OWASP LLM Top 10 — Control Map
The OWASP Top 10 for LLM Applications names the risks. This spreadsheet maps each one to the controls that close it, the lifecycle gate where each control must be in place, and the evidence required to verify it. 40 rows. Ready to paste into your AI Committee review template.
Free spreadsheet
Excel · .xlsx · 2 sheets
Download free
Enter your work email. Includes a how-to guide tab and working columns for status, owner, and gap tracking. Opens in Excel, Google Sheets, or any spreadsheet tool. You'll also receive new blog posts when they publish.
Who it's for
Security architects, AppSec leads, and AI governance teams preparing an LLM application for pilot or production review.
Use it per system — one copy per LLM application under review. It feeds directly into the control plan and evidence gap sections of a Drel clearance review.
How to use it
- 1Identify the LLM application: model, prompts, tools, data flows.
- 2Filter by Lifecycle Gate — focus on Before pilot controls first.
- 3Mark each row: Covered / Partial / Missing / Not applicable / Unknown.
- 4Assign an owner and add an evidence link where evidence exists.
- 5Treat Missing rows at the relevant gate as review blockers.
- 6Use the completed map as input to a security review or AI Committee submission.
How LLM01–LLM10 map to your architecture
The OWASP LLM Top 10 groups risks by the layer of the application stack where the attack surface lives. Each category applies differently depending on your architecture.
Layer: Input
Applies to any system that accepts untrusted user input and passes it to a model. Severity increases significantly in agentic systems with tool access.
Layer: Output
Applies when training data or context window contains sensitive information. Also covers system prompt extraction.
Layer: Model / Dependencies
Applies to any deployment using a third-party model, fine-tuning pipeline, or inference provider. Review every external dependency.
Layer: Integration
Applies only to systems with tool access or actions. The over-provisioned permissions risk — the core of the Agentic Top 10's A3 and A6.
Layer: Retrieval
Applies specifically to RAG pipelines. Controls overlap significantly with the RAG Security Checklist.
Layer: Infrastructure
Applies to any production deployment without rate limiting or cost controls. Often omitted from security reviews but is a real operational risk.
If your system uses tools, agents, or multi-step reasoning, also use the OWASP Agentic Top 10 Control Map — agentic risks are not fully covered by the LLM Top 10.
What's in the file
Seven columns per row. Each control is specific enough to assign to an owner and verify — not a category label.
| Column | Contents |
|---|---|
| Risk ID | LLM01–LLM10 per OWASP Top 10 for LLM Applications 2025 |
| Risk name | Prompt Injection, Insecure Output Handling, Training Data Poisoning… |
| Attack surface layer | Input / Output / Training / Model / Integration / Supply chain |
| Required control | Specific, actionable — not a category |
| Lifecycle gate | Before pilot / Before production / Ongoing |
| Evidence required | What you show an auditor to prove the control is working |
| Framework tags | OWASP LLM, NIST AI RMF, ISO 42001, EU AI Act article |
Sample row — LLM01 Prompt Injection
Risk ID
LLM01
Risk name
Prompt Injection
Attack surface layer
Input
Required control
System prompt and user input separated at the model gateway
Lifecycle gate
Before pilot
Evidence required
Architecture review showing gateway separation
Framework tags
OWASP, NIST AI RMF
From control map to review pack
Spreadsheets are the starting point.
This control map helps identify which LLM application controls are in place and which are missing. Drel turns that gap analysis into a guided AI security review — mapping controls to findings, generating a risk disposition, and producing a review-ready clearance record your AI Committee can approve or reject.
Frequently asked
Frequently asked questions
- Is the OWASP LLM Top 10 a compliance framework?
- No. It is a community risk taxonomy maintained by OWASP. Mapping a system against it produces design-time evidence that you considered LLM-specific risk categories. It does not by itself satisfy any regulatory or certification requirement.
- How does this differ from the OWASP Agentic Top 10?
- The LLM Top 10 covers risks in LLM applications generally — prompt injection, insecure output, training data poisoning. The Agentic Top 10 covers risks that emerge specifically from agentic behavior — tool use, delegation, lateral movement. An agentic AI system should be assessed against both.
- Is the 2025 version covered?
- Yes. The control map reflects the OWASP Top 10 for LLM Applications 2025 — including LLM07 (System Prompt Leakage), LLM08 (Vector and Embedding Weaknesses), and LLM10 (Unbounded Consumption), which evolved meaningfully from the 2023 version.
- What is a lifecycle gate?
- A lifecycle gate is the point in an LLM application's lifecycle at which a control should be in place. The control map uses three gates: before pilot, before production, and ongoing. Each control row names the gate at which it applies.
- How do I use the status columns?
- Each row has a status column (covered / partial / missing / N/A / unknown) and an owner column. Use the spreadsheet as a working tracker: fill in current status, identify gaps, assign owners, and re-review when the system changes.
- Does this replace a security review?
- No. The control map is an input to a security review, not the review itself. The review combines the control map with system-specific threat modelling, residual risk acceptance, and a clearance decision.