UnifAI Policies
UnifAI policies are your built-in guardrails for AI security and compliance. Instead of manually tracking complex regulations, UnifAI automates policy enforcement across your AI ecosystem, so you can innovate without risk.
Every policy is mapped to global standards like OWASP and EU AI Act, ensuring your AI systems stay compliant and resilient.
Lineaje Policies
Lineaje provides out-of-the-box policies across four categories:
AI Threats and Exploits
Data Security and Privacy
Identity and Access Control
Vulnerability
In UnifAI, enter the prompt View all policies to see your AI Assets.
AI Threats and Exploits
Blocks prompt injection, adversarial inputs, and unsafe model behavior before they reach your AI apps.
Do not allow malicious content via hidden prompts
AI_APP_SEC_001
Violation Summary
Hidden or non-visible prompts detected in the system introduce risks of prompt injection, bypass of safety controls, and untraceable model behavior.
Affected Assets
LLM
AI Agent
Severity
Critical
Technical Details
Hidden prompts introduce several risks including:
Undetectable prompt injection
Unpredictable, unsafe or incorrect output
Bypass safety and governance controls
Unsafe or inconsistent agent behavior
Regulatory and Ethical exposure
Attack Vector: Prompt
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Confidentially Impact: High
Integrity Impact: High
Availability Impact: Low
Framework
Nov 18, 2024 - OWASP-LLM: LLM01, LLM02, LLM04, LLM08
March 2025 - OWASP-ASI: ASI-01, ASI-04, ASI-07, ASI-09
Aug 1, 2024 - EU AI Act: 1.11, 2.12, 3.13, 4.50
References
https://genai.owasp.org/llm-top-10/
https://genai.owasp.org/initiatives/agentic-security-initiative/
Do not allow malicious content via encoded prompts
AI_APP_SEC_002
Violation Summary
Encoded prompts are instructions hidden inside obfuscated text, Base64, hex, zero-width characters, steganographic patterns, metadata, or structured payloads. They allow attackers or internal actors to bypass oversight, evade filters, or manipulate an AI system without detection.
Affected Assets
LLM
AI Agent
Severity
Critical
Technical Details
Hidden prompts introduce several risks including:
Invisible prompt injection leading to unauthorized system behavior
Safety bypass (toxicity, policy evasion, jailbreaks)
Leakage of sensitive data or internal system instructions
Corruption of downstream workflows due to manipulated outputs
Violations of transparency, record-keeping, and explainability requirements
Attack Vector: Prompt
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Confidentially Impact: High
Integrity Impact: High
Availability Impact: Low
Framework
Nov 18, 2024 - OWASP-LLM: LLM01, LLM04, LLM05, LLM08
March 2025 - OWASP-ASI: ASI-01, ASI-04, ASI-07, ASI-09
Aug 1, 2024 - EU AI Act: 1.11, 2.12, 3.13, 4.50
References
https://genai.owasp.org/llm-top-10/
https://genai.owasp.org/initiatives/agentic-security-initiative/
Use only LLMs from the organization’s approved list
AI_APP_SEC_006
Violation Summary Using an LLM that is not on the organization’s approved list introduces uncontrolled security, privacy, compliance, and operational risks. Unapproved LLMs may have unknown data handling practices, insufficient security controls, unclear training or retention policies, weak contractual protections, or unvetted model behavior. This bypasses governance, procurement, and risk management processes, exposing the organization to data leakage, regulatory violations, vendor lock-in, and unpredictable AI behavior across agentic and automated workflows.
Affected Assets
LLM
AI Agent
Severity
High/Critical
Technical Details
Using an unapproved LLM introduces several risks including:
Uncontrolled processing, retention, or reuse of sensitive data and prompts
Unknown security posture, access controls, and logging practices
Potential training on proprietary or regulated data without consent
Incompatibility with organizational guardrails, monitoring, or audit tooling
Increased exposure to prompt injection, data leakage, or unsafe outputs
Breach of contractual, legal, or regulatory obligations
Loss of centralized governance, visibility, and incident response capability
Attack Vector: LLM selection / API usage outside approved platforms Attack Complexity: Low Privileges Required: None User Interaction: None Confidentiality Impact: Critical Integrity Impact: High Availability Impact: Medium (instability or service changes)
Frameworks
Nov 18, 2024 – OWASP-LLM: LLM03, LLM05, LLM08 March 2025 – OWASP-ASI: ASI-04, ASI-05, ASI-09, ASI-12 Aug 1, 2024 – EU AI Act: Articles 11, 12, 13, 50, obligations for GPAI risk management and provider accountability
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
MCP server must validate and sanitize all input
AI_APP_SEC_014
Violation Summary
If an MCP server accepts input from clients, agents, or LLMs without validation or sanitization, it becomes vulnerable to malformed payloads, injection attacks, unauthorized tool invocation, unsafe command execution, and data corruption. Because MCP servers often expose high-privilege operations (file access, API calls, system actions), unvalidated input can be weaponized to manipulate workflows, escalate privileges, or deliver malicious instructions that compromise both the server environment and downstream systems.
Affected Assets
MCP Server
Severity
Critical
Input Validation
Validation ensures that input conforms to expected structure, type, length, format, and policy constraints before it is processed by the LLM. It answers the question if the input is allowed to be processed.
Examples of Validation
Rejecting prompts longer than a defined maximum length
Enforcing schema compliance (e.g., JSON with specific fields only)
Blocking inputs containing disallowed patterns (e.g., ignore previous instructions, system override)
Restricting input sources to authenticated or trusted origins
Ensuring prompts match an approved task or intent category
Input Sanitization
Sanitization transforms input to remove, neutralize, or normalize unsafe elements while preserving legitimate intent. Sanitization ensures that the input is made safe before processing.
Examples of Sanitization
Normalizing Unicode to remove obfuscation (e.g., leetspeak, homoglyphs)
Stripping zero-width or invisible characters
Decoding and inspecting encoded content (Base64, hex) before use
Escaping or isolating untrusted text so it cannot be interpreted as instructions
Removing or redacting sensitive data (PII, secrets)
Technical Details
Not validating or sanitizing MCP server input introduces several risks including:
Injection of malicious commands, payloads, or structured data into tools or system functions
Execution of unsafe or hallucinated instructions originating from LLM output
Unauthorized access or misuse of server-side capabilities and sensitive APIs
Corruption of data, resources, or operational workflows through malformed input
Increased attack surface for prompt-to-system escalation attacks
Loss of governance, auditability, and explainability of server-driven actions
Violations of integrity, safety, and regulatory obligations for high-risk functions
Attack Vector: MCP client → server input channel Attack Complexity: Low Privileges Required: None User Interaction: None Confidentiality Impact: High Integrity Impact: Critical Availability Impact: Medium to High (depending on server capabilities)
Timeline
Nov 18, 2024 – OWASP-LLM: LLM01 (Prompt/Instruction Injection), LLM04 (Behavior Manipulation), LLM05 (Sensitive Information Disclosure), LLM06 (Hallucination Risks), LLM08 (Transparency & Audit Failures)
March 2025 – OWASP-ASI: ASI-01 (Input/Output Integrity), ASI-05 (Safe Handling), ASI-07 (Reliability), ASI-09 (Traceability), ASI-12 (Operational Monitoring)
Aug 1, 2024 – EU AI Act: Articles 11 (Documentation), 12 (Record-Keeping), 13 (Transparency), 50 (Transparency Obligations), plus Annex III robustness & safety requirements
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
MCP clients must log all interactions with the MCP server
AI_APP_SEC_022
Violation Summary A missing or incomplete logging mechanism between the MCP client and MCP server creates a critical visibility and governance gap. MCP interactions often trigger high-privilege actions (tool execution, data access, workflow modification). Without proper logs, misuse, anomalies, attacks, or unauthorized system changes cannot be detected, investigated, or attributed. This results in opaque AI behavior, broken audit trails, and non-compliance with required traceability and transparency obligations.
Affected Assets
MCP Client
MCP Server
Severity
Critical
Technical Details
Failure to log MCP interactions introduces several risks including:
Undetectable misuse or abuse of MCP server tools
Inability to perform forensic investigation during an incident
Loss of accountability for AI-driven actions and decisions
Exposure to covert prompt injection or unauthorized system manipulation
Violations of traceability, transparency, and record-keeping requirements
Difficulty detecting anomalous behavior or lateral movement
Corruption of downstream workflows due to hidden actions
Attack Vector: MCP tool invocation / API interaction Attack Complexity: Low Privileges Required: None, when exploited via LLM-driven tool calls. User Interaction: None Confidentiality Impact: High Integrity Impact: High Availability Impact: Low
Framework
Nov 18, 2024 – OWASP-LLM: LLM01, LLM04, LLM05, LLM08 March 2025 – OWASP-ASI: ASI-01, ASI-04, ASI-07, ASI-09 Aug 1, 2024 – EU AI Act: 1.11, 2.12, 3.13, 4.50
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
Client must validate and sanitize any output from a MCP server
AI_APP_SEC_023
Violation Summary
When an MCP client consumes output from an MCP server without validation or sanitization, it exposes the AI system and downstream components to malformed data, malicious payloads, injection attacks, hallucinated instructions, and unsafe tool execution. MCP server output may include structured data, commands, untrusted text, or model-generated content. Without safeguards, unvalidated output can drive unsafe automated actions, corrupt workflows, or leak sensitive information.
Affected Assets
AI Agent
MCP Client
Severity
Critical
Input Validation
Validation ensures that input conforms to expected structure, type, length, format, and policy constraints before it is processed by the LLM. It answers the question if the input is allowed to be processed.
Examples of validation
Rejecting prompts longer than a defined maximum length
Enforcing schema compliance (e.g., JSON with specific fields only)
Blocking inputs containing disallowed patterns (e.g., ignore previous instructions, system override)
Restricting input sources to authenticated or trusted origins
Ensuring prompts match an approved task or intent category
Input Sanitization
Sanitization transforms input to remove, neutralize, or normalize unsafe elements while preserving legitimate intent. Sanitization ensures that the input is made safe before processing.
