Prompt injection has sat at number one on the OWASP LLM Top 10 for three editions running — 2023, 2024, and 2025 — and it hasn’t moved. Not because nobody noticed, and not because defenders gave up. It’s a structural problem, and the rapid adoption of agentic AI has been expanding the attack surface faster than defences can keep up. This article breaks down what LLM01 actually means, why it’s still top of the list, and what autonomous agents have to do with it. It’s the foundational vocabulary you need for the broader 2026 production injection landscape.
What Is Prompt Injection and How Does OWASP Define LLM01?
Prompt injection is an attack where malicious instructions embedded in model inputs cause an LLM to override what the developer told it to do. The model follows the attacker’s instructions because, from its perspective, there’s no structural difference between a developer’s prompt and an attacker’s content. It can’t tell them apart.
OWASP designates this as LLM01 — the top-ranked risk on the OWASP LLM Top 10, a community-maintained list of the ten most critical security risks for LLM applications. First published in 2023 and maintained by the OWASP GenAI Security Project, it’s the primary classification authority for LLM security risk — the vocabulary used in compliance frameworks, procurement processes, and engineering security reviews.
LLM01 covers two sub-types:
- Direct prompt injection: adversarial instructions submitted through the model interface. Jailbreaking is the most visible form, but LLM01 covers the broader category.
- Indirect prompt injection (IDPI): malicious instructions embedded in external data the model retrieves and processes — documents, web pages, database records, email bodies — without the attacker ever touching the model.
Here’s the structural bit that matters. SQL injection was solved by parameterised queries — a hard boundary between code and data. No equivalent exists for natural-language models. The instruction channel and the data channel are the same channel. That’s an architectural property of transformer-based models, not a bug waiting for a patch.
How Did Prompt Injection End Up at the Top of the OWASP Rankings — and Stay There?
The OWASP LLM Top 10 comes out of a community-driven scoring process that weights risks by prevalence, exploitability, technical impact, and business impact.
Prompt injection scores highest on exploitability every single edition: no specialised tooling required, works across model families, low barrier to entry. And there’s no patch — every new LLM deployment goes into production carrying the same exposure.
LLM01 hasn’t been displaced because the threat has grown, not because defenders have been asleep. The 2025 edition confirmed the ranking was unchanged despite two years of defensive tooling. That’s ongoing consensus, not inertia.
And the compliance consequences are real. Insurance underwriters, enterprise procurement questionnaires, and board-level risk frameworks reference the LLM Top 10 as a baseline. No documented prompt injection controls means exposure — not just technical exposure, but compliance and procurement exposure too.
Direct vs. Indirect Injection — Why the 2026 Threat Is Mostly Indirect
Direct prompt injection is visible and attributable — adversarial input submitted through the model interface. It’s easier to monitor because it originates from user-supplied input.
Indirect prompt injection (IDPI) works differently. The attacker embeds malicious instructions in an external data source — a document retrieved by a summariser, a web page fetched by a browser agent, an email body. The model retrieves the data as part of a legitimate task, encounters the embedded instructions, and follows them. The attacker never touches the model.
In 2026, IDPI is the dominant production threat. Enterprise LLM deployments are ingesting external content: RAG-fed knowledge bases, document processing pipelines, agentic email assistants, multi-step research agents. Every external data source is a potential injection surface.
The mechanism is what’s called the confused deputy problem: the LLM is a trusted intermediary with elevated permissions, and it gets manipulated into using them on behalf of an attacker. Input validation fails at scale — the attack surface is every document, URL, or data source the model touches.
What Unit 42 actually found in the wild in March 2026 confirms IDPI as the dominant in-the-wild attack form.
How LLM01 and LLM06 (Excessive Agency) Combine in Real Attack Chains
Prompt injection’s worst-case consequences show up in combination with LLM06 — Excessive Agency: AI agents operating with more permissions than their tasks actually require.
Here’s how it plays out. An agentic assistant with access to email and a document repository is asked to summarise a third-party document. That document contains embedded injection instructions directing the agent to forward sensitive files externally. The agent processes the injected instructions and executes them — because it had permissions it didn’t need for a summarisation task.
Without LLM06, the injected instruction has nowhere to go. Without LLM01, excessive permissions just sit dormant. The combination is the production risk.
