How do I map the OWASP LLM Top 10 to NIST AI RMF and ISO/IEC 42001 