OWASP LLM Top 10 — Control Map
The OWASP Top 10 for LLM Applications names the risks. This spreadsheet maps each one to the controls that close it, the lifecycle gate where each control must be in place, and the evidence required to verify it. 40 rows. Ready to paste into your AI Committee review template.
Free spreadsheet
Excel · .xlsx · 2 sheets
Includes a how-to guide tab and working columns for status, owner, and gap tracking. Opens in Excel, Google Sheets, or any spreadsheet tool.
Who it's for
Security architects, AppSec leads, and AI governance teams preparing an LLM application for pilot or production review.
Use it per system — one copy per LLM application under review. It feeds directly into the control plan and evidence gap sections of a Drel clearance review.
How to use it
1. Identify the LLM application: model, prompts, tools, data flows.
2. Filter by Lifecycle Gate — focus on Before pilot controls first.
3. Mark each row: Covered / Partial / Missing / Not applicable / Unknown.
4. Assign an owner and add an evidence link where evidence exists.
5. Treat Missing rows at the relevant gate as review blockers.
6. Use the completed map as input to a security review or AI Committee submission.
What's in the file
Seven columns per row. Each control is specific enough to assign to an owner and verify — not a category label.
| Column | Contents |
|---|---|
| Risk ID | LLM01–LLM10 per OWASP Top 10 for LLM Applications 2025 |
| Risk name | Prompt Injection, Insecure Output Handling, Training Data Poisoning… |
| Attack surface layer | Input / Output / Training / Model / Integration / Supply chain |
| Required control | Specific, actionable — not a category |
| Lifecycle gate | Before pilot / Before production / Ongoing |
| Evidence required | What you show an auditor to prove the control is working |
| Framework tags | OWASP LLM, NIST AI RMF, ISO 42001, EU AI Act article |
Sample row — LLM01 Prompt Injection
| Column | Value |
|---|---|
| Risk ID | LLM01 |
| Risk name | Prompt Injection |
| Attack surface layer | Input |
| Required control | System prompt and user input separated at the model gateway |
| Lifecycle gate | Before pilot |
| Evidence required | Architecture review showing gateway separation |
| Framework tags | OWASP, NIST AI RMF |
From control map to review pack
Spreadsheets are the starting point.
This control map helps identify which LLM application controls are in place and which are missing. Drel turns that gap analysis into a guided AI security review — mapping controls to findings, generating a risk disposition, and producing a review-ready dossier your AI Committee can actually approve or reject.
Frequently asked questions
- Is the OWASP LLM Top 10 a compliance framework?
- No. It is a community risk taxonomy maintained by OWASP. Mapping a system against it produces design-time evidence that you considered LLM-specific risk categories. It does not by itself satisfy any regulatory or certification requirement.
- How does this differ from the OWASP Agentic Top 10?
- The LLM Top 10 covers risks in LLM applications generally — prompt injection, insecure output, training data poisoning. The Agentic Top 10 covers risks that emerge specifically from agentic behavior — tool use, delegation, lateral movement. An agentic AI system should be assessed against both.
- Is the 2025 version covered?
- Yes. The control map reflects the OWASP Top 10 for LLM Applications 2025 — including LLM07 (System Prompt Leakage), LLM08 (Vector and Embedding Weaknesses), and LLM10 (Unbounded Consumption), which evolved meaningfully from the 2023 version.
- What is a lifecycle gate?
- A lifecycle gate is the point in an LLM application's lifecycle at which a control should be in place. The control map uses three gates: before pilot, before production, and ongoing. Each control row names the gate at which it applies.
- How do I use the status columns?
- Each row has a status column (covered / partial / missing / N/A / unknown) and an owner column. Use the spreadsheet as a working tracker: fill in current status, identify gaps, assign owners, and re-review when the system changes.
- Does this replace a security review?
- No. The control map is an input to a security review, not the review itself. The review combines the control map with system-specific threat modelling, residual risk acceptance, and a clearance decision.