The OWASP Top 10 for Agentic Applications (2026) is the institutional acknowledgment of this — a companion framework that wouldn’t need to exist if the original LLM Top 10 adequately covered agentic risk. Related risks — LLM02 (Sensitive Information Disclosure), LLM03 (Supply Chain), LLM08 (Over-Permissioned Agents) — all intersect with LLM01 in agentic architectures.
For what happens when it escalates beyond data leakage, see how injection escalates beyond data leakage to remote code execution.
What Compliance Frameworks Say About Prompt Injection Risk
Three major frameworks turn the LLM01 ranking from a technical advisory into a compliance requirement.
NIST AI 600-1 / NIST AI RMF identifies adversarial inputs including prompt injection as a primary AI risk category. Alignment with US federal guidance means documented controls.
ISO 42001, the international AI management systems standard, requires identifying and managing AI-specific risks. It’s increasingly cited in enterprise procurement questionnaires — which means documented LLM01 management is becoming a barrier to enterprise sales in regulated verticals.
EU AI Act high-risk AI systems must meet robustness and security requirements. Prompt injection in systems informing consequential decisions — credit, hiring, healthcare — is a compliance exposure whether or not the Act names it explicitly.
None of these frameworks tell you exactly what controls to implement. All of them require evidence that risk has been identified, assessed, and addressed. The OWASP ranking gives you the vocabulary — and for how prompt injection industrialised in 2026, there’s more to dig into.
What Has Changed Since 2023 — and What Has Not
In 2023, the attack surface was mostly the single-model chatbot. By 2026, production deployments are largely agentic — multi-step pipelines with tool access, RAG-fed document processors, email and calendar agents with broad system permissions. Each one is a new IDPI surface that didn’t exist at scale three years ago. The OWASP Top 10 for Agentic Applications (2026) signals this plainly — the taxonomy had to grow because the threat did.
What hasn’t moved is the architectural constraint. LLMs have no native mechanism to distinguish developer instructions from untrusted data. Instructions and data both arrive as natural language. That’s an architectural property of transformer-based models, not something a patch can address.
Mitigations have improved — guardrails, output filtering, context window monitoring, privilege-separation architectures. But all of them are probabilistic. Red team exercises consistently demonstrate bypass within weeks of new control deployment. Defence in depth is the operational reality; no single control is sufficient.
The honest answer to “why is it still #1” is this: the deployment surface has grown faster than structural mitigations have developed, and structural mitigations may not be achievable within current model architectures. For evidence on how injection attacks actually played out in production through early 2026, see the broader 2026 production injection landscape.
FAQ
What is the OWASP LLM Top 10? A community-maintained list from the Open Worldwide Application Security Project ranking the ten most critical security risks for LLM applications. It’s been used as a baseline in compliance, procurement, and engineering risk assessments since 2023.
What does LLM01 mean? OWASP’s designation for prompt injection as the number-one LLM risk. The label shows up in compliance frameworks, procurement questionnaires, and security audits.
Why can’t prompt injection just be patched? There’s no structural separation between the instruction channel and the data channel in natural-language models. SQL injection was solved by parameterised queries — no equivalent exists for LLMs.
What is indirect prompt injection? Malicious instructions embedded in external data the model retrieves — documents, web pages, database records — rather than typed directly by a user. The model encounters the instructions and follows them without the attacker ever touching the system.
Is jailbreaking the same as prompt injection? Jailbreaking is a sub-type of direct prompt injection that targets safety constraints. LLM01 covers a broader surface; jailbreaking is the most visible form but not the most enterprise-relevant one.
How does agentic AI make prompt injection more dangerous? Agentic AI gives injected instructions real-world capabilities — tool access, API calls, file operations. Combined with Excessive Agency (LLM06), a successful injection triggers automated actions across multiple systems with no human checkpoint in sight.
What is the difference between LLM01 and LLM06? LLM01 is the injection vulnerability; LLM06 is Excessive Agency — the agent operating with more permissions than its task requires. Injection provides the hijack; excessive agency determines how far it travels.
Where is the official OWASP LLM Top 10 list? Published at owasp.org by the OWASP GenAI Security Project. The 2025 edition is current; the OWASP Top 10 for Agentic Applications (2026) is a companion framework for agentic architectures.
Does the EU AI Act cover prompt injection? Not by name, but its robustness requirements for high-risk AI systems encompass it as a failure mode. If you’re deploying LLMs in high-risk classifications, document that you’ve assessed and addressed the risk — the OWASP LLM01 ranking gives you the vocabulary to do that.
