ResourcesSpreadsheet

OWASP LLM Top 10 — Control Map

The OWASP Top 10 for LLM Applications names the risks. This spreadsheet maps each one to the controls that close it, the lifecycle gate where each control must be in place, and the evidence required to verify it. 40 rows. Ready to paste into your AI Committee review template.

40controls
10risk categories
3lifecycle gates
5framework tags

Free spreadsheet

Excel · .xlsx · 2 sheets

Download free

Enter your work email. Includes a how-to guide tab and working columns for status, owner, and gap tracking. Opens in Excel, Google Sheets, or any spreadsheet tool. You'll also receive new blog posts when they publish.

Free. No credit card.

Who it's for

Security architects, AppSec leads, and AI governance teams preparing an LLM application for pilot or production review.

Use it per system — one copy per LLM application under review. It feeds directly into the control plan and evidence gap sections of a Drel clearance review.

How to use it

  1. 1Identify the LLM application: model, prompts, tools, data flows.
  2. 2Filter by Lifecycle Gate — focus on Before pilot controls first.
  3. 3Mark each row: Covered / Partial / Missing / Not applicable / Unknown.
  4. 4Assign an owner and add an evidence link where evidence exists.
  5. 5Treat Missing rows at the relevant gate as review blockers.
  6. 6Use the completed map as input to a security review or AI Committee submission.

How LLM01–LLM10 map to your architecture

The OWASP LLM Top 10 groups risks by the layer of the application stack where the attack surface lives. Each category applies differently depending on your architecture.

LLM01Prompt Injection

Layer: Input

Applies to any system that accepts untrusted user input and passes it to a model. Severity increases significantly in agentic systems with tool access.

LLM02Sensitive Information Disclosure

Layer: Output

Applies when training data or context window contains sensitive information. Also covers system prompt extraction.

LLM03Supply Chain

Layer: Model / Dependencies

Applies to any deployment using a third-party model, fine-tuning pipeline, or inference provider. Review every external dependency.

LLM06Excessive Agency

Layer: Integration

Applies only to systems with tool access or actions. The over-provisioned permissions risk — the core of the Agentic Top 10's A3 and A6.

LLM08Vector and Embedding Weaknesses

Layer: Retrieval

Applies specifically to RAG pipelines. Controls overlap significantly with the RAG Security Checklist.

LLM10Unbounded Consumption

Layer: Infrastructure

Applies to any production deployment without rate limiting or cost controls. Often omitted from security reviews but is a real operational risk.

If your system uses tools, agents, or multi-step reasoning, also use the OWASP Agentic Top 10 Control Map — agentic risks are not fully covered by the LLM Top 10.

What's in the file

Seven columns per row. Each control is specific enough to assign to an owner and verify — not a category label.

ColumnContents
Risk IDLLM01–LLM10 per OWASP Top 10 for LLM Applications 2025
Risk namePrompt Injection, Insecure Output Handling, Training Data Poisoning…
Attack surface layerInput / Output / Training / Model / Integration / Supply chain
Required controlSpecific, actionable — not a category
Lifecycle gateBefore pilot / Before production / Ongoing
Evidence requiredWhat you show an auditor to prove the control is working
Framework tagsOWASP LLM, NIST AI RMF, ISO 42001, EU AI Act article

Sample row — LLM01 Prompt Injection

Risk ID

LLM01

Risk name

Prompt Injection

Attack surface layer

Input

Required control

System prompt and user input separated at the model gateway

Lifecycle gate

Before pilot

Evidence required

Architecture review showing gateway separation

Framework tags

OWASP, NIST AI RMF

From control map to review pack

Spreadsheets are the starting point.

This control map helps identify which LLM application controls are in place and which are missing. Drel turns that gap analysis into a guided AI security review — mapping controls to findings, generating a risk disposition, and producing a review-ready clearance record your AI Committee can approve or reject.

Frequently asked

Frequently asked questions

Is the OWASP LLM Top 10 a compliance framework?
No. It is a community risk taxonomy maintained by OWASP. Mapping a system against it produces design-time evidence that you considered LLM-specific risk categories. It does not by itself satisfy any regulatory or certification requirement.
How does this differ from the OWASP Agentic Top 10?
The LLM Top 10 covers risks in LLM applications generally — prompt injection, insecure output, training data poisoning. The Agentic Top 10 covers risks that emerge specifically from agentic behavior — tool use, delegation, lateral movement. An agentic AI system should be assessed against both.
Is the 2025 version covered?
Yes. The control map reflects the OWASP Top 10 for LLM Applications 2025 — including LLM07 (System Prompt Leakage), LLM08 (Vector and Embedding Weaknesses), and LLM10 (Unbounded Consumption), which evolved meaningfully from the 2023 version.
What is a lifecycle gate?
A lifecycle gate is the point in an LLM application's lifecycle at which a control should be in place. The control map uses three gates: before pilot, before production, and ongoing. Each control row names the gate at which it applies.
How do I use the status columns?
Each row has a status column (covered / partial / missing / N/A / unknown) and an owner column. Use the spreadsheet as a working tracker: fill in current status, identify gaps, assign owners, and re-review when the system changes.
Does this replace a security review?
No. The control map is an input to a security review, not the review itself. The review combines the control map with system-specific threat modelling, residual risk acceptance, and a clearance decision.