Securing LLMs: Cyera’s AI Guardian and the OWASP Top Ten 2025

Modern organizations must empower LLM adoption without compromising security or trust. OWASP’s 2025 LLM Top Ten highlights the nuanced vulnerabilities emerging from the complexity of AI systems. Cyera’s AI Guardian—combining AI Security Posture Management and AI Runtime Protection—delivers continuous visibility and enforcement across every stage: from training pipelines to live outputs. With Omni DLP amplifying data protection, LLM confidentiality, integrity, and reliability become enforceable.

Key benefits:

• Full visibility: Catalog all AI tools, including external AI products like ChatGPT, embedded AI apps like Copilot, and homegrown AI tools built on platforms like Amazon Bedrock.
• Governance made simple: Security, compliance, and business stakeholders gain confidence that LLM backed services follow the policies you define.
• Real-time intelligence: Alerts on risky prompts, outputs, and data flows help teams respond quickly.
  
  
• Reduced risk, accelerated adoption: Teams can innovate with AI while reducing prompt injection, data leakage, and misuse, with enforcement through Cyera data security policies and remediations..

This article will walk you through each of OWASP Top Ten for LLMs, briefly describing both the nature of the vulnerability and insights from a new 2025 State of AI Data Security Report by Cybersecurity Insiders, in conjunction with Cyera Research Labs (the Report). We’ll also see how Cyera can help mitigate your exposure. 

LLM01 2025: Prompt Injection

Prompt injection occurs when malicious inputs—visible or hidden—manipulate an LLM to override safety rules, expose sensitive data, or take unwarranted actions. Both direct (user prompts) and indirect (embedded in external content) injections can trick the model into ignoring system constraints. According to the Report, more than half of respondents named prompt injection as their top concern.

AI Guardian’s AI Runtime Protection monitors inputs in real time, labels untrusted sources, and quarantines suspicious prompts. Coupled with AI SPM, it enforces strict policy segmentation—ensuring system instructions remain isolated from user content. Omni DLP further scans for concealed payloads, preventing prompt-based manipulation before they reach the model.

LLM02 2025: Sensitive Information Disclosure

LLMs can inadvertently reveal proprietary algorithms, IP, or personal data—whether leaked during training, fine-tuning, or in responses. Exposing internal code, investment strategies, or business secrets can lead to serious privacy and competitive risks. 

The danger isn’t theoretical. According to the Report, 86 percent of respondents say they’re concerned about AI leaking sensitive data, and two-thirds have already discovered AI tools accessing data they didn’t need.

AI SPM tracks where sensitive data resides and which AI assets have access to it, enforcing minimal exposure. Runtime Protection redacts or flags outputs that risk disclosing protected assets. Omni DLP adds another layer, scanning for exfiltration attempts and ensuring private data doesn’t leave the system.

LLM03 2025: Supply Chain

Threats in the development or deployment pipeline—e.g., compromised third-party models, plugins, or SDKs—can introduce hidden malware or backdoors. One weak link like a malicious library can undermine the entire LLM ecosystem.

AI SPM continuously assesses dependencies and code sources for anomalies, flagging unusual behavior or unauthorized changes. At runtime, the system detects unauthorized plugin calls or suspicious external model use, quarantining compromised components before they can affect production.

LLM04 2025: Data and Model Poisoning

Adversaries can inject malicious or biased data into training or fine-tuning datasets—triggering backdoors or skewing model behavior. Such poisoning may remain hidden until specific inputs activate harmful behavior. According to the Report, 40 percent of organizations are concerned about sensitive data finding its way into training datasets.

AI SPM analyzes training pipelines, detects anomalous patterns or outlier data, and enforces validation gates. It can also detect when a training datastore is publicly editable, creating a risk of model poisoning. At runtime, AI Runtime Protection watches for behavior shifts or unexpected biases—alerting teams or rolling back to safe model versions immediately.

LLM05 2025: Improper Output Handling

When generated outputs proceed unchecked—like auto-executing code or forwarding responses—LLMs may trigger unsafe actions or expose vulnerabilities. Improper parsing can also inject harmful content downstream. According to the Report, nearly a quarter of organizations have no prompt or output controls, while another quarter only use output redaction.

AI Runtime Protection intercepts all LLM output and validates it against expected schemas and safety policies before release. AI SPM ensures outputs don’t trigger unauthorized system calls. Omni DLP scans for hidden payloads in outputs, preventing leakage or command injection.

LLM06 2025: Excessive Agency

Granting LLMs broad autonomy—like scheduling, executing tasks, or modifying systems—can lead to harmful autonomous behavior. Without tight control, models might take unintended actions. According to the report, three quarters of respondents say autonomous agents are the hardest AI tools to secure, but only 14 percent have real-time rogue agent detection, and only 11 percent have implemented automated blocking.

AI SPM enforces least-privilege rules, limiting what the LLM can initiate, allowing organizations to securely enable AI. AI Runtime Protection requires policy-based approval or human review when LLMs request elevated actions. This ensures autonomous actions are monitored and controlled.

LLM07 2025: System Prompt Leakage

Leaking internal system prompts (behind-the-scenes instructions that guide LLM behavior) compromises guardrails and empowers attackers to craft more effective manipulations. As mentioned above, nearly a quarter of organizations have no controls in place for monitoring prompts and outputs, leaving them vulnerable to system prompt leakage.

AI Runtime Protection masks system prompts and refrains from including them in outputs. AI SPM enforces strict separation between system messages and user interactions. Monitoring tools alert if internal prompts appear in logs or outputs, enabling immediate remediation.

LLM08 2025: Vector and Embedding Weaknesses

Weaknesses in embedding stores—like non-encrypted vectors or predictable structure—can be exploited to reconstruct data, infer sensitive tokens, or insert malicious embeddings. According to the Report, three-fifths of respondents listed data access risk as a significant concern

AI SPM enforces encryption-at-rest for embedding stores, enforces access controls, and detects anomalous embedding queries. Runtime Protection monitors vector API usage patterns to flag unusual access or tampering, blocking suspicious interactions.

LLM09 2025: Misinformation

LLMs may hallucinate or confidently produce false or misleading content—damaging credibility, spreading disinformation, or impacting decision-making. According to the Report, a third of organizations are worried about hallucinated content finding its way into their information systems.

AI SPM integrates reference validation and fact-check policies, scoring outputs for reliability. Outputs flagged as low-confidence or potentially inaccurate trigger safe-fallback responses or human review. Runtime Protection audits content trends for misinformation patterns, enforcing accuracy over speed.

LLM10 2025: Unbounded Consumption

Uncontrolled inputs or outputs—such as unlimited-length prompts, infinite loops, or excessive concurrent usage—can lead to runaway costs, performance degradation, or denial-of-service conditions. A lack of real-time monitoring and blocking capabilities means guardrails on usage and spend are weak, and as we’ve seen, the Report shows only a small percentage of organizations have real-time rogue agent detection and automated blocking.

AI SPM sets usage thresholds (token limits, concurrency ceilings). Runtime Protection enforces these in real time—throttling, queuing, or rejecting requests that exceed limits. Consumption dashboards alert admins before resource caps are breached, ensuring smooth, cost-controlled operation.

As enterprises deploy LLMs across customer support, internal automation, and product features, these threats will become business-critical. Thankfully, Cyera’s AI Guardian equips teams with the policies, visibility, and defenses needed to transform LLM risks into manageable governance—a foundation of trust for AI-powered progress. To see how Cyera’s AI Guardian can help your organization, schedule a demo today.