[ISM] LLM risk mitigation (OWASP Top 10):

The OWASP Top 10 for Large Language Model Applications are mitigated in the development of large language model applications.

[OWASP] Prevent sensitive information disclosure (SSS-02-05-02)

Prevent the disclosure of sensitive information, including personally identifiable information (PII), financial data, proprietary algorithms, and business-critical data, by implementing strong data protection and access control measures. Ensure that LLM applications use data sanitization, privacy-preserving techniques, and secure system configurations to mitigate risks of unintended data exposure.

[OWASP] Minimize sensitive information disclosure (SSS-02-05-02-01)

To minimize sensitive information disclosure, LLM applications should implement data sanitization techniques to prevent user-provided data from being used in training models. Input validation must be applied to detect and filter out confidential or personally identifiable data before processing. Access controls should follow the principle of least privilege, ensuring that only necessary components have access to sensitive data. External data sources should be restricted to prevent runtime data leaks, and federated learning should be used to decentralize data collection and reduce exposure risks. Differential privacy techniques should be incorporated to obscure identifiable data points, preventing attackers from reconstructing confidential information. System configurations should be secured by limiting access to internal model settings and ensuring that misconfigurations do not expose sensitive details. Transparency must be maintained through clear data policies that give users control over their data and an opt-out mechanism for training inclusion. Advanced encryption methods such as homomorphic encryption and tokenization should be used to protect data throughout the LLM pipeline.

Operations

ID | Operation | Description | Phase | Agent
--- | --- | --- | --- | ---
SSS-02-05-02-01-01 | Implement data sanitization and redaction techniques | Apply automatic redaction and tokenization methods to remove sensitive information from inputs before processing. | Development | Security team, AI engineers
SSS-02-05-02-01-02 | Enforce strict access control policies | Apply least privilege principles and restrict unauthorized access to confidential data through role-based access controls and secure API gateways. | Deployment | Security team, Legal team
SSS-02-05-02-01-03 | Educate users on safe interactions with LLMs | Provide guidelines and training sessions to inform users about the risks of inputting sensitive data and offer best practices for secure LLM usage. | Post-deployment | Training team
SSS-02-05-02-01-04 | Utilize privacy-preserving machine learning techniques | Apply federated learning and differential privacy mechanisms to ensure that models process data securely while minimizing exposure risks. | Development | AI research team, Privacy team
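An added example (not from the ISM or OWASP text) of the redaction and tokenization step in SSS-02-05-02-01-01 and the input validation described above: a Python pre-processing filter that replaces e-mail addresses and Luhn-valid card numbers with session-scoped tokens before the prompt reaches the model, redacts SSN-shaped values irreversibly, and restores the tokens in the reply inside the application boundary. The regex patterns, token format and in-memory vault are assumptions for illustration.

```python
import re
import secrets

# Constructed example: sanitize a user prompt before it is sent to an LLM,
# and restore tokenized values in the model's reply for the same session only.

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# 13-19 digits with optional single space/hyphen separators; confirmed by Luhn below
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # US SSN shape: redacted, never tokenized


def luhn_valid(candidate: str) -> bool:
    """Luhn checksum: rejects most digit runs (order ids, timestamps) that merely look like PANs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class PromptSanitizer:
    """Tokenizes e-mails and card numbers (reversible in-session) and redacts SSNs (irreversible)."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}   # token -> original; lives only for this session

    def _tokenize(self, kind: str, value: str) -> str:
        token = f"<{kind}_{secrets.token_hex(4)}>"   # opaque, carries no part of the value
        self._vault[token] = value
        return token

    def sanitize(self, prompt: str) -> str:
        """Return the prompt with sensitive values removed; this is what the model sees."""
        prompt = SSN_RE.sub("<SSN_REDACTED>", prompt)
        prompt = EMAIL_RE.sub(lambda m: self._tokenize("EMAIL", m.group(0)), prompt)

        def card(m: re.Match) -> str:
            return self._tokenize("CARD", m.group(0)) if luhn_valid(m.group(0)) else m.group(0)

        return CARD_RE.sub(card, prompt)

    def restore(self, model_output: str) -> str:
        """Swap session tokens back to real values inside the trusted application boundary."""
        for token, value in self._vault.items():
            model_output = model_output.replace(token, value)
        return model_output
```

Because SSNs are redacted rather than tokenized, `restore()` cannot reintroduce them; only values the application deliberately chose to make reversible come back.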

References

Industry framework | Academic work | Real-world case
--- | --- | ---
Information Security Manual (ISM-1923) | |
OWASP Top 10 for LLM | |
OWASP Top 10 for LLM (LLM02:2025) | |