sharing information through normal conversation. The risk increases when employees use public AI services for business purposes without proper controls.

LLM03: Supply Chain Vulnerabilities

What it is: Security risks in the AI models, tools, or datasets you're using from third parties. This includes open source models, APIs, or pre-trained systems.

Real world example: CVE-2024-34359 affected the popular llama_cpp_python package, potentially compromising over 6,000 AI models on Hugging Face. Additionally, JarkaStealer malware was disguised as an AI chatbot tool and downloaded over 1,700 times across more than 30 countries, while Ultralytics YOLO AI was compromised with cryptomining malware.

Why it matters: Just like software supply chain attacks, AI supply chains can be compromised. If you're using third party models or datasets, you need to verify their integrity and provenance.

LLM04: Data and Model Poisoning

What it is: Attackers manipulate your AI's training data or learning process to influence its behaviour. This can happen during initial training, fine tuning, or ongoing learning.

Real world example: Researchers have demonstrated how injecting specific phrases into training data can create hidden "backdoors" that activate when triggered, causing the AI to behave maliciously while appearing normal during testing. These attacks are particularly concerning in federated learning environments where multiple parties contribute to model training.

Why it matters: If your AI learns from user interactions or external data sources, it can be deliberately influenced to provide biased, incorrect, or harmful outputs. This is particularly concerning for AI systems that make automated decisions.

LLM05: Improper Output Handling

What it is: Treating AI generated content as safe without proper validation. This happens when AI outputs are used directly in web applications, databases, or system commands.

Real world example: An AI system generates SQL queries based on user requests, but doesn't sanitise the output. An attacker uses prompt injection to make the AI generate a malicious SQL query that gets executed directly, leading to database compromise.

Why it matters: AI outputs can contain code, scripts, or malicious content. If you execute or display AI generated content without validation, you're essentially giving attackers a new way to inject malicious code into your systems.

LLM06: Excessive Agency

What it is: Giving your AI too much autonomy or access to functions it doesn't need. This includes permissions to access sensitive systems, make financial transactions, or modify important data.

Real world example: Air Canada's chatbot was given authority to provide refund information, but without proper constraints. In February 2024, a customer manipulated the chatbot to obtain a refund larger than expected, leading to financial losses for the airline.

Why it matters: AI systems don't understand context the way humans do. If you give them broad permissions, they'll use them when prompted, even if it's not what you intended. Principle of least privilege applies to AI just as much as human users.

LLM07: System Prompt Leakage

What it is: Your AI's system instructions, the behind the scenes prompts that define its behaviour, get revealed to users. These often contain sensitive business logic, credentials, or strategic information.

Real world example: In 2024, many custom OpenAI GPTs were found to be vulnerable to prompt injection, causing them to disclose proprietary system instructions and API keys when users crafted specific queries to extract the underlying system prompts¹⁰.

Why it matters: System prompts are like configuration files for your AI. They often contain information about your business processes, security controls, and strategic decisions that you wouldn't want competitors or attackers to see.

LLM08: Vector and Embedding Weaknesses

What it is: Security flaws in RAG (Retrieval Augmented Generation) systems where AI searches through your company's documents and data to answer questions.

Real world example: An attacker crafts specific queries that exploit how the vector database searches for relevant documents, allowing them to access information they shouldn't have permission to see, or to manipulate the search results to influence the AI's responses.

Why it matters: If you're using AI to query your knowledge base or documents, vulnerabilities in the search mechanism could lead to unauthorised data access or manipulation of the information your AI uses to make decisions.

LLM09: Misinformation

What it is: Your AI generates false information that appears credible. This isn't just about "hallucinations" but about the security implications when false information affects business decisions or user actions.

Real world example: An AI system used for code review confidently suggests a "security best practice" that actually contains a vulnerability. Developers trust the AI recommendation and implement the flawed code, creating security holes in production systems.

Why it matters: AI misinformation becomes a security vulnerability when it influences critical decisions, especially in areas like security recommendations, compliance advice, or system configurations where wrong information could create real vulnerabilities.

LLM10: Unbounded Consumption

What it is: Your AI systems consume excessive computational resources, either through attack or poor design, leading to service disruptions and unexpected costs.

Real world example: Microsoft's Digital Crimes Unit identified the Storm-2139 operation in February 2025, where four individuals were selling unauthorised access to Azure AI services. The attackers used stolen API keys to run LLM workloads for generating explicit content, effectively hijacking cloud resources and passing costs to victim organisations².

Why it matters: LLM operations are expensive. Without proper controls, attackers can weaponise your AI infrastructure against you, creating denial of service conditions while driving up your operational costs.

What this means for your organisation

The OWASP Top 10 for LLMs isn't just a technical checklist but a business risk framework. Each of these vulnerabilities can impact your organisation differently depending on how you're using AI.

If you're using AI for customer service, focus on prompt injection and excessive agency controls. If you're building internal AI tools, pay special attention to sensitive information disclosure and system prompt leakage. If you're using RAG systems, vector and embedding weaknesses should be a priority.

The key takeaway? AI security isn't something you can bolt on later. It needs to be built into your AI strategy from the start, just like any other business critical technology.

Start by inventorying your AI usage, both official and shadow AI. Many organisations discover they have more AI exposure than they realised. Then work through the OWASP Top 10 systematically, assessing your risks and implementing appropriate controls.

The good news is that awareness is the first step towards better security. Now that you understand these risks, you can make informed decisions about how to protect your organisation while still getting the benefits that AI can offer.

Need help securing your AI systems?

💡 Book a FREE 30‑minute consultation with me to review your AI security posture, assess vulnerabilities in your LLM deployments, and develop a comprehensive AI security strategy.

References
  1. AI chatbot security error exposes 64 million McDonald's job applicants' data | Tech.co
  2. Microsoft Exposes LLMjacking Cybercriminals Behind Azure AI Abuse Scheme | The Hacker News
  3. Copy-Paste Injection Exploit and GPT-Store Bots Leaking Pre-Prompts | Lakera
  4. LLM01:2025 Prompt Injection | OWASP Gen AI Security Project
  5. ChatGPT macOS Flaw Could've Enabled Long-Term Spyware via Memory Function | The Hacker News
  6. Exfiltration of personal information from ChatGPT via prompt injection | arXiv
  7. CVE-2024-34359 Vulnerability Threatening Your Software Supply Chain | Checkmarx
  8. AI Supply Chain Attacks Are A Pervasive Threat | Brian D. Colwell
  9. Air Canada chatbot incident | 8 Real World Incidents Related to AI
  10. GPT-Store Bots Leaking Pre-Prompts | Lakera

Share post: