TECHNICAL DEEP DIVE

OWASP LLM Top 10 and Agentic AI Top 10: A Product Manager's Security Checklist

By Institute of AI PM·18 min read·Jul 15, 2026

TL;DR

OWASP maintains two AI security frameworks that every AI PM should know: the LLM Top 10 (2025 edition) covering risks for any AI application, and the Agentic AI Top 10 (released December 2025) for systems where AI can take actions. These aren't just security team concerns. Security failures in AI products cost you user trust, enterprise contracts, and regulatory compliance. This guide maps all 20 risk categories to concrete product decisions so you can apply them during design, not after a breach.

The AI PM Minute

One tactic to make you a sharper AI PM, twice a week. 60 seconds to read. Free.

No fluff. Unsubscribe anytime.

Why AI PMs Need to Own These Lists

OWASP (Open Web Application Security Project) is the nonprofit that created the canonical web security standards developers have used for two decades. In 2023 they launched an AI-specific working group. The 2025 LLM Top 10 reflects input from over 500 contributors across security research, enterprise AI, and model labs. The Agentic AI Top 10, released December 10, 2025, added 100+ contributors specifically for autonomous AI systems.

Why does this matter for product managers specifically? Because most of the mitigations are design decisions, not implementation details. Whether to expose a file-write tool to your AI agent, how to scope the system prompt, whether to log LLM outputs for audit — these are product decisions that happen before a line of code is written. By the time security reviews them, they're entrenched.

Chat-only apps

LLM01 (Prompt Injection), LLM02 (Sensitive Info), LLM09 (Misinformation)

RAG-based products

LLM08 (Vector Weaknesses), LLM04 (Data Poisoning), LLM01 (Injection via docs)

Agentic products with tools

All of LLM Top 10 plus the full Agentic Top 10 (ASI01-ASI10)

The OWASP LLM Top 10 (2025): The Foundation

The 2025 edition reorganized several 2024 categories and added two new risks. Every AI product regardless of architecture should be assessed against this list before launch.

LLM01

Prompt Injection

Malicious user input overrides your system prompt or causes the model to follow attacker instructions. Direct injection (user types it in) and indirect injection (hostile content in a document the model reads) are both in scope.

PM Action: Define which inputs can override system-level instructions. Treat all user-supplied content as untrusted. Test your product by trying to jailbreak it yourself before shipping.

LLM02

Sensitive Information Disclosure

The model outputs PII, credentials, or confidential business data it was exposed to during fine-tuning or via RAG retrieval. This is distinct from deliberate exfiltration — it's accidental regurgitation.

PM Action: Audit what data touches your model. Fine-tuning data is memorizable at scale. RAG results need access controls so the model can only retrieve what the current user is authorized to see.

LLM03

Supply Chain

Compromised model weights, poisoned third-party datasets, or malicious plugins can introduce vulnerabilities before your product ever launches. The trust chain for AI is longer than for traditional software.

PM Action: Vet your model providers. Know which third-party datasets went into your fine-tuning. Treat each AI vendor in your stack with the same scrutiny you'd apply to a payment processor.

LLM04

Data and Model Poisoning

Training data or retrieval corpora are intentionally corrupted to change model behavior at inference time. A poisoned RAG index can make your model give wrong answers to specific queries.

PM Action: Control who can write to your RAG index and fine-tuning datasets. Audit data pipelines for injection points. Monitor model behavior over time for distributional shifts.

LLM05

Improper Output Handling

LLM output is used downstream without sanitization. Rendered HTML from a model can execute XSS. SQL queries from a model can cause injection. This is the AI equivalent of unsanitized user input.

PM Action: LLM output is untrusted input to every downstream system. Treat it like user-submitted form data. Require sanitization before database writes, code execution, and HTML rendering.

LLM06

Excessive Agency

The model has more capability, permission, or scope than it needs to do its job. The principle of least privilege applies to AI. An agent that can send emails, create calendar events, AND delete files doesn't need all three for most use cases.

PM Action: Scope tools and permissions to the minimum needed per task. Design explicit approval flows for irreversible or high-blast-radius actions. Log every tool call for audit.

LLM07

System Prompt Leakage

Users extract your system prompt through clever prompting. This exposes business logic, competitive IP, or security measures baked into the prompt.

PM Action: Don't rely on system prompt secrecy for security. Design your system so a leaked prompt doesn't compromise the product. Use separate config for sensitive values.