Examples of sanitization
Normalizing Unicode to remove obfuscation (e.g., leetspeak, homoglyphs)
Stripping zero-width or invisible characters
Decoding and inspecting encoded content (Base64, hex) before use
Escaping or isolating untrusted text so it cannot be interpreted as instructions
Removing or redacting sensitive data (PII, secrets)
Affected Assets
AI Agent
MCP Client
Technical Details
Lack of output validation introduces several risks including:
Execution of harmful or unintended actions triggered by malformed MCP output
Injection of unsafe code, commands, or control sequences into downstream systems
Propagation of hallucinated, incorrect, or manipulated data
Leakage of sensitive information through unfiltered server responses
Corruption of business workflows or agent decision chains
Evasion of safety controls due to unmonitored tool responses
Violations of auditability, reliability, and compliance requirements
Attack Vector: MCP response / server-generated output Attack Complexity: Low Privileges Required: None User Interaction: None Confidentiality Impact: High Integrity Impact: High Availability Impact: Medium (via cascading workflow corruption)
Timeline
Nov 18, 2024 – OWASP-LLM: LLM01, LLM03, LLM04, LLM06, LLM08
March 2025 – OWASP-ASI: ASI-01, ASI-05, ASI-07, ASI-09
Aug 1, 2024 – EU AI Act: 1.11, 2.12, 3.13, 4.50
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
Do not use LLMs from the organization's disallowed list
AI_APP_SEC_028
Violation Summary Using an LLM that is explicitly on the organization’s block list represents a deliberate bypass of governance, security, and risk controls. Block-listed LLMs are typically prohibited due to known deficiencies such as unsafe data handling, unacceptable training or retention practices, lack of contractual protections, regulatory exposure, weak security posture, or demonstrated unsafe behavior. Their use introduces severe security, privacy, compliance, and reputational risks and undermines centralized AI governance.
Affected Assets
LLM
AI Agent
Severity
Critical
Technical Details
Using a block-listed LLM introduces several risks including:
Known or previously identified data leakage, retention, or misuse risks
Exposure of sensitive, proprietary, or regulated data to untrusted providers
Circumvention of organizational security, legal, and compliance controls
Lack of auditability, logging, or incident response visibility
Increased likelihood of unsafe, biased, or non-compliant model behavior
Breach of regulatory, contractual, or internal policy obligations
Loss of trust in AI governance and enforcement mechanisms
Attack Vector: Unauthorized LLM selection / direct API or UI usage Attack Complexity: Low Privileges Required: None User Interaction: None Confidentiality Impact: Critical Integrity Impact: High Availability Impact: Medium
Frameworks
Nov 18, 2024 – OWASP-LLM: LLM03, LLM05, LLM08
March 2025 – OWASP-ASI: ASI-04, ASI-05, ASI-09, ASI-12
Aug 1, 2024 – EU AI Act: Articles 11, 12, 13, 50, GPAI risk-management and provider accountability requirements
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
Agent must validate, sanitize LLM output including for presence of eval or any dynamic code execution primitive in LLM output
AI_APP_SEC_029
Affected Assets
AI Agent
Severity
Critical
Violation Summary
When LLM outputs are consumed without validation or sanitization, the system becomes vulnerable to unsafe instructions, hallucinated commands, malicious payloads, and untrusted code. This risk becomes critical when the LLM output may contain eval, shell commands, SQL statements, or other dynamic execution primitives. If such outputs pass directly into an interpreter, agent tool, or workflow engine, they can lead to arbitrary code execution, data exfiltration, workflow corruption, or full system compromise.
Input Validation
Validation ensures that input conforms to expected structure, type, length, format, and policy constraints before it is processed by the LLM. It answers the question if the input is allowed to be processed.
Examples of Validation
Rejecting prompts longer than a defined maximum length
Enforcing schema compliance (e.g., JSON with specific fields only)
Blocking inputs containing disallowed patterns (e.g., ignore previous instructions, system override)
Restricting input sources to authenticated or trusted origins
Ensuring prompts match an approved task or intent category
Input Sanitization
Sanitization transforms input to remove, neutralize, or normalize unsafe elements while preserving legitimate intent. Sanitization ensures that the input is made safe before processing.
Examples of Sanitization
Normalizing Unicode to remove obfuscation (e.g., leetspeak, homoglyphs)
Stripping zero-width or invisible characters
Decoding and inspecting encoded content (Base64, hex) before use
Escaping or isolating untrusted text so it cannot be interpreted as instructions
Removing or redacting sensitive data (PII, secrets)
Affected Assets
AI Agent
Technical Details
Failure to validate LLM output introduces several risks including:
Accidental or malicious execution of model-generated code (e.g., eval, exec, Function, subprocess calls)
Injection of harmful commands or payloads into tools, agents, or downstream applications
Execution of hallucinated instructions that modify resources, corrupt data, or trigger destructive operations
Leakage of internal or sensitive information through improperly filtered responses
Exploitation of agents that automatically convert LLM output into actions (“AI code injection”)
Loss of safety, explainability, reliability, and auditability in automated pipelines
Violations of governance, logging, and traceability requirements
Attack Vector: LLM output → downstream interpreter / agent tool Attack Complexity: Low (LLM can be tricked into generating dangerous primitives) Privileges Required: None User Interaction: None (fully autonomous execution paths are most at risk) Confidentiality Impact: High Integrity Impact: Critical Availability Impact: Medium to High
Timeline
Nov 18, 2024 – OWASP-LLM: LLM01, LLM03, LLM04, LLM06, LLM08
March 2025 – OWASP-ASI: ASI-01, ASI-05, ASI-07, ASI-09, ASI-12
Aug 1, 2024 – EU AI Act: 1.11, 2.12, 3.13, 4.50
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
Do not allow malicious content via hidden prompts written in leetspeak
AI_APP_SEC_032
Violation Summary Allowing prompts written in leetspeak (e.g., h4x0r, 3v4l, 1nj3ct, byp4ss) or similar obfuscated language enables attackers to evade input validation, safety filters, and policy enforcement mechanisms. Leetspeak transforms malicious intent into visually altered but semantically equivalent text, allowing prompt injection, jailbreak attempts, encoded instructions, and policy bypasses to slip past keyword-based detection and moderation layers. This weakens the integrity and reliability of LLM-driven systems, especially in agentic and autonomous workflows.
Affected Assets
LLM
AI Agent
Severity
Critical
Technical Details
Allowing leetspeak introduces several risks including:
Bypass of keyword-based safety, moderation, and policy filters
Injection of malicious or unsafe instructions disguised as benign input
Increased success of encoded or obfuscated prompt attacks
Manipulation of agent reasoning or tool invocation logic
Reduced auditability and explainability due to obfuscated intent
Amplification of downstream risks when leetspeak-generated outputs drive actions
Attack Vector: LLM input prompt (user, agent, or external system) Attack Complexity: Low Privileges Required: None User Interaction: None (especially in automated or agent-driven scenarios) Confidentiality Impact: High Integrity Impact: High to Critical Availability Impact: Low
Reference Frameworks
Nov 18, 2024 – OWASP-LLM: LLM01, LLM04, LLM06, LLM08
March 2025 – OWASP-ASI: ASI-01, ASI-04, ASI-07, ASI-09), ASI-12
Aug 1, 2024 – EU AI Act: Articles 11, 12, 13, 50, plus Annex III robustness and risk-management requirements
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
MCP server must not interact directly with an LLM
AI_APP_SEC_033
Violation Summary When an MCP server directly interacts with an LLM—rather than operating only through an authenticated, validated, policy-enforcing MCP client—it collapses the trust boundary between system capabilities and untrusted model output. This allows an LLM to influence, manipulate, or trigger server-side actions without authorization or validation. Direct LLM-to-server interaction bypasses safety controls, authentication layers, input validation, output filtering, logging standards, and audit requirements. This exposes the environment to unbounded prompt injection, unsafe tool execution, data leakage, and full-system compromise.
Affected Assets
LLM
MCP Server
Severity
Critical
Technical Details Allowing an MCP server to directly interact with an LLM introduces several risks including:
Execution of unsafe, hallucinated, or malicious LLM-generated instructions on high-privilege server tools
Prompt injection attacks gaining direct access to server capabilities
Bypassing client-side authentication, authorization, validation, and logging layers
Data leakage through uncontrolled LLM requests or responses
Inability to enforce least-privilege and zero-trust boundaries between model and system operations
Loss of auditability because actions occur without the MCP client as an intermediary
Violations of governance, safety, and regulatory obligations for high-risk AI systems
Attack Vector: LLM output → server action path Attack Complexity: Low Privileges Required: None User Interaction: None Confidentiality Impact: High Integrity Impact: Critical Availability Impact: Medium to High
Framework
Nov 18, 2024 – OWASP-LLM: LLM01 (Prompt/Instruction Injection), LLM04 (Behavior Manipulation), LLM05 (Data Disclosure), LLM06 (Hallucination Risks), LLM08 (Transparency & Audit Failures)
Mar 2025 – OWASP-ASI: ASI-01 (Input/Output Integrity), ASI-04 (Governance), ASI-05 (Safe Handling), ASI-09 (Traceability), ASI-12 (Monitoring)
Aug 1, 2024 – EU AI Act: Articles 11 (Documentation), 12 (Record-Keeping), 13 (Transparency), 50 (Transparency Obligations), plus Annex III robustness & safety controls for high-risk systems
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
Clear exit or termination criteria must exist for the agent to consider its task complete and stop executing
AI_APP_SEC_034
Violation Summary When an AI agent is not given explicit, enforceable exit or termination criteria, it may continue executing indefinitely, escalate actions beyond intended scope, repeatedly invoke tools, consume excessive compute, or enter unsafe operational loops. Lack of defined stopping conditions increases the risk of runaway behavior, unintended system modifications, resource exhaustion, privacy violations, and unbounded interaction with external systems or MCP tools. Agents without termination logic become unpredictable, ungovernable, and potentially harmful.
Affected Assets
AI Agent
Severity
High/Critical
Technical Details Missing termination criteria introduces several risks including:
Infinite or runaway task execution that triggers unnecessary or harmful actions
Repeated tool invocation (MCP or external APIs), leading to data exposure or workflow corruption
Accidental escalation of privileges as the agent searches endlessly for ways to complete the task
Hallucination-driven decisions due to self-reinforcing reasoning loops
Excessive resource consumption or uncontrolled cost
Increased attack surface for prompt injection that pushes the agent into unsafe recursive behavior
Violations of safety, oversight, and accountability requirements
Attack Vector: Agent reasoning cycle / task execution loop Attack Complexity: Low Privileges Required: None User Interaction: None Confidentiality Impact: Medium to High (depending on tool access) Integrity Impact: High Availability Impact: Medium to High
Framework
Nov 18, 2024 – OWASP-LLM: LLM01 (Injection), LLM04 (Behavior Manipulation), LLM06 (Hallucination Risks), LLM08 (Transparency & Audit Failures)
Mar 2025 – OWASP-ASI: ASI-01 (Integrity), ASI-04 (Governance), ASI-07 (Reliability), ASI-09 (Traceability), ASI-12 (Monitoring)
Aug 1, 2024 – EU AI Act: Articles 11 (Documentation), 12 (Record-Keeping), 13 (Transparency), 50 (Transparency Obligations), Annex III requirements for safe, predictable operation of high-risk systems
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
Agents must log all interactions with an LLM
AI_APP_SEC_035
Violation Summary If agents do not log their interactions with an LLM, including prompts, responses, tool requests, and reasoning triggers, organizations lose visibility into how decisions were made, what data was exchanged, and whether harmful or unauthorized actions occurred. Missing LLM interaction logs break auditability, hinder incident response, obscure the source of incorrect or unsafe outputs, and prevent compliance verification. Lack of logging also enables attackers to exploit the agent–LLM channel without detection.
Affected Assets
LLM
AI Agent
Severity
Critical
Technical Details Not logging agent ↔LLM interactions introduces several risks including:
Inability to reconstruct how the agent reached a decision or triggered an action
Loss of forensic evidence needed for incident response or regulatory review
Undetected prompt injection, harmful outputs, or unsafe tool invocations
Unmonitored leakage of sensitive data or PII through prompts or responses
Difficulty identifying hallucination-driven failures or behavioral drift
Loss of traceability required for governance, transparency, and safety assurance
Violations of logging, documentation, and accountability requirements
Attack Vector: Agent ↔ LLM communication channel Attack Complexity: Low Privileges Required: None User Interaction: None Confidentiality Impact: High Integrity Impact: High Availability Impact: Low
Framework
Nov 18, 2024 – OWASP-LLM: LLM01 (Injection), LLM03 (Data Leakage), LLM04 (Behavior Manipulation), LLM08 (Transparency & Audit Failures)
Mar 2025 – OWASP-ASI: ASI-01 (Integrity), ASI-05 (Data Handling), ASI-09 (Traceability), ASI-12 (Monitoring)
Aug 1, 2024 – EU AI Act: Articles 11 (Documentation), 12 (Record-Keeping), 13 (Transparency), 50 (Transparency Obligations), with Annex III traceability requirements for high-risk systems
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
The AI Model must validate and sanitize any input before processing
AI_APP_SEC_038
Violation Summary
When AI Model accepts input without proper validation and sanitization, it becomes highly susceptible to prompt injection, encoded or hidden instructions, malicious payloads, and adversarial manipulation. Unsanitized inputs—originating from users, agents, tools, MCP servers, or external systems—can override system instructions, bypass guardrails, contaminate reasoning, and trigger unsafe downstream actions. This risk is amplified in agentic and tool-enabled environments where AI Model output directly influences real systems.
Affected Assets
LLM
Severity
Critical
Input Validation
Validation ensures that input conforms to expected structure, type, length, format, and policy constraints before it is processed by the AI Model. It answers the question if the input is allowed to be processed.
Examples of Validation
Rejecting prompts longer than a defined maximum length
Enforcing schema compliance (e.g., JSON with specific fields only)
Blocking inputs containing disallowed patterns (e.g., ignore previous instructions, system override)
Restricting input sources to authenticated or trusted origins
Ensuring prompts match an approved task or intent category
Input Sanitization
Sanitization transforms input to remove, neutralize, or normalize unsafe elements while preserving legitimate intent. Sanitization ensures that the input is made safe before processing.
Examples of Sanitization
Normalizing Unicode to remove obfuscation (e.g., leetspeak, homoglyphs)
Stripping zero-width or invisible characters
Decoding and inspecting encoded content (Base64, hex) before use
Escaping or isolating untrusted text so it cannot be interpreted as instructions
Removing or redacting sensitive data (PII, secrets)
Affected Assets
LLM
Technical Details
Failure to validate and sanitize AI Model input introduces several risks including:
Prompt injection that overrides system and developer intent
Encoded, obfuscated, or hidden instructions bypassing safety controls
Injection of malicious content that manipulates tool usage or agent behavior
Leakage of sensitive data caused by adversarial prompt construction
Hallucination amplification driven by malformed or hostile inputs
Propagation of unsafe or untrusted instructions to downstream systems
Loss of transparency, auditability, and policy enforcement across AI workflows
Attack Vector: AI Model input channel (user, agent, tool, MCP, external system) Attack Complexity: Low Privileges Required: None User Interaction: None (especially in autonomous or agent-driven flows) Confidentiality Impact: High Integrity Impact: Critical Availability Impact: Medium
Timeline
Nov 18, 2024 – OWASP-LLM: LLM01 (Prompt Injection), LLM04 (Model Behavior Manipulation), LLM05 (Sensitive Information Disclosure), LLM08 (Insufficient Transparency & Auditability)
March 2025 – OWASP-ASI: ASI-01 (Input Integrity), ASI-04 (Governance), ASI-07 (Reliability), ASI-09 (Traceability), ASI-12 (Operational Monitoring)
Aug 1, 2024 – EU AI Act: Articles 11 (Technical Documentation), 12 (Record-Keeping), 13 (Transparency), 50 (Transparency Obligations), plus Annex III robustness, safety, and risk-management requirements
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
Sanitize and validate all input to the AI Model
AI_APP_SEC_039
Violation Summary If input sent to an LLM is not validated and sanitized, the system becomes vulnerable to prompt injection, obfuscated or encoded instructions, malformed payloads, and adversarial manipulation. Unchecked inputs originating from users, agents, tools, uploaded files, MCP services, or external systems can override system intent, bypass safety controls, contaminate reasoning, and trigger unsafe downstream actions. This risk is amplified in agentic, tool-enabled, and autonomous workflows where LLM output directly influences real systems.
Affected Assets
LLM
AI Agent
Severity
Critical
Technical Details
Failure to validate and sanitize input before sending it to an LLM introduces several risks including:
Prompt injection that overrides system and developer intent
Encoded, hidden, or obfuscated instructions (Base64, leetspeak, zero-width characters) bypassing guardrails
Injection of malicious content that manipulates tool usage or agent behavior
Leakage of sensitive data caused by adversarial prompt construction
Hallucination amplification driven by malformed or hostile inputs
Propagation of unsafe or untrusted instructions to downstream systems
Loss of transparency, auditability, and policy enforcement across AI workflows
Attack Vector: Input channel → LLM (user, agent, tool, file ingestion, MCP, external system) Attack Complexity: Low Privileges Required: None User Interaction: None (especially in autonomous or agent-driven flows) Confidentiality Impact: High Integrity Impact: Critical Availability Impact: Medium
Framework
OWASP-LLM: LLM01, LLM04, LLM05, LLM08
OWASP-ASI: ASI-01 (Input Integrity), ASI-04, ASI-07, ASI-09, ASI-12
EU AI Act: Articles 11, 12, 13, 50, plus Annex III robustness, safety, and risk-management requirements
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
Do not allow malicious content via prompts included in uploaded files
AI_APP_SEC_040
Violation Summary If uploaded files (documents, PDFs, spreadsheets, images with OCR, code files, logs) are ingested by an LLM or agent without inspection for malicious prompts, attackers can embed hidden, encoded, or context-manipulating instructions that influence model behavior. These “prompt-in-files” attacks allow adversaries to bypass input controls, poison agent reasoning, extract sensitive data, or trigger unauthorized tool actions—often without any visible user prompt.
Affected Assets
AI Agent
Severity
Critical
Technical Details
Failing to scan uploaded files for malicious prompts introduces several risks including:
Hidden prompt injection embedded in document text, comments, metadata, or OCR layers
Encoded or obfuscated instructions (Base64, leetspeak, zero-width characters) evading detection Cross-context contamination where file content overrides system or developer instructions
Unauthorized tool invocation or workflow manipulation driven by file-based prompts
Leakage of sensitive data due to adversarial instructions embedded in files
Loss of explainability when behavior is influenced by unseen file content
Violations of transparency, auditability, and policy enforcement requirements
Attack Vector: File upload > document ingestion / OCR / parsing pipeline Attack Complexity: Low Privileges Required: None User Interaction: None, especially in automated ingestion or agent workflows. Confidentiality Impact: High Integrity Impact: Critical Availability Impact: Medium
Framework
OWASP-LLM: LLM01, LLM04, LLM05, LLM08
OWASP-ASI: ASI-01, ASI-04, ASI-07, ASI-09, ASI-12
EU AI Act: Articles 11, 12, 13, 50, plus Annex III robustness, safety, and risk-management requirements
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
Do not allow prompts that can execute malicious commands at runtime
AI_APP_SEC_059
Violation Summary If prompts are not checked for content that may trigger runtime command execution, attackers can inject malicious instructions that cause the system to execute shell commands, file operations, or other high-privilege actions. In agentic or tool-enabled environments, LLM outputs can directly influence interpreters, orchestration engines, or automation pipelines. Without execution safeguards, prompt injection can escalate from text manipulation to full system compromise.
Affected Assets
AI Agent
Severity
Critical
Technical Details
Failing to enforce checks on prompts that may execute commands introduces several risks including:
Command injection through prompts that trigger shell operations
Execution of malicious primitives such as eval, exec, subprocess calls, or dynamic interpreters
Corruption of files, configurations, or operational state
Loss of integrity and trust in AI-driven automation
Violations of secure coding, governance, and runtime safety controls
Attack Vector: Prompt → runtime interpreter Attack Complexity: Low Privileges Required: None User Interaction: None (especially in autonomous or agent-driven workflows) Confidentiality Impact: Critical Integrity Impact: Critical Availability Impact: High
Frameworks
OWASP LLM: LLM01, LLM04, LLM05, LLM08
OWASP ASI: ASI-01, ASI-04, ASI-05
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/
Enforce synthetic content provenance, labeling, and watermarking for AI-generated outputs
AI_APP_SEC_064
Violation Summary
AI systems that generate text, images, audio, video, or code without provenance metadata, content labels, or embedded watermarks enable disinformation, impersonation, and undetectable forgery. AI risk management transparency and accountability expectations and content authenticity guidance require disclosed origin, machine-readable provenance, and tamper-evident markers on all synthetic outputs.
Affected Assets
AI Model
AI Agent
LLM
Severity
Critical
Technical Details
Missing or weak synthetic content provenance, labeling, and watermarking for ai-generated outputs controls introduces risks including:
Returning AI-generated content without machine-readable provenance metadata, such as model identifiers, timestamps, or content origin tags.
Serving AI-generated content without a clear label indicating its synthetic origin.
Producing AI-generated images, audio, or video without embedding a steganographic or cryptographic watermark.
Utilizing unsigned provenance metadata, which allows the origin information to be silently removed or tampered with.
Accepting externally supplied content claimed as human-authored without verifying the absence of AI provenance markers upon ingestion.
Failing open when labeling or watermarking errors occur, resulting in the delivery of unlabeled synthetic content instead of safely blocking the request.
Attack Vector: Network / Application
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
Timeline
Jan 26, 2023 — NIST AI RMF: GOVERN 4.1 (Accountability), MEASURE 2.11 (Transparency & Traceability) and NIST AI 100-4 (Digital Content Transparency)
Aug 1, 2024 — EU AI Act: Obligations for transparency and content authenticity (Art. 52), and requirements for high-risk AI systems regarding technical security, auditability, and human oversight (Art. 15, 14, 9)
Nov 18, 2024 — OWASP-LLM: LLM09 (Misinformation), LLM02 (Insecure Output Handling), LLM05 (Supply Chain Vulnerabilities)
References
https://genai.owasp.org/llm-top-10/
Do not allow prompts with high-risk system commands
AI_APP_SEC_066
Violation Summary If prompts are not inspected for high-risk system or shell commands, attackers can embed instructions that lead to execution of destructive or unauthorized operations. In agentic and tool-enabled environments, LLM outputs may be interpreted as executable instructions, allowing prompt content to directly trigger command execution. Without detection and filtering of high-risk commands, prompt injection can escalate into command execution, system compromise, data destruction, or unauthorized access.
