OWASP Top 10 for LLMs and Bizzi controls
The OWASP Top 10 for Large Language Model Applications is the backbone of Pillar V. Every risk class on the list maps to at least one named Bizzi control in this pillar. Where a class is mitigated only in part, we say so. The point of this section is not to claim coverage. It is to give an auditor a single page that pins each OWASP risk to the exact Bizzi section addressing it.
Why OWASP-LLM is the backbone
Section titled “Why OWASP-LLM is the backbone”- Community-maintained. Authored by working security practitioners, not a single vendor. No conflict of interest in what gets included or how it is framed.
- Updated against the threat environment. OWASP Foundation re-baselines the list against current attack patterns rather than on a fixed schedule.
- Recognised by audit partners. Enterprise security reviews and SOC 2 assessors already speak this vocabulary. Mapping to it removes translation overhead.
- Cross-referenced by other standards. ISO/IEC 42001 and NIST AI RMF both reference OWASP-LLM, so a single mapping serves multiple compliance regimes.
The mapping
Section titled “The mapping”| OWASP-LLM | Risk in one line | Bizzi control | Section |
|---|---|---|---|
| LLM01 Prompt Injection | Attacker manipulates input to bypass the system prompt | Input Guardrails + <user_data> context separation + output validation | §3 |
| LLM02 Insecure Output Handling | Downstream code trusts LLM output (SQL, HTML, shell) | Text-to-SQL sandbox, output validation pipeline, render-time escaping | §8 |
| LLM03 Training Data Poisoning | Poisoned training data plants a backdoor | 100% Internal QA gating, source attestation, lineage tracking | §4, §5 |
| LLM04 Model Denial of Service | Expensive prompts exhaust quota or budget (Denial of Wallet) | Per-tenant / per-IP rate limits, token complexity check, cost ceiling | §10 |
| LLM05 Supply Chain Vulnerabilities | Compromised library, model, or labelled dataset | Model Registry, vendor risk management (Pillar II §6), signed weights | §6 |
| LLM06 Sensitive Information Disclosure | LLM leaks PII, system prompt, or cross-tenant data | PII Redaction at input and output, system-prompt protection | §7 |
| LLM07 Insecure Plugin Design | A tool or plugin holds rights it does not need | MCP layer (Pillar IV §12) + Agent RBAC | §9 |
| LLM08 Excessive Agency | Agent acts with privileges the user does not hold | Access Token inheritance. No superadmin agent under any circumstance | §9 |
| LLM09 Overreliance | User over-trusts AI output | Confidence scores, mandatory HITL for high-value decisions | Pillar III §3, §7 |
| LLM10 Model Theft | Model weights exfiltrated and reused or reverse-engineered | Vendor agreements, encryption at-rest, no model-download endpoint | §6 |
What “mapped” means here
Section titled “What “mapped” means here”We do not claim 100% mitigation of any risk class. Zero-days exist. Strong adversaries bypass single layers. What we claim is this. For each OWASP-LLM class, Bizzi has at least one named control with a named owner, and the control is exercised against red-team scenarios on a defined cadence. The Standards callout at the end of each Pillar V section names the OWASP IDs that section addresses, so the mapping is enforced inline, not only in this index.
What OWASP-LLM does not cover
Section titled “What OWASP-LLM does not cover”OWASP-LLM is necessary but not sufficient. Today it does not cover:
- Agentic-specific risks beyond plugin design. Goal misalignment, autonomous escalation, multi-agent collusion.
- Traditional ML (non-LLM) failure modes. Adversarial examples on tabular models, evasion in vision pipelines.
- The full operational surface. Incident response, kill-switch design, and platform ISMS sit underneath OWASP rather than inside it.
Pillar V covers the gaps. §1 (Threat Model) frames what OWASP omits. §11 (Kill-switch) and §12 (Incident Response) give us the containment story OWASP does not provide. §13 (Platform Security) anchors the whole pillar to ISO/IEC 27001.