AIUC-1 × OWASP Top 10 for LLM Applications
The OWASP Top 10 for LLM Applications is a curated list of the most critical security threats to LLM and generative AI systems.
AIUC-1 integrates OWASP's Top 10 for LLM and Generative AI. Certification against AIUC-1:
Addresses Top Ten threats in requirements and controls
Strengthens robustness against the threats identified with concrete requirements and controls
Goes beyond OWASP's focus on security alone
OWASP Top 10 crosswalks by threat
LLM01:25 - Prompt Injection
This manipulates a large language model (LLM) through crafty inputs, causing unintended actions by the LLM. Direct injections overwrite system prompts, while indirect ones manipulate inputs from external sources.
LLM02:25 - Sensitive Information Disclosure
Sensitive info in LLMs includes PII, financial, health, business, security, and legal data. Proprietary models face risks with unique training methods and source code, critical in closed or foundation models.
LLM03:25 - Supply Chain
LLM supply chains face risks in training data, models, and platforms, causing bias, breaches, or failures. Unlike traditional software, ML risks include third-party pre-trained models and data vulnerabilities.
LLM04:25 - Data and Model Poisoning
Data poisoning manipulates pre-training, fine-tuning, or embedding data, causing vulnerabilities, biases, or backdoors. Risks include degraded performance, harmful outputs, toxic content, and compromised downstream systems.
LLM05:25 - Improper Output Handling
Improper Output Handling involves inadequate validation of LLM outputs before downstream use. Exploits include XSS, CSRF, SSRF, privilege escalation, or remote code execution, which differs from Overreliance.
LLM06:25 - Excessive Agency
LLM systems gain agency via extensions, tools, or plugins to act on prompts. Agents dynamically choose extensions and make repeated LLM calls, using prior outputs to guide subsequent actions for dynamic task execution.
LLM07:25 - System Prompt Leakage
System prompt leakage occurs when sensitive info in LLM prompts is unintentionally exposed, enabling attackers to exploit secrets. These prompts guide model behavior but can unintentionally reveal critical data.
LLM08:25 - Vector and Embedding Weaknesses
Vectors and embeddings vulnerabilities in RAG with LLMs allow exploits via weak generation, storage, or retrieval. These can inject harmful content, manipulate outputs, or expose sensitive data, posing significant security risks.
LLM09:25 - Misinformation
LLM misinformation occurs when false and credible outputs mislead users, risking security breaches, reputational harm, and legal liability, making it a critical vulnerability for reliant applications.
LLM10:25 - Unbounded Consumption
Unbounded Consumption occurs when LLMs generate outputs from inputs, relying on inference to apply learned patterns and knowledge for relevant responses or predictions, making it a key function of LLMs.