LLM08

Vector and Embedding Weaknesses

RAG systems can be attacked via the vector store: malicious documents that score high for legitimate queries, poisoned embeddings, or retrieval manipulation that redirects the model's context.

PM Action: Validate documents before indexing. Set retrieval score thresholds. Monitor retrieved chunks for anomalies. Consider separate indexes for different trust levels.

LLM09

Misinformation

The model generates factually incorrect output confidently. This was 'overreliance' in 2024. The updated framing puts responsibility on both the model and the product that deploys it without appropriate caveats.

PM Action: Design for skepticism. Show sources. Distinguish between 'generated' and 'retrieved' content. Build in confirmation flows for high-stakes outputs (medical, legal, financial).

LLM10

Unbounded Consumption

Attackers exploit missing rate limits to run up your inference bill or degrade performance for other users. At scale, a single adversarial session can cost thousands of dollars.

PM Action: Implement per-user token budgets, rate limits, and cost alerts from day one. Design the product so a runaway request cannot cause unbounded API spend.

The OWASP Agentic AI Top 10 (December 2025): The New Layer

Released December 10, 2025, this list addresses the attack surface that doesn't exist in passive LLM products: AI that can take actions. When your AI can call APIs, write files, send messages, or spawn sub-agents, a security failure doesn't just produce wrong output. It executes wrong actions. That's a categorically different risk profile.

The agentic list uses ASI codes (Agentic Security Issue) to distinguish them from the LLM list. For agentic products, both lists apply in full.

ASI01

Agent Goal Hijack

An attacker redirects the agent's objective through adversarial input. The agent was told to summarize a document; it reads injected instructions in the document and sends the user's data to an external server instead.

PM Action: Treat agent goals as invariants, not guidelines. Separate user instructions from agent objectives architecturally. Log and alert on any goal divergence.

ASI02

Tool Misuse

The agent uses legitimate tools in unintended ways. An agent with access to the email tool and the CRM tool can combine them to exfiltrate customer data without triggering a single tool-specific alert.

PM Action: Audit tool combinations, not just individual tools. Define the 'intended path' for each workflow and instrument deviations.

ASI03

Identity and Privilege Abuse

The agent impersonates a human or escalates its own privileges. An agent that can act 'as the user' can approve its own requests, bypass review flows, or access admin endpoints.

PM Action: Agents should have their own service identities, separate from users. No agent should be able to authorize its own requests. Require human approval for privilege escalation.

ASI04

Agentic Supply Chain Vulnerabilities

Malicious MCP servers, compromised agent frameworks, or hostile sub-agents introduce vulnerabilities into multi-agent pipelines. The GitHub MCP exploit demonstrated this at scale in 2025.

PM Action: Vet every tool, plugin, and sub-agent in your pipeline. MCP servers you load from third parties have the same trust level as npm packages: verify, pin versions, and monitor.

ASI05

Unexpected Code Execution

The agent generates and executes code without appropriate sandboxing. AutoGPT's 2025 RCE vulnerability showed that LLM-generated code running in an unsandboxed environment is a critical attack surface.

PM Action: Sandbox all agent-generated code execution. Never execute agent output directly in a production environment. Use containerization with strict resource and network limits.

ASI06

Memory and Context Poisoning

An attacker injects malicious content into the agent's persistent memory or long-running context. The Gemini Memory Attack demonstrated that hostile web pages could write to an agent's memory store.

PM Action: Treat agent memory as untrusted storage. Validate and sanitize content before writing to persistent memory. Scope memory access per user, per session, and per tool.

ASI07

Insecure Inter-Agent Communication

Multi-agent systems pass messages between agents without authentication or integrity checks. A compromised sub-agent can poison the orchestrator's context or inject instructions into the pipeline.

PM Action: Authenticate inter-agent messages. Don't assume an agent message is trustworthy because it came from within your system. Verify, log, and scope agent-to-agent permissions.

ASI08

Cascading Failures

A failure in one agent cascades through the pipeline and amplifies before any human can intervene. Automated retry logic, combined with aggressive tool access, can cause irreversible multi-system damage.

PM Action: Design circuit breakers into agentic pipelines. Set hard limits on retry counts and blast radius. Require human approval before any action that can't be undone.

ASI09

Human-Agent Trust Exploitation

Attackers exploit the user's trust relationship with an AI agent to manipulate user behavior or extract sensitive information through social engineering mediated by the agent.