Affected Assets
AI Agent
Severity
Critical
Technical Details
Failing to check prompts for high-risk system and shell commands introduces several risks including:
Execution of dangerous commands such as file deletion, privilege escalation, or system modification
Command injection through prompts interpreted by shell, scripting engines, or automation tools
Unauthorized access to system resources, environment variables, or sensitive files
Data exfiltration via command-line utilities or scripted API calls
Lateral movement across systems using injected commands
Corruption or deletion of critical data and configurations
Abuse of automation pipelines and agent toolchains
Loss of integrity, reliability, and control over AI-driven operations
Attack Vector: Prompt → shell / system interpreter / agent tool execution Attack Complexity: Low Privileges Required: None User Interaction: None (especially in automated or agent-driven workflows) Confidentiality Impact: Critical Integrity Impact: Critical Availability Impact: High
Frameworks
OWASP LLM: LLM01, LLM04, LLM05, LLM08
OWASP ASI: ASI-01, ASI-04, ASI-05, ASI-09, ASI-12
EU AI Act: Article 11, 12, 13, 50
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
Detect direct string interpolation of untrusted input into LLM prompts
AI_APP_SEC_067
Violation Summary
Direct embedding of unvalidated, unsensitized, or unescaped user-controlled data into LLM prompt strings via f-strings, str.format(), string concatenation, or template substitution allows adversaries to inject instructions that override system context, hijack agent behavior, or exfiltrate sensitive information. Code must enforce structural separation between prompt templates and untrusted data so that user input is never interpreted as instructions by the model.
Affected Assets
AI Agent
MCP Server
AI Model
Severity
Critical
Technical Details Direct string interpolation introduces several risks including:
Undetectable prompt injection, unpredictable, unsafe or incorrect output
Bypass safety and governance controls
Unsafe or inconsistent agent behavior, data exfiltration and, system context overrides
Attack Vector: Prompt
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Confidentially Impact: High
Integrity Impact: High
Availability Impact: Low
Timeline
Nov 18, 2024 - OWASP-LLM: LLM01 Jan 26, 2023 - NIST AI RMF: MAP 1.5, MEASURE 2.4 Oct 31, 2023 MITRE ATLAS: AML.T0051
References
Detect LLM output used directly in security-sensitive decisions without Human-in-the-Loop (HITL) validation
AI_APP_SEC_068
Violation Summary:
Detects and prevents the direct use of unvalidated LLM outputs in security-sensitive decisions without Human-in-the-Loop (HITL) validation. LLM output is probabilistic and may hallucinate or be adversarially manipulated, so it must never be the sole authority for a security decision.
Affected Assets:
AI Agent
LLM Application
AI Model
Technical Details:
Missing or weak Human-in-the-Loop (HITL) validation or rule-based check controls introduces risks including:
Relying on raw LLM output as the sole condition in an access, authentication, or permission check without a HITL gate or rule-based check.
Feeding LLM output directly into a function enforcing security policy or classification without a HITL gate or rule-based check.
Granting elevated privileges or expanded scope based on LLM output without a HITL gate or rule-based check.
Failing to implement a deterministic validation step (like an allowlist or schema enforcement) between the LLM response and a security-sensitive operation.
Attack Vector: Network / Application
Attack Complexity: Low
Privileges Required: None to Low
User Interaction: None to Limited
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Timeline:
Oct 2023 — OWASP-LLM (v1.1): LLM09 (Overreliance).
Jan 26, 2023 — NIST AI RMF 1.0: MANAGE, GOVERN
Oct 2020 — MITRE ATLAS
Aug 2024 — EU AI Act
References:
https://genai.owasp.org/llm-top-10/
AI Agent must implement Human-in-the-Loop (HITL) approval flow for risky operations like delete, purge, destroy
AI_APP_SEC_069
Violation Summary If high-risk operations (e.g., delete, purge, destroy, move, export) are executed without Human-in-the-Loop (HITL) oversight, AI agents and automated systems can perform destructive or unauthorized actions without validation. In agentic and tool-enabled environments, LLM outputs can directly trigger these operations, and prompt injection, hallucination, or misinterpretation can lead to irreversible damage. Absence of HITL removes a critical control layer needed to prevent catastrophic system, data, or business impact.
Affected Assets
AI Agent
Technical Details
Not implementing HITL for high-risk operations introduces several risks including:
Accidental or malicious deletion, purge, or destruction of critical data or resources
Execution of irreversible actions triggered by prompt injection or adversarial inputs
Hallucination-driven decisions resulting in destructive operations
Unauthorized changes due to compromised agents or misconfigured permissions
Inability to detect or stop harmful actions before execution
Lack of accountability and validation for critical system changes
Increased blast radius in automated workflows without human checkpoint
Violations of governance, risk management, and safety requirements
Attack Vector: LLM output → agent tool execution / automation pipeline Attack Complexity: Low Privileges Required: None User Interaction: None (in absence of HITL controls) Confidentiality Impact: Medium Integrity Impact: Critical Availability Impact: Critical
Frameworks
OWASP LLM: LLM01, LLM06, LLM08
OWASP ASI: ASI-02, ASI-10
EU AI Act: Article 13, Article 50, Annex III requirements for human oversight, safety, and risk management in high-risk systems
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
Do not allow use of MALICIOUS skills
AI_SKILL_SEC_001
Violation Summary:
Use of malicious or untrusted skills introduces risks of unauthorized actions, data theft, remote command execution, privilege abuse, and compromise of AI agent integrity.
Affected Assets:
LLM
AI Agent
Technical Details:
Malicious skills introduce several risks including:
Unauthorized execution of privileged actions
Data exfiltration through tool or API access
Remote code execution through unsafe tool invocation
Abuse of implicit trust between agent and skill
Credential theft or token misuse
Manipulation of agent reasoning and decision-making
Persistence through malicious extensions or runtime modifications
Supply chain compromise through third-party skills
Bypass of governance, policy, or approval controls
Unsafe autonomous behavior and unintended tool chaining
Attack Vector: Skill Extension
Attack Complexity: Low
Privileges Required: Low to None
User Interaction: Required
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Medium
Timeline:
Nov 18, 2024 - OWASP-LLM: LLM01, LLM02, LLM03
Mar 2025 - OWASP-ASI: ASI-01, ASI-02, ASI-04, ASI-05, ASI-06
Mar 31, 2026 – OWASP Skills Top 10: AST01, AST02
Aug 1, 2024 - EU AI Act: 1.11, 2.12, 3.13, 4.50
Jan 26, 2023 - NIST AI RMF 1.0 : GOVERN 1.6, GOVERN 3.2, MAP 4.1, MANAGE 2.1, MANAGE 4.1
References:
Do not allow use of SUSPICIOUS skills
AI_SKILL_SEC_002
Violation Summary:
Use of malicious or untrusted skills introduces risks of unauthorized actions, data theft, remote command execution, privilege abuse, and compromise of AI agent integrity.
Affected Assets:
LLM
AI Agent
Technical Details:
Malicious skills introduce several risks including:
Unauthorized execution of privileged actions
Data exfiltration through tool or API access
Remote code execution through unsafe tool invocation
Abuse of implicit trust between agent and skill
Credential theft or token misuse
Manipulation of agent reasoning and decision-making
Persistence through malicious extensions or runtime modifications
Supply chain compromise through third-party skills
Bypass of governance, policy, or approval controls
Unsafe autonomous behavior and unintended tool chaining
Attack Vector: Skill Extension
Attack Complexity: Low
Privileges Required: Low to None
User Interaction: Required
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Medium
Timeline:
Nov 18, 2024 - OWASP-LLM: LLM01, LLM02, LLM03
Mar 2025 - OWASP-ASI: ASI-01, ASI-02, ASI-04, ASI-05, ASI-06
Mar 31, 2026 – OWASP Skills Top 10: AST01, AST02
Aug 1, 2024 - EU AI Act: 1.11, 2.12, 3.13, 4.50
Jan 26, 2023 - NIST AI RMF 1.0 : GOVERN 1.6, GOVERN 3.2, MAP 4.1, MANAGE 2.1, MANAGE 4.1
References:
Do not allow use of UNKNOWN skills
AI_SKILL_SEC_003
Violation Summary:
Use of malicious or untrusted skills introduces risks of unauthorized actions, data theft, remote command execution, privilege abuse, and compromise of AI agent integrity.
Affected Assets:
LLM
AI Agent
Technical Details:
Malicious skills introduce several risks including:
Unauthorized execution of privileged actions
Data exfiltration through tool or API access
Remote code execution through unsafe tool invocation
Abuse of implicit trust between agent and skill
Credential theft or token misuse
Manipulation of agent reasoning and decision-making
Persistence through malicious extensions or runtime modifications
Supply chain compromise through third-party skills
Bypass of governance, policy, or approval controls
Unsafe autonomous behavior and unintended tool chaining
Attack Vector: Skill Extension
Attack Complexity: Low
Privileges Required: Low to None
User Interaction: Required
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Medium
Timeline:
Nov 18, 2024 - OWASP-LLM: LLM01, LLM02, LLM03
Mar 2025 - OWASP-ASI: ASI-01, ASI-02, ASI-04, ASI-05, ASI-06
Mar 31, 2026 – OWASP Skills Top 10: AST01, AST02
Aug 1, 2024 - EU AI Act: 1.11, 2.12, 3.13, 4.50
Jan 26, 2023 - NIST AI RMF 1.0 : GOVERN 1.6, GOVERN 3.2, MAP 4.1, MANAGE 2.1, MANAGE 4.1
References:
Data Security and Privacy
Protects PII, prevents data leakage, and enforces privacy controls across AI models and agents.
Do not store secrets in code
AI_DAT_SEC_001
Violation Summary Storing secrets, such as API keys, access tokens, service credentials, MCP tokens, encryption keys, or database passwords, directly in code, configuration files, or agent prompt templates introduces an immediate and critical security vulnerability. Hard-coded secrets are easily exposed through source control, logs, error messages, LLM interactions, and dependency analysis. Once leaked, these credentials can be used to impersonate services, manipulate AI agent behavior, exfiltrate data, or compromise entire environments.
