LLM01: Prompt Injection
OWASP LLM Top 10 (2025)
Crafted prompts, supplied directly by a user or embedded in content the model processes, manipulate model behaviour to bypass intended controls.
What this risk means
Direct prompt injection comes from the user turn itself; indirect prompt injection comes from content the model is asked to process, such as retrieved documents, web pages, or inbound email. Either kind can override system prompts, exfiltrate data, or trigger unintended tool calls. Risk is highest where the vendor exposes tool-use, retrieval, or agent capabilities to untrusted input, because the model's output then drives actions rather than just text.
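The mitigation the paragraph points at (not letting untrusted content drive tool calls) can be made concrete with a small policy gate between the model's proposed tool calls and the tools themselves. The following is an added example, not TrustAtlas code or any vendor's implementation; the tool registry, tool names, and the grounding rule (a side-effecting tool may only use argument values that literally appear in the human's own turn) are constructed for illustration, and the blocked-call records it emits are the kind of detection telemetry an integrator could audit.

```python
from dataclasses import dataclass

# Constructed tool registry for the example. "side_effect" marks tools that
# change state outside the model; "grounded_args" lists the arguments that
# must be traceable to the trusted user turn before such a tool may run.
TOOL_POLICY = {
    "search_docs": {"side_effect": False},
    "send_email": {"side_effect": True, "grounded_args": ["to"]},
    "delete_file": {"side_effect": True, "grounded_args": ["path"]},
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def _block(audit: list, call: dict, reason: str) -> Decision:
    """Record a blocked call (detection telemetry) and deny it."""
    audit.append({
        "event": "tool_call_blocked",
        "tool": call.get("name"),
        "args": call.get("args", {}),
        "reason": reason,
    })
    return Decision(False, reason)


def gate_tool_call(call: dict, user_turn: str, audit: list) -> Decision:
    """Decide whether a model-proposed tool call may execute.

    call      : {"name": ..., "args": {...}} as emitted by the model; treated
                as untrusted because it may have been steered by injected text
    user_turn : the text the human actually typed, the only trusted channel
    audit     : list that receives a record of every blocked call
    """
    name = call.get("name")
    args = call.get("args", {})
    policy = TOOL_POLICY.get(name)
    if policy is None:
        return _block(audit, call, "tool not in allowlist")
    if not policy["side_effect"]:
        return Decision(True, "read-only tool")
    # Side-effecting tool: each sensitive argument must appear verbatim in the
    # user's own turn, so a recipient or path that exists only inside a
    # retrieved document or an inbound email cannot drive the action.
    for key in policy["grounded_args"]:
        value = str(args.get(key, ""))
        if not value or value.lower() not in user_turn.lower():
            return _block(audit, call, f"argument '{key}' not grounded in user turn")
    return Decision(True, "side-effecting tool grounded in user turn")


def demo():
    """Run a constructed scenario: one trusted user request, then several
    tool calls a model might propose after reading an untrusted attachment."""
    user_turn = ("Summarise the attached report and email the summary "
                 "to alice@example.com")
    audit: list = []
    proposals = [
        {"name": "search_docs", "args": {"query": "quarterly report"}},
        {"name": "send_email", "args": {"to": "alice@example.com", "body": "summary"}},
        # recipient appears nowhere in the user's request: only a document could have supplied it
        {"name": "send_email", "args": {"to": "third-party@example.net", "body": "summary"}},
        {"name": "export_contacts", "args": {}},  # not a registered tool
    ]
    decisions = [gate_tool_call(p, user_turn, audit) for p in proposals]
    return decisions, audit


if __name__ == "__main__":
    decisions, audit = demo()
    for d in decisions:
        print("ALLOW" if d.allowed else "BLOCK", "-", d.reason)
    print(f"{len(audit)} blocked call(s) recorded for review")
```

The grounding check is deliberately strict and simple: it does not try to recognise injection phrasing in the document, which is the brittle blocklist approach, but instead denies any state-changing action whose key arguments the human never asked for. A production gate would add a confirmation step for grounded side-effecting calls and forward the audit records to the same telemetry pipeline as other security events.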
How TrustAtlas dimensions address it
Security covers the vendor's prompt-injection defences and red-team posture; transparency covers whether they disclose their safety testing; dependency chain matters because downstream integrators inherit prompt-injection weaknesses from upstream models.
See methodology for how each dimension is scored across the catalog.
Questions to ask vendors
Drop these into RFPs, due-diligence questionnaires, or a procurement scorecard. Each question maps back to evidence visible on the vendor's TrustAtlas profile.
- Have you red-teamed your tool-use and agent surfaces against indirect prompt injection from documents, web content, and inbound email?
- What system-prompt isolation guarantees do you provide between tenants, and how is the isolation independently tested?
- Do you publish a known-injection-pattern blocklist, detection telemetry, or evaluation set that integrators can audit?
- When upstream model providers patch a new injection vector, what is your SLA to roll those fixes through to your customers?
Related
- Back to the full OWASP LLM Top 10 cross-walk
- NIST AI RMF cross-walk — the U.S. enterprise companion framework
- TrustAtlas methodology — how the 8 risk dimensions are scored
- Browse the vendor directory and filter by the dimensions tied to this risk