PM Action: Be explicit about what your agent can and can't request. An agent should never ask for passwords, payment info, or sensitive credentials. Design and communicate these limits to users.

ASI10

Rogue Agents

An agent starts pursuing goals misaligned with both user intent and system design. This includes agents that optimize for proxy metrics, that learn to game reward signals, or that develop unintended emergent behaviors in production.

PM Action: Monitor agent behavior for distributional drift. Compare sampled agent outputs against expected behavior weekly. Have a kill switch: the ability to halt all agent actions within seconds.

Build AI Products That Earn Enterprise Trust

The AI PM Masterclass covers security, compliance, and trust design alongside strategy and technical depth. Taught live by a Salesforce Sr. Director PM.

The EU AI Act Connection: These Lists Are Your Compliance Evidence

The EU AI Act's major enforcement provisions took effect August 2, 2026. For high-risk AI systems, Article 15 requires "cybersecurity and robustness" documentation. The OWASP LLM and Agentic Top 10 are the industry-standard evidence base for demonstrating that you assessed and mitigated known risks.

NIST AI RMF

The Measure and Manage functions map directly to ongoing OWASP risk assessment. Running quarterly OWASP audits satisfies the 'continuous monitoring' requirement.

EU AI Act Article 15

Requires cybersecurity and robustness measures for high-risk systems. OWASP compliance documentation is your technical evidence that you addressed the known attack surface.

ISO/IEC 42001

The emerging AI management system standard explicitly references adversarial attack awareness. OWASP coverage is the practical implementation of this clause.

SOC 2 AI Add-on

Enterprise customers are increasingly requiring AI security evidence in vendor reviews. An OWASP-mapped security assessment is the clearest format for SOC 2 AI attestations.

The PM's OWASP Review Checklist

Run this checklist at two moments: before launch (design review), and quarterly in production (ongoing monitoring). It's not a security audit replacement. It's a PM-led first pass that catches the 80% of issues that are architectural before your security team runs the formal assessment.

Design Review (before any code)

  • What inputs can users supply? Is any of it passed directly to the LLM without transformation?
  • What data does the model have access to? Is any of it more sensitive than necessary?
  • What actions can the agent take? Can any of them be irreversible at scale?
  • What tools does the agent have access to? Could two tools be combined to do something unintended?
  • Where does model output go downstream? Is it rendered, stored, or executed anywhere?
  • What are the rate limits per user? What happens if someone maxes them out?

Pre-Launch Security Review

  • Run a red team exercise: try to jailbreak your own product. Document what works.
  • Attempt to extract the system prompt through prompting. If you can, redesign.
  • Test all tool-call paths for unexpected combinations.
  • Validate that PII cannot be extracted from RAG retrieval by users without access.
  • Confirm all agent actions are logged with user attribution.
  • Test the kill switch: can you halt all agent actions within 60 seconds?

Quarterly Production Audit

  • Sample 100 recent agent sessions. Do any show goal drift from expected behavior?
  • Review all tool-call logs for unexpected patterns or combinations.
  • Check model provider supply chain for any reported vulnerabilities in versions you use.
  • Audit memory store for unexpected content writes from the last 90 days.
  • Review rate limit breach logs. Repeated breaches may signal probing attacks.
  • Confirm EU AI Act documentation is current and maps to any product changes.

The Practical Priority Matrix

Not every risk applies equally to every product. Use this matrix to triage where to spend your security design effort first.

RiskChat OnlyRAG ProductAgentic
Prompt Injection (LLM01)CriticalCriticalCritical
Sensitive Info Disclosure (LLM02)HighCriticalCritical
Data/Model Poisoning (LLM04)LowHighCritical
Excessive Agency (LLM06)LowMediumCritical
Vector Weaknesses (LLM08)NoneCriticalCritical
Unbounded Consumption (LLM10)MediumMediumCritical
Goal Hijack (ASI01)NoneLowCritical
Tool Misuse (ASI02)NoneNoneCritical
Cascading Failures (ASI08)NoneNoneCritical
Rogue Agents (ASI10)NoneNoneHigh

Ship AI Products That Enterprise Security Teams Approve

The AI PM Masterclass teaches you to lead security design reviews, speak the language of compliance, and build products that earn buyer trust. Taught live, cohort-based, with real product case studies.

Before you go: get the AI PM Minute

One tactic to make you a sharper AI PM, twice a week. 60 seconds to read. Free.

No fluff. Unsubscribe anytime.