Affected Assets
LLM
AI Agent
MCP Server
Severity
Critical
Technical Details Storing secrets in code introduces several risks including:
Unauthorized access to internal systems, APIs, and third-party services
Full environment compromise if privileged keys (e.g., root tokens) are exposed
Impersonation of agents, MCP clients, or downstream services
Lateral movement enabled through leaked credentials
Leakage via LLM outputs, agent error messages, or repository scans
Irreversible compromise of production systems due to difficult secret rotation
Violations of governance, transparency, and credential-handling requirements
Attack Vector: Source code / repository / agent configuration Attack Complexity: Low Privileges Required: None User Interaction: None Confidentiality Impact: Critical Integrity Impact: Critical Availability Impact: Medium
Framework
Nov 18, 2024 – OWASP-LLM: LLM01, LLM03, LLM05, LLM08
March 2025 – OWASP-ASI: ASI-01, ASI-04, ASI-09, ASI-12
Aug 1, 2024 – EU AI Act: 1.11, 2.12, 3.13, 4.50
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
If PII data must be shared, it must be encrypted
AI_DAT_SEC_009
Violation Summary Transmitting personally identifiable information (PII) without encryption exposes sensitive user data to interception, tampering, unauthorized access, and regulatory non-compliance. Unencrypted PII flowing between AI agents, MCP clients and servers, microservices, or external APIs can be harvested by attackers or internal adversaries through network sniffing, logging systems, or compromised intermediaries. Such exposure creates severe privacy, legal, operational, and reputational risks.
Affected Assets
LLM
AI Agent
MCP Server
Severity
Critical
Technical Details Transmitting unencrypted PII introduces several risks including:
Exposure of sensitive user information through network interception
Unauthorized access to identity data, enabling fraud or impersonation
Regulatory violations (GDPR, EU AI Act, state privacy laws)
Inability to ensure integrity or authenticity of transmitted data
Leakage through LLM logs, telemetry, or debugging outputs
Lateral movement or privilege escalation through harvested identity data
Failure to meet encryption, security, and risk-management obligations
Attack Vector: Network transit / API calls / agent communication Attack Complexity: Low Privileges Required: None User Interaction: None Confidentiality Impact: Critical Integrity Impact: High Availability Impact: Low
Framework
Nov 18, 2024 – OWASP-LLM: LLM03 (Data Leakage), LLM05 (Sensitive Information Disclosure), LLM08 (Insufficient Transparency & Auditability)
March 2025 – OWASP-ASI: ASI-01 (Input/Output Integrity), ASI-05 (Data Security & Handling), ASI-09 (Audit & Traceability), ASI-12 (Operational Monitoring)
Aug 1, 2024 – EU AI Act: Articles 1.11 (Technical Documentation), 2.12 (Record-Keeping), 3.13 (Transparency), 4.50 (General Transparency Obligations), plus GDPR-aligned data protection expectations reflected across the Act
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
Do not log PII
AI_DAT_SEC_010
Violation Summary Logging personally identifiable information (PII) exposes sensitive user data to unauthorized access, replication, and long-term retention in unsecured or low-visibility systems. Log files are frequently accessible to broader engineering, operations, analytics, or third-party tools and often persist indefinitely. Once PII enters logs, it becomes extremely difficult to control, delete, audit, or protect—creating severe privacy, compliance, and security risks across all AI and MCP-enabled environments.
Affected Assets
LLM
AI Agent
MCP Server
Severity
Critical
Technical Details
Logging PII introduces several risks including:
Unauthorized internal access or external compromise of sensitive information
Accidental disclosure through debugging tools, telemetry pipelines, or log aggregators
Persistent exposure that violates data minimization and retention requirements
Inability to satisfy deletion, correction, or subject rights requests
Propagation of PII through downstream systems (LLM training data, observability tools, backups)
Legal and regulatory violations under GDPR, state privacy laws, and the EU AI Act
Loss of trust and reputational damage due to preventable data leakage
Attack Vector: Logging systems / telemetry pipelines / observability tooling Attack Complexity: Low Privileges Required: None User Interaction: None Confidentiality Impact: Critical Integrity Impact: Medium Availability Impact: Low
Framework
Nov 18, 2024 - OWASP-LLM: LLM03 (Data Leakage), LLM05 (Sensitive Information Disclosure), LLM08 (Insufficient Transparency & Auditability)
March, 2025 - OWASP-ASI: ASI-01 (Integrity), ASI-05 (Data Handling), ASI-09 (Traceability), ASI-12 (Monitoring)
Aug, 1, 2024 - EU AI Act: Articles 11 (Documentation), 12 (Record-Keeping), 13 (Transparency), 50 (Transparency Obligations), GDPR-aligned data-minimization principles
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
Do not send PII to AI Models
AI_DAT_SEC_011
Violation Summary Sending personally identifiable information (PII) to an AI Model exposes sensitive data to uncontrolled processing, persistence, training retention, unauthorized internal access, and unintended disclosure. AI Models are not guaranteed to handle PII according to data-minimization or privacy-by-design principles, and model outputs may inadvertently reveal, transform, or propagate sensitive information. This creates severe privacy, regulatory, and security risks across all AI-driven workflows.
Affected Assets
AI Agent
Severity
Critical
Technical Details Sending PII to an AI Model introduces several risks including:
Leakage of sensitive user information through outputs or indirect inference
Inclusion of PII in model logs, telemetry, or monitoring systems
Potential model retention or memorization of PII, enabling future extraction
Non-compliance with privacy regulations due to uncontrolled third-party processing
Exposure through prompt injection attacks that pull stored or inferred PII
Inability to enforce deletion, consent, or data subject rights
Violations of transparency, purpose limitation, and privacy-by-design obligations
Attack Vector: AI Model input channel Attack Complexity: Low Privileges Required: None User Interaction: None Confidentiality Impact: Critical Integrity Impact: Medium Availability Impact: Low
Framework
Nov 18, 2024 – OWASP-LLM: LLM03 (Data Leakage), LLM05 (Sensitive Information Disclosure), LLM08 (Insufficient Transparency & Auditability)
Mar 2025 – OWASP-ASI: ASI-01 (Integrity), ASI-05 (Data Handling), ASI-09 (Traceability), ASI-12 (Monitoring)
Aug 1, 2024 – EU AI Act: Articles 11 (Documentation), 12 (Record-Keeping), 13 (Transparency), 50 (Transparency Obligations), plus GDPR-aligned data-minimization and purpose-limitation requirements
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
Mask PII on user interfaces
AI_DAT_SEC_012
Violation Summary Displaying unmasked personally identifiable information (PII) on user interfaces exposes sensitive data to unauthorized viewing, shoulder surfing, screen sharing leaks, and over-privileged internal access. Any UI that renders full PII—names, addresses, SSNs, phone numbers, emails, financial data, or identifiers—creates a high risk of accidental disclosure and non-compliance. Unmasked PII can also be captured in screenshots, monitoring tools, session replay systems, or logs, further amplifying exposure.
Affected Assets
LLM
AI Agent
Severity
Critical
Technical Details Not masking PII on UI introduces several risks including:
Unauthorized access or accidental exposure of sensitive identity information
Violation of least-privilege and data-minimization principles
Increased likelihood of data leakage via screenshots, video recordings, demos, or shared sessions
Compromise through malicious insiders or overexposed customer support tools
Replication of PII into frontend logs, browser telemetry, or third-party analytics
Regulatory violations related to privacy, transparency, and secure data handling
Loss of user trust and potential legal liability
Attack Vector: User interface display layer Attack Complexity: Low Privileges Required: None (visual exposure requires only observation) User Interaction: None Confidentiality Impact: Critical Integrity Impact: Low Availability Impact: Low
Framework
Nov 18, 2024 – OWASP-LLM: LLM03 (Data Leakage), LLM05 (Sensitive Information Disclosure), LLM08 (Insufficient Transparency & Auditability)
March 2025 – OWASP-ASI: ASI-01 (Integrity), ASI-05 (Data Handling), ASI-09 (Traceability), ASI-12 (Monitoring)
Aug 1, 2024 – EU AI Act: Articles 11 (Documentation), 12 (Record-Keeping), 13 (Transparency), 50 (Transparency Obligations), GDPR-aligned principles of data minimization and privacy-by-design
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
Redact PII from uploaded files
AI_DAT_SEC_023
Violation Summary If uploaded files (documents, PDFs, spreadsheets, images with OCR, logs, archives) are ingested without redacting personally identifiable information (PII), sensitive data can be unintentionally exposed, propagated, or retained across AI systems. Unredacted PII may be processed by LLMs, logged, cached, embedded in prompts, or transmitted to external services—creating severe privacy, regulatory, and security risks that are difficult to detect and remediate after ingestion.
Affected Assets
AI Agent
Severity
Critical
Technical Details
Failing to redact PII from uploaded files introduces several risks including:
Exposure of sensitive personal data through LLM processing, outputs, or logs
Propagation of PII into prompts, embeddings, vector stores, and downstream systems
Accidental disclosure via summaries, citations, or extracted insights
Inability to honor data minimization, retention limits, or subject rights requests
Increased blast radius when files are shared across agents or external tools
Elevated risk of data leakage through prompt injection or model inference
Violations of privacy-by-design, transparency, and record-keeping requirements
Attack Vector: File upload → parsing / OCR / document ingestion pipeline Attack Complexity: Low Privileges Required: None User Interaction: None, especially in automated ingestion or agent workflows. Confidentiality Impact: Critical Integrity Impact: Medium Availability Impact: Low
Frameworks
OWASP-LLM: LLM03, LLM05, LLM08
OWASP-ASI: ASI-01, ASI-05, ASI-09, ASI-12
EU AI Act: Articles 11, 12, 13, plus GDPR-aligned data-minimization and privacy-by-design principles embedded across the Act
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
Uploaded files must not contain PII (Singapore)
AI_DAT_SEC_024
Violation Summary This applies to the information that is considered PII in Singapore. If files uploaded to an AI agent are ingested without redacting PII, sensitive data can be unintentionally exposed, propagated, retained, or disclosed through agent reasoning, LLM prompts, logs, embeddings, or downstream tool calls. Because AI agents often summarize, transform, store, and share file contents across systems, unredacted PII significantly amplifies privacy, compliance, and security risks and makes post-incident remediation extremely difficult.
Affected Assets
AI Agent
Severity
Critical
Technical Details
Failing to redact PII from files uploaded to AI agents introduces several risks including:
Exposure of sensitive personal data through agent outputs, summaries, or citations
Propagation of PII into prompts, vector databases, caches, logs, and telemetry
Uncontrolled sharing of PII with external LLM providers or third-party tools
Inability to comply with data minimization, retention limits, or deletion requests
Increased risk of data leakage via prompt injection or inference attacks
Broader blast radius when agents reuse or redistribute file content
Violations of privacy-by-design, transparency, and record-keeping requirements
Attack Vector: File upload → agent ingestion / parsing Attack Complexity: Low Privileges Required: None User Interaction: None (especially in automated or agent-driven workflows) Confidentiality Impact: Critical Integrity Impact: Medium Availability Impact: Low
Frameworks
OWASP LLM: LLM03, LLM05, LLM08
OWASP ASI: ASI-01, ASI-05, ASI-09, ASI-12
Singapore PDPA: Section 11, 13, 18, 24
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
No file should contain any PII
AI_DAT_SEC_025
Violation Summary If files contain unredacted personally identifiable information (PII), there is risk of sensitive data access to unrestricted access, misuse, and downstream propagation. This increases the likelihood of data leakage, unauthorized scraping, AI training contamination, and regulatory violations. Once exposed, PII can be copied, indexed, cached, or redistributed beyond the organization’s control.
Severity
Critical
Affected Assets
AI Agent
Technical Details
Failing to redact PII from publicly accessible files introduces several risks including:
Unrestricted access to sensitive personal data by internal users, contractors, or the public
Mass data harvesting, scraping, or indexing by automated tools and AI systems
Propagation of PII into LLM prompts, embeddings, search indexes, and external datasets
Inability to enforce consent, purpose limitation, or access controls
Permanent exposure due to caching, backups, screenshots, or mirrors
Increased insider threat and accidental disclosure risk
Severe regulatory, legal, and reputational impact
Attack Vector: Public file access / shared repositories / collaboration platforms Attack Complexity: Low Privileges Required: None User Interaction: None Confidentiality Impact: Critical Integrity Impact: Medium Availability Impact: Low
Frameworks
OWASP LLM: LLM03, LLM05, LLM08
OWASP ASI: ASI-01, ASI-05, ASI-09, ASI-12
EU AI Act: Article 11, Article 12, Article 13, Article 50, GDPR-aligned data minimization and privacy-by-design principles
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
Enforce output data minimization for model, tool, and API responses. - Critical
AI_DAT_SEC_027
Violation Summary
Adversaries and misconfigured pipelines can cause the system to return excessive internal, sensitive, or user-identifying data in completions, tool results, logs, or client payloads. Without minimization, PII, secrets, full records, and operational metadata leak through normal response paths.
Affected Assets
AI Model
AI Agent
LLM
MCP Server
Severity
Critical
Technical Details
Missing or weak output data minimization for model, tool, and API responses controls introduces risks including:
Forwarding entire database rows, user profiles, complete document bodies, or unbounded retrieval sets into model prompts or client responses when only a subset is required.
Exposing raw internal metadata, such as primary keys, session identifiers, stack traces, file paths, or hostnames, to end users without redaction.
Placing secrets, API keys, tokens, passwords, private keys, or connection strings into completion text, tool results, error messages, or logs exposed to clients.
Returning unredacted tool, MCP, or plugin results to the user or upstream LLM without field allowlists, leading to arbitrary keys appearing in final outputs.
Appending full conversation histories, memory dumps, or prior-session transcripts to new responses instead of using a minimal summary or targeted excerpt.
Failing open on minimization or redaction errors, resulting in the return of original unfiltered payloads to the client rather than blocking or returning a safe error message.
Attack Vector: Network / Application
Attack Complexity: Low
Privileges Required: None to Low
User Interaction: None
Confidentiality Impact: High
Integrity Impact: None to Low
Availability Impact: Low
Timeline
Nov 18, 2024 — OWASP-LLM: LLM06 (Sensitive Information Disclosure), LLM02 (Insecure Output Handling)
March 2025 — OWASP-ASI: ASI-05 (Data Leakage & Privacy Violations)
Aug 1, 2024 — EU AI Act: Obligations for high-risk AI systems around data governance, privacy, and security (e.g., Art. 10, Art. 15)
References
https://genai.owasp.org/llm-top-10/
https://genai.owasp.org/initiatives/agentic-security-initiative/
Enforce decision logging, audit trail, and forensic readiness for AI-driven actions
AI_DAT_SEC_029
Violation Summary
AI systems that make or influence decisions affecting people, data, or operations without immutable audit trails and forensic-ready logs create accountability gaps and obstruct incident response. AI risk management accountability, transparency, and post-deployment monitoring expectations require traceable, tamper-evident records of every consequential AI-driven action.
Affected Assets
AI Model
AI Agent
LLM
MCP Server
Severity
Critical
Technical Details
Missing or weak decision logging, audit trail, and forensic readiness for ai-driven actions controls introduces risks including:
Failing to log model identifiers, input hashes, outputs, and acting principals creates significant accountability gaps, making it impossible to trace consequential decisions back to specific origins.
Permitting mutable logs that can be updated, truncated, or deleted compromises the integrity of the audit trail, undermining trust and forensic investigations.
The lack of shared correlation identifiers across multi-step processes prevents administrators from reconstructing the full causal chain of events.
Operating without configured retention or log rotation policies can lead to compliance violations and unmanaged storage.
Catching logging exceptions silently without alerting or failing closed can result in permanent loss of audit data when the logging sink becomes unreachable.
Omitting essential forensic context, such as data lineage and retrieval metadata, makes it impossible to reproduce, explain, or thoroughly investigate AI-driven actions post-deployment.
Attack Vector: Network / Application
Attack Complexity: Low
Privileges Required: None to Low
User Interaction: None
Confidentiality Impact: Low
Integrity Impact: High
Availability Impact: None to Low
Timeline
Jan 26, 2023 — NIST AI RMF: GOVERN 5.2 (Data Privacy & Security), MEASURE 3.1 (Privacy-Enhanced Evaluation)
Nov 18, 2024 — OWASP-LLM: LLM01 (Prompt Injection), LLM06 (Sensitive Information Disclosure), LLM08 (Excessive Agency)
March 2025 — OWASP-ASI: ASI-03 (Identity & Privilege Abuse); related themes ASI-01, ASI-04, ASI-07, ASI-09
References
https://genai.owasp.org/llm-top-10/
https://www.nist.gov/itl/ai-risk-management-framework
https://genai.owasp.org/initiatives/agentic-security-initiative/
Identity and Access Control
Enforces authentication and least-privilege controls between AI agents, MCP servers, and endpoints.
MCP client must authenticate the MCP server
AI_IAC_002
Violation Summary If an MCP client does not authenticate the MCP server, it cannot verify the identity, legitimacy, or trustworthiness of the system providing tool responses, commands, or data. This creates an opportunity for attackers to impersonate the MCP server, intercept or modify traffic, inject malicious tool responses, or deliver falsified data that influences downstream agent reasoning. Without authentication, the MCP trust boundary collapses, enabling man-in-the-middle attacks, data manipulation, workflow corruption, and full compromise of AI-driven operations.
Affected Assets
MCP Server
MCP Client
AI Agent
Severity
Critical
Technical Details Not authenticating the MCP server introduces several risks including:
Server impersonation leading to injection of malicious or misleading responses
Man-in-the-middle interception and modification of MCP traffic
Unauthorized access to sensitive MCP capabilities, tools, and agent operations
Corruption of workflows through falsified output or manipulated data
Leakage of PII or sensitive context exchanged with the illegitimate server
Loss of integrity, trust, and accountability in MCP-driven decisions
Violations of transparency, security, and traceability requirements
Attack Vector: Network/API communication between MCP client and server Attack Complexity: Low Privileges Required: None User Interaction: None Confidentiality Impact: High Integrity Impact: Critical Availability Impact: Medium
Framework
Nov 18, 2024 – OWASP-LLM: LLM01 (Prompt/Instruction Injection), LLM04 (Model Behavior Manipulation), LLM05 (Sensitive Information Disclosure), LLM08 (Insufficient Transparency & Auditability)
March 2025 – OWASP-ASI: ASI-01 (Integrity), ASI-04 (Governance), ASI-09 (Traceability), ASI-12 (Monitoring)
Aug 1, 2024 – EU AI Act: Articles 11 (Documentation), 12 (Record-Keeping), 13 (Transparency), 50 (Transparency Obligations), plus robustness and security obligations for high-risk systems
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
MCP server must authenticate all clients
AI_IAC_006
Violation Summary If an MCP server does not authenticate the client making requests, any unauthorized entity—including compromised agents, external attackers, or untrusted processes—can impersonate a legitimate client. This allows attackers to invoke privileged tools, access sensitive data, manipulate workflows, or trigger system actions without detection. Lack of client authentication effectively removes all trust boundaries, enabling full compromise of server-side capabilities and AI-driven operations.
Affected Assets
LLM
AI Agent
Severity
Critical
Technical Details Not authenticating the MCP client introduces several risks including:
Unauthorized invocation of high-privilege tools or system actions
Full impersonation of trusted agents, enabling malicious or deceptive requests
Data exposure through unrestricted access to server responses, APIs, or internal systems
Manipulation of downstream workflows via falsified or maliciously crafted requests
Escalation of privilege or lateral movement across connected systems
Loss of accountability, traceability, and auditability for all client-driven actions
Violations of integrity, transparency, and security obligations for regulated AI systems
Attack Vector: Client → MCP server request path Attack Complexity: Low Privileges Required: None User Interaction: None Confidentiality Impact: High Integrity Impact: Critical Availability Impact: Medium
Framework (Compressed)
Nov 18, 2024 – OWASP-LLM: LLM01 (Instruction Injection), LLM04 (Behavior Manipulation), LLM05 (Sensitive Data Exposure), LLM08 (Transparency & Auditability Failures) Mar 2025 – OWASP-ASI: ASI-01 (Integrity), ASI-04 (Governance), ASI-09 (Traceability), ASI-12 (Monitoring) Aug 1, 2024 – EU AI Act: Articles 11 (Documentation), 12 (Record-Keeping), 13 (Transparency), 50 (Transparency Obligations), plus Annex III robustness & security requirements
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
Inter-agent communication must be authenticated
AI_IAC_007
Violation Summary If agents communicate without authentication, any unauthorized party—including rogue agents, compromised services, or external attackers—can impersonate a legitimate agent and issue commands, request data, or alter system behavior. Non-authenticated inter-agent communication destroys trust boundaries between autonomous components and enables impersonation, privilege escalation, data leakage, workflow manipulation, and full compromise of multi-agent systems. Without identity guarantees, agent-to-agent messaging becomes a high-risk attack surface.
Affected Assets
AI Agent
Severity
Critical
Technical Details Missing authentication between agents introduces several risks including:
Unauthorized agents impersonating trusted components to issue commands
Manipulation of agent workflows or decision chains through falsified messages
Leakage of sensitive data exchanged during inter-agent coordination
Injection of malicious instructions into distributed reasoning processes
Loss of accountability and inability to attribute harmful actions
Increased lateral movement risk across agent networks
Violations of integrity, trust, and regulatory controls for autonomous systems
Attack Vector: Inter-agent message channel / network communication Attack Complexity: Low Privileges Required: None User Interaction: None Confidentiality Impact: High Integrity Impact: Critical Availability Impact: Medium
Framework
Nov 18, 2024 – OWASP-LLM: LLM01 (Instruction Injection), LLM04 (Behavior Manipulation), LLM05 (Sensitive Data Disclosure), LLM08 (Transparency & Audit Failures)
March 2025 – OWASP-ASI: ASI-01 (Integrity), ASI-04 (Governance), ASI-07 (Reliability), ASI-09 (Traceability), ASI-12 (Monitoring)
Aug 1, 2024 – EU AI Act: Articles 11 (Documentation), 12 (Record-Keeping), 13 (Transparency), 50 (Transparency Obligations), plus Annex III security & robustness expectations for high-risk systems
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
Agents must not hold excessive external system credentials
AI_IAC_008
Violation Summary When agents are configured with credentials to access more than three external systems, the blast radius of a compromise dramatically increases. Each additional credential expands the agent’s privilege footprint and creates new pathways for lateral movement, data exfiltration, unauthorized actions, and multi-system compromise. Over-privileged agents become single points of systemic failure if the agent is hijacked, attacked, misconfigured, or manipulated by an LLM prompt, all connected external systems are at risk simultaneously.
Affected Assets
AI Agent
Severity
High/Critical
Technical Details Allowing an agent to hold multiple (3+) external system credentials introduces several risks including:
Large blast radius: compromising the agent compromises all connected systems
Increased likelihood of credential leakage through logs, LLM outputs, prompts, or tool interactions
Prompt injection enabling unauthorized use of high-privilege multi-system access
Lateral movement across different platforms (e.g., Jira → GitHub → AWS → Snowflake)
Violation of least-privilege and separation-of-duties principles
Difficulty revoking or rotating credentials in incident response
Loss of governance and traceability when many systems are accessed through one agent identity
Attack Vector: Agent credential store / agent-initiated external API calls Attack Complexity: Low Privileges Required: None User Interaction: None Confidentiality Impact: Critical Integrity Impact: Critical Availability Impact: Medium to High
Framework
Nov 18, 2024 – OWASP-LLM: LLM01 (Injection), LLM04 (Behavior Manipulation), LLM05 (Sensitive Data Disclosure), LLM08 (Transparency & Audit Failures)
Mar 2025 – OWASP-ASI: ASI-01 (Integrity), ASI-04 (Governance), ASI-05 (Safe Handling), ASI-09 (Traceability), ASI-12 (Monitoring)
Aug 1, 2024 – EU AI Act: Articles 11 (Documentation), 12 (Record-Keeping), 13 (Transparency), 50 (Transparency Obligations), Annex III controls emphasizing least privilege, system robustness, and secure integration
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
LLM endpoints must require authentication
AI_IAC_009
Violation Summary If an LLM endpoint allows unauthenticated access, any external party can invoke the model without identity verification, usage controls, or accountability. This exposes the LLM to abuse, data leakage, prompt injection, denial-of-service, and unauthorized use of compute resources. In agentic and tool-enabled environments, unauthenticated access can also enable attackers to manipulate downstream workflows, trigger unsafe actions, or extract sensitive information without detection.
Affected Assets
LLM
Severity
Critical
Technical Details
Allowing unauthenticated access to an LLM endpoint introduces several risks including:
Unauthorized use of the model for malicious or abusive purposes
Prompt injection and adversarial inputs from unknown or untrusted actors
Leakage of sensitive context, system prompts, or embedded data
Abuse of compute resources leading to cost overruns or service degradation
Inability to enforce rate limits, quotas, or usage policies per identity
Loss of accountability, auditability, and forensic traceability
Circumvention of governance, approval, and access-control processes
Attack Vector: Public or unauthenticated API endpoint Attack Complexity: Low Privileges Required: None User Interaction: None Confidentiality Impact: High Integrity Impact: High to Critical Availability Impact: High (due to abuse or denial-of-service)
Frameworks
Nov 18, 2024 – OWASP-LLM: LLM0, LLM03 LLM04, LLM08 Mar 2025 – OWASP-ASI: ASI-01, ASI-04, ASI-09, ASI-12 Aug 1, 2024 – EU AI Act: Articles 11, 12, 13, 50 and obligations for secure access control and robustness in high-risk and GPAI systems
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://artificialintelligenceact.eu/ai-act-explorer/
A user must authenticate before accessing the AI Agent
AI_IAC_014
Violation Summary
Allowing access to an AI Agent without user authentication enables unauthorized actors to invoke agent capabilities, consume resources, and perform malicious actions under anonymous or unverified identities. This weakens accountability, bypasses access governance, and increases the risk of abuse in production and enterprise environments.
Affected Assets
AI Agent
Severity
High
Technical Details
Missing authentication before AI Agent access introduces several risks including:
Unauthorized use of AI Agent functionality by external or internal actors
Bypass of identity-based controls and audit accountability
Potential misuse for malicious prompting, automation abuse, or harmful output generation
Increased exposure of sensitive responses or restricted agent behaviors to unverified users compliance and governance violations related to access control requirements
Attack Vector: Network/Application Access
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Confidentially Impact: High
Integrity Impact: High
Availability Impact: Medium
Frameworks
Dec 2025 – OWASP-ASI: ASI-03 Mar 2025 – OWASP-LLM: LLM-07 Jul 2024 – EU AI Act: Article 15 and Recital 66 (high-risk AI systems: accuracy, robustness, cybersecurity)
References https://genai.owasp.org/initiatives/agentic-security-initiative/ https://genai.owasp.org/llm-top-10/ https://artificialintelligenceact.eu/ai-act-explorer/
Enforce URL allowlists for agent fetches, tools, and outbound HTTP
AI_IAC_015
Violation Summary
Unrestricted URLs let prompt injection or tool abuse drive server-side request forgery, data exfiltration, and lateral movement. LLM and agentic security guidance and operational controls for AI systems expect explicit allowlisting and scheme restrictions for any automated retrieval or callback.
Affected Assets
AI Model
MCP Server
LLM
Severity
Critical
Technical Details
Missing or weak URL allowlists for agent fetches, tools, and outbound http controls introduces risks including:
Allowing arbitrary URL fetches enables attackers to use the AI agent to execute server-side request forgery (SSRF), accessing sensitive internal networks, link-local addresses, and cloud metadata endpoints.
Permitting unvalidated model-chosen or user-supplied URLs without strict host and path rules allows malicious actors to covertly exfiltrate data to external attacker-controlled servers.
Permitting dangerous or custom schemes (such as file://, gopher://, dict://, or ftp://) instead of enforcing a default deny-list allows attackers to pivot and move laterally within the internal network.
Failing to re-validate each HTTP redirect hop against the allowlist allows attackers to bypass initial URL checks and redirect the agent to restricted targets.
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None to Low
User Interaction: None
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Low to Medium
Timeline
Nov 18, 2024 — OWASP-LLM: LLM06 (Excessive Agency), LLM07 (Insecure Plugin Design / System Interaction)
March 2025 — OWASP-ASI: ASI-02 (Tool Misuse & Exploitation); ASI-01, ASI-03, ASI-04, ASI-07, ASI-09
Aug 1, 2024 — EU AI Act: Obligations for high-risk AI systems around security, accuracy, robustness, and human oversight (e.g., Art. 15 Cybersecurity & Robustness, Art. 14 Human Oversight, Art. 9 Risk Management)
References
https://genai.owasp.org/llm-top-10/
https://genai.owasp.org/initiatives/agentic-security-initiative/
Detect and block agent privilege escalation attempts
AI_IAC_016
Violation Summary
When agent orchestration does not detect and block privilege escalation, attackers or flawed automation can expand OAuth scopes, administrative APIs, roles, or dangerous tools beyond what the user or policy approved. That breaks least-privilege expectations for agentic systems and enables unauthorized or destructive actions with the appearance of legitimate agent behavior.
Affected Assets
AI Agent
LLM
MCP Server
Severity
Critical
Technical Details
Missing or weak escalation controls introduces risks including:
Unbounded scope and capability growth driven by model output, chat, or tool results without human-in-the-loop approval or static policy comparison
Dynamic registration or use of admin-only, destructive, or credential-bearing tools without verifying the bound identity’s role
Role or permission changes triggered by model-generated content instead of governed identity workflows
Execution of tool plans without comparing requested tools, HTTP methods, or resource paths to a maximum-privilege profile captured at bind time
Fail-open behavior that logs suspected escalation but still executes the action
Attack Vector: Network / Application (abuse of agent tooling and authorization flows)
Attack Complexity: Low to Medium
Privileges Required: Low (often none beyond normal agent or user session use)
User Interaction: None to Limited
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Low to Medium
Timeline
Nov 18, 2024 — OWASP-LLM: LLM01 (Prompt Injection), LLM06 (Sensitive Information Disclosure), LLM08 (Excessive Agency)
March 2025 — OWASP-ASI: ASI-03 (Identity & Privilege Abuse); related themes ASI-01, ASI-04, ASI-07, ASI-09
Aug 1, 2024 — EU AI Act: obligations for high-risk AI systems around security, accuracy, robustness, and human oversight (e.g. Art. 15, 14, 9 context-dependent)
References
https://genai.owasp.org/llm-top-10/
https://genai.owasp.org/initiatives/agentic-security-initiative/
Maintain session token integrity with signing, verification, expiry, and binding
AI_IAC_017
Violation Summary
Weak or improperly handled session tokens for agents, APIs, or MCP clients enable forgery, session fixation, confused-deputy behavior, and long-lived unauthorized access. Without integrity, authenticity, expiry, binding, and consistent validation, session identifiers become a high-value target and a weak control for delegated agent actions.
Affected Assets
AI Agent
LLM
MCP Server
MCP Client
Severity
Critical
Technical Details
Inadequate session token design and validation introduce risks including:
Accepting unsigned or unauthenticated tokens (e.g. trusting opaque random IDs with no MAC or signature verification)
Guessable or sequential identifiers instead of cryptographically secure randomness
Missing or unenforced expiry and lack of server-side invalidation
Timing-sensitive comparison of secrets (e.g. plain == on HMACs or bearer tokens) exposing tokens to guessing or side channels
Session tokens in URLs, logs, or client-visible errors (leakage and replay)
Continuing to honor old session tokens after role or scope elevation without re-issuing bound tokens
Attack Vector: Network
Attack Complexity: Low to Medium
Privileges Required: None to Low
User Interaction: None
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Low
Timeline
Nov 18, 2024 — OWASP-LLM: LLM07 (Insecure Plugin/Tool Design) where sessions gate tool use; LLM06 (Sensitive Information Disclosure) for token exposure
March 2025 — OWASP-ASI: ASI-03 (Identity & Privilege Abuse)
References
https://genai.owasp.org/llm-top-10/
https://genai.owasp.org/initiatives/agentic-security-initiative/
Enforce cryptographically verified user-to-agent binding for every request
AI_IAC_018
Violation Summary
Without binding, attackers or confused deputies can steer an agent with another user's identity, reuse pooled agents across principals, or override the authenticated subject using client-supplied fields or model text. AI governance expectations and agentic identity guidance require stable, verified binding between human or service identity and agent execution context.
Affected Assets
AI Agent
LLM
MCP Server
Severity
Critical
Technical Details
Missing or weak cryptographically verified user-to-agent binding for every request control introduces risks including:
Threat actors overriding authenticated subjects by supplying unverified JSON fields, query parameters, or unsigned headers, allowing them to impersonate other users for tool calls, MCP invocations, and downstream API requests.
Parsing LLM or tool output to change the bound user, role, tenant, or OAuth subject allows the model or attacker to manipulate the execution identity before privileged actions.
Reusing a single long-lived agent instance, connection, or MCP session across different HTTP requests or WebSocket sessions without explicitly re-initializing and re-verifying identity allows attackers to hijack pooled agents and access data across principals.
Invoking high-risk tools (e.g., payments, admin APIs, PII export) without explicitly verifying that the currently bound subject matches the resource owner or an authorized delegate enables unauthorized actions.
Continuing agent execution with a default or anonymous user when authentication or binding validation fails provides a fallback mechanism that attackers can exploit to bypass access controls entirely.
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None to Low
User Interaction: None
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Low to Medium
Timeline
Jan 26, 2023 — NIST AI RMF 1.0: GOVERN 4.1, MAP 4.1.
Nov 18, 2024 — OWASP Top 10 for LLM Applications: LLM08 (Excessive Agency) and LLM06 (Sensitive Information Disclosure).
March 2025 — OWASP Agentic Security Initiative (ASI): ASI-01 (Agent Identity) , ASI-03 (Identity & Privilege Abuse).
References
https://genai.owasp.org/llm-top-10/
https://genai.owasp.org/initiatives/agentic-security-initiative/
Restrict AI agents to an explicit tool allowlist
AI_IAC_SEC_020
Violation Summary
AI agents that can invoke arbitrary local or remote tools are highly susceptible to prompt-injection-driven abuse, privilege creep, and unintended data exfiltration. Enforcing a centrally managed allow list ensures only approved capabilities are reachable and prevents fallback to broad or dynamic tool access.
Affected Assets
AI Agent
LLM
MCP Server
MCP Client
Severity
Critical
Technical Details
Missing or weak restrict ai agents to an explicit tool allow list controls introduces risks including:
Executing tools from a registry, plugin catalog, MCP server list, or runtime-discovered manifest without verifying membership in an approved allow list.
Permitting configurations that use '*' tool names, default-all behavior, or interpret empty allow lists as granting full access.
Enabling or adding tools directly from LLM outputs, prompt text, or untrusted metadata without server-side policy validation.
Reusing a single global allow list across distinct user roles or task classes instead of applying narrower, scoped lists.
Proceeding with tool execution when an allow list fetch, parse, signature check, or policy service lookup fails, rather than failing closed.
Failing to log attempted tool IDs, actors, policy versions, and denial reasons to a protected audit sink when unauthorized tools are blocked.
Attack Vector: Network / Application
Attack Complexity: Low
Privileges Required: None to Low
User Interaction: None to Limited
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Timeline
Oct 2023 — OWASP-LLM (v1.1): LLM01 (Prompt Injection), LLM06 (Sensitive Information Disclosure), LLM08 (Excessive Agency).
March 2025 — OWASP-ASI: ASI-05; ASI-01, ASI-03, ASI-04, ASI-07, ASI-09.
Jan 26, 2023 — NIST AI RMF 1.0: MANAGE, GOVERN
References
https://genai.owasp.org/llm-top-10/
https://genai.owasp.org/initiatives/agentic-security-initiative/
Enforce resource bounds, termination limits, and traceability for subagent spawning
AI_IAC_022
Violation Summary
Unbounded spawning of AI subagents without strict lifecycle constraints can lead to runaway autonomous processes, infinite loops, and 'agentic fork-bombs' that exhaust compute, memory, or API budgets. Agent orchestration code must enforce hard timeouts, maximum execution step counts, concurrency limits, and structured parent-child traceability at every point a subagent is created.
Affected Assets
AI Agent
LLM
Severity
High
Missing or weak autonomous subagent spawning and execution controls introduces risks including:
Unsafe or inconsistent agent behavior from missing execution bounds (no timeouts or step counts), allowing subagents to run indefinitely and exhaust compute or API quotas.
Agentic fork-bomb conditions arising from loop-based or recursive spawning with no counter guard, causing uncontrolled replication of child processes.
Prompt/task injection via unvalidated instruction passthrough, raw LLM or upstream agent outputs passed directly to subagents without format verification or assertion checks.
Loss of forensic traceability when spawn events lack correlation or parent-agent identifiers, making incident reconstruction and chain-of-custody auditing impossible.
Resource exhaustion (memory, API budget, concurrency slots) due to absent concurrency limits and unbounded spawning across parallel workflows.
Compliance and governance failures stemming from absent structured audit logs at spawn sites, preventing detection of policy violations and accountability attributi
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Confidentially Impact: Low
Integrity Impact: High
Availability Impact: High
Timeline
Jan 26, 2023 - NIST AI RMF: MANAGE 3.1
Jan 26, 2023 - NIST AI RMF: MEASURE 2.4
Nov 18, 2024 - OWASP LLM Top 10 (v1.1): LLM04
Nov 18, 2024 - OWASP LLM Top 10 (v1.1): LLM01
Dec 2025 - OWASP Agentic Security Initiative Top 10 (2026): ASI08
References
https://genai.owasp.org/initiatives/agentic-security-initiative/
Vulnerability
Continuously detects and remediates critical software weaknesses inside AI assets.
Do not allow dependencies with critical or high severity vulnerabilities
AI_VULN_SEC_001
Violation Summary Allowing AI agents to depend on libraries or packages with known critical or high-severity vulnerabilities introduces a direct and exploitable attack surface into the agent runtime. AI agents typically operate with elevated privileges, access sensitive data, invoke tools, and interact with external systems. Vulnerable dependencies can be exploited to execute arbitrary code, escalate privileges, leak secrets, poison agent behavior, or compromise downstream systems—often without direct interaction with the LLM itself.
Affected Assets
AI Agent
MCP Server
LLM
Severity
Critical
Technical Details
Using dependencies with critical or high vulnerabilities introduces several risks including:
Remote code execution or arbitrary command execution within the agent environment
Credential theft, token leakage, or exposure of secrets used by the agent
Supply-chain attacks where malicious code is introduced via compromised packages
Manipulation or poisoning of agent logic, tool invocation, or decision flows
Lateral movement across systems accessed by the agent
Persistence mechanisms established through compromised libraries
Inability to trust agent outputs or actions due to compromised runtime integrity
Violations of secure development, patch management, and risk-management obligations
Attack Vector: Vulnerable third-party dependency / supply-chain compromise Attack Complexity: Low Privileges Required: None (exploits often execute with agent privileges) User Interaction: None Confidentiality Impact: Critical Integrity Impact: Critical Availability Impact: Medium to High
Frameworks
OWASP LLM: LLM05, LLM08
OWASP ASI: ASI-05
NIST SSDF: Practice RV.1
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://csrc.nist.gov/pubs/sp/800/218/final
Do not allow critical or high vulnerabilities in the code
AI_VULN_SEC_002
Violation Summary The presence of vulnerabilities in application or agent code introduces direct security risks that can be exploited to compromise confidentiality, integrity, and availability. Vulnerable code paths—such as injection flaws, insecure deserialization, broken authentication, improper authorization, or unsafe file handling—can be abused by attackers to execute arbitrary code, access sensitive data, manipulate AI behavior, or disrupt operations. In AI and agent-based systems, these vulnerabilities are especially dangerous because compromised code can influence autonomous decisions and propagate impact across multiple systems.
Affected Assets
AI Agent
MCP Server
LLM
Severity
Critical
Technical Details
Having vulnerabilities in code introduces several risks including:
Remote code execution or command injection through exploitable code paths
Unauthorized access to sensitive data, credentials, or internal APIs
Manipulation of AI agent logic, reasoning flows, or tool invocation
Privilege escalation or bypass of authorization controls
Lateral movement across integrated systems and services
Persistence mechanisms established through exploited vulnerabilities
Loss of trust in application outputs and automated decisions
Violations of secure development lifecycle and regulatory requirements
Attack Vector: Vulnerable application or agent code Attack Complexity: Low to Medium (depending on vulnerability type) Privileges Required: None (for many common vulnerabilities) User Interaction: None or minimal Confidentiality Impact: Critical Integrity Impact: Critical Availability Impact: Medium to High
Frameworks
OWASP LLM: LLM05, LLM08
OWASP ASI: ASI-05
NIST SSDF: Practice RV.2
References
https://genai.owasp.org/llm-top-10/ https://genai.owasp.org/initiatives/agentic-security-initiative/ https://csrc.nist.gov/pubs/sp/800/218/final
Enforce foundation model identity, version pinning, and approved model registry for all AI workloads
AI_VULN_SEC_005
Violation Summary
Using unverified, unversioned, or unregistered foundation models exposes the system to supply-chain compromise, silent model swaps, and untracked behavioral drift. AI risk management third-party supply chain controls and pre-trained model monitoring expectations require every model loaded at inference or fine-tuning time to be resolved from an approved registry with cryptographic identity verification and pinned versions.
Affected Assets
AI Model
AI Agent
MCP Server
LLM
Severity
Critical
Technical Details
Missing foundation model identity, version pinning, and approved model registry for all AI workloads controls introduces risks including:
Loading models from arbitrary, unregistered URLs or paths exposes the system to malicious or tampered artifacts and supply-chain compromise.
Allowing user input or prompt text to select active models or failing to verify cryptographic hashes/signatures against a known-good manifest, permits unauthorized execution and silent model swaps.
Using mutable tags (like `latest`) instead of immutable identifiers or digest pins causes untracked behavioral drift, making it impossible to guarantee consistent model behavior over time.
Serving predictions without recording the resolved model identifier and version in request metadata prevents effective forensic readiness, monitoring, and accountability.
Failing open and proceeding to load models when registry lookups or hash verifications fail bypasses critical security gates and leads to insecure fallback states.
Attack Vector: Network
Attack Complexity: Medium to High
Privileges Required: High
User Interaction: None
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Timeline
Jan 26, 2023 — NIST AI RMF 1.0: GOVERN 4 and MAP 4.2.
Nov 18, 2024 — OWASP-LLM: LLM01 (Prompt Injection), LLM06 (Sensitive Information Disclosure), LLM08 (Excessive Agency)
March 2025 — OWASP-ASI: ASI-03 (Identity & Privilege Abuse); related themes ASI-01, ASI-04, ASI-07, ASI-09
References
https://genai.owasp.org/llm-top-10/
https://genai.owasp.org/initiatives/agentic-security-initiative/
Last updated