When we talk about building with AI, security is often mentioned, yet it is too often treated as an afterthought. But it shouldn't be this way.

We should prioritize security from day 1, starting with the OWASP Top 10 list.

What is OWASP?

OWASP (Open Web Application Security Project) is known for its "top 10" lists of the most critical security risks for web applications.

SQL injection, cross-site scripting, broken authentication. As developers, we learned those risks, mitigated them, and moved on.

LLM Security Vulnerabilities

AI changes the classic way of thinking about security compared to traditional software. We cannot just patch a vulnerability and call it a day. LLMs can be manipulated through clever text inputs. They can leak sensitive data. They can produce harmful outputs.

The attack surface and the risks are different.

  1. Prompt Injection: attackers craft inputs that trick the AI into ignoring its instructions, like an SQL injection, but for conversations.
  2. Sensitive Information Disclosure: the LLM accidentally reveals private data from its training or context.
  3. Insecure Output Handling: AI-generated content that is not properly validated can lead to code-execution vulnerabilities.
  4. Excessive Agency: giving the AI too much power to take actions without proper safeguards.

Agentic AI Challenges

In December 2025, OWASP released a new list. This time specifically for agentic AI systems. These are not simple chatbots. These are AI agents that act autonomously: they use tools, browse the web, execute code, and collaborate with other agents.

Let's think of the difference this way: a chatbot simply answers our questions, but an agent can write, for example, code on our behalf.

Here is the OWASP Top 10:

  1. Agent Goal Hijack: attackers redirect agent objectives by manipulating instructions or injecting malicious content
  2. Tool Misuse and Exploitation: agents misuse legitimate tools due to prompt injection or unsafe delegation
  3. Identity and Privilege Abuse: attackers exploit inherited credentials, delegated permissions, or agent-to-agent trust
  4. Agentic Supply Chain Vulnerabilities: malicious or tampered tools, models, or agent components compromise execution
  5. Unexpected Code Execution (RCE): agents generate or execute attacker-controlled code
  6. Memory & Context Poisoning: persistent corruption of agent memory, knowledge bases, or contextual data
  7. Insecure Inter-Agent Communication: spoofed messages between agents misdirect entire systems
  8. Cascading Failures: small errors compound across multi-step agent chains, causing system-wide problems
  9. Human-Agent Trust Exploitation: attackers exploit human tendency to over-trust AI outputs
  10. Rogue Agents: compromised or misaligned agents diverge from intended behavior

Source: OWASP Top 10 for Agentic Applications 2026

The Principle of Least Agency

OWASP introduces a simple but powerful concept: give agents only the minimum power they need.

We must not grant broad permissions "just in case." If an agent only needs to read files, we must not give it write access. This limits the damage when something goes wrong. And in security, something always goes wrong.

Conclusion

Here is my advice list:

  • Read the official OWASP lists.
  • Thoroughly check the permissions your AI tools currently have.
  • Implement input validation and output filtering.
  • Monitor your agents for unusual behavior.

To conclude: Security is not an option. It is part of our craft.

Sources: