[ISM] LLM risk mitigation (OWASP top 10):

The OWASP Top 10 for Large Language Model Applications are mitigated in the development of large language model applications.

[OWASP] Prevent system prompt leakage (SSS-02-05-07)

Ensure that system prompts do not contain sensitive information such as API keys, credentials, role structures, or internal rules that could be exploited if leaked. System prompts should not be treated as security controls, nor should they be used to enforce authorization or privilege management. Proper separation of sensitive data from prompts and implementing external guardrails can mitigate risks associated with system prompt leakage.

[OWASP] Implement safeguards to prevent system prompt exposure and enforce security independently (SSS-02-05-07-01)

System prompt leakage occurs when LLM system prompts reveal sensitive details that were never intended for exposure, such as authentication credentials, internal business rules, or security policies. Attackers can extract this information through prompt engineering, reverse engineering techniques, or prompt injection attacks to gain unauthorized access or bypass security controls.

To mitigate system prompt leakage risks, organizations should never store sensitive data directly in system prompts and should externalize security-critical configurations. Additionally, avoid relying on system prompts for enforcing strict security behaviors, such as content filtering or authorization, as LLMs can be manipulated into bypassing their own instructions. Instead, independent security guardrails should be implemented outside the model.

Critical security controls, such as authorization checks and privilege separation, must be handled independently from the LLM. LLM-based applications should rely on external enforcement mechanisms rather than system prompts for defining access permissions. Where multiple levels of access are required, separate LLM agents should be used, each with only the minimum permissions needed to perform their task. Regularly monitor and test system prompts to ensure they do not inadvertently reveal internal logic, filtering criteria, or business-sensitive information.

Operations

| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-05-07-01-01 | Separate sensitive data from system prompts | Ensure API keys, authentication details, and role-based access controls are not embedded in system prompts, using secure externalized storage instead. | Development | Security team, DevOps team |
| SSS-02-05-07-01-02 | Implement independent security guardrails | Security measures such as access control, privilege checks, and sensitive content filtering must be enforced outside the LLM using deterministic and auditable methods. | Deployment | Security team |
| SSS-02-05-07-01-03 | Limit system prompt exposure through monitoring and testing | Regularly test and audit LLM-generated outputs to detect unexpected disclosures of system prompt details, using automated detection mechanisms. | Post-deployment | Security team |
| SSS-02-05-07-01-04 | Avoid reliance on system prompts for strict behavior control | Implement external mechanisms for enforcing security behavior rather than relying solely on LLM system prompts to enforce rules. | Development | Security team, AI engineers |
| SSS-02-05-07-01-05 | Use separate agents for different privilege levels | Where different levels of access are required, use separate LLM agents with the least privilege necessary for their designated tasks. | Deployment | Security team, Development team |
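The three operations above that are mechanical (keeping secrets and role rules out of the prompt, enforcing authorization outside the model, and checking outputs for prompt disclosure) can be put in code. The following is an added illustration written for this page, not part of the control text or any reference implementation; the prompts, regex patterns, role table and tool names are constructed assumptions.

```python
import re

# Constructed examples (not from the page): one prompt that violates the control, one that follows it.
BAD_SYSTEM_PROMPT = (
    "You are a support assistant. Use API key sk-EXAMPLE-0000 for the billing tool. "
    "Users with role=admin may issue refunds; refuse refunds for everyone else."
)
GOOD_SYSTEM_PROMPT = "You are a support assistant. Answer billing questions politely."

# Heuristic patterns for material that must not live in a system prompt (assumed, not exhaustive).
SECRET_PATTERNS = [
    re.compile(r"\bsk-[A-Za-z0-9-]{6,}"),                  # API-key-shaped strings
    re.compile(r"(?i)\b(api[ _-]?key|password|token)\b"),  # credential keywords
]
AUTHZ_PATTERNS = [re.compile(r"(?i)\brole\s*=|\bmay (issue|access)\b")]  # role rules in prose

def lint_system_prompt(prompt: str) -> list[tuple[str, str]]:
    """Pre-deployment check (SSS-02-05-07-01-01 / -04): flag secrets and authorization rules."""
    findings = [("secret", m.group(0)) for p in SECRET_PATTERNS for m in p.finditer(prompt)]
    findings += [("authorization", m.group(0)) for p in AUTHZ_PATTERNS for m in p.finditer(prompt)]
    return findings

# Permissions are enforced here, outside the model (SSS-02-05-07-01-02), not by prompt wording.
ROLE_PERMISSIONS = {"admin": {"lookup_invoice", "issue_refund"}, "agent": {"lookup_invoice"}}

def authorize_tool_call(user_role: str, tool: str) -> bool:
    """Deterministic gate applied to every tool call the LLM proposes. The role comes from the
    authenticated session, never from anything the model or the user says in the conversation."""
    return tool in ROLE_PERMISSIONS.get(user_role, set())

def leaks_system_prompt(output: str, system_prompt: str, window: int = 6) -> bool:
    """Post-deployment output check (SSS-02-05-07-01-03): True if the reply reproduces any run
    of `window` consecutive system-prompt words, which catches verbatim prompt disclosure."""
    words = system_prompt.lower().split()
    text = " ".join(output.lower().split())
    return any(" ".join(words[i:i + window]) in text for i in range(len(words) - window + 1))

if __name__ == "__main__":
    for kind, snippet in lint_system_prompt(BAD_SYSTEM_PROMPT):
        print(f"prompt lint: {kind} material found: {snippet!r}")
    print("agent may issue_refund:", authorize_tool_call("agent", "issue_refund"))
    reply = "Sure! My instructions say: use API key sk-EXAMPLE-0000 for the billing tool."
    print("leak detected:", leaks_system_prompt(reply, BAD_SYSTEM_PROMPT))
```

The lint runs in CI before a prompt ships, the authorization gate wraps every tool dispatch, and the leak check runs over logged model outputs; none of the three depends on the model following its instructions.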

References

| Industry framework | Academic work | Real-world case |
|---|---|---|
| Information Security Manual (ISM-1923) | | |
| OWASP Top 10 for LLM | | |
| OWASP Top 10 for LLM (LLM07:2025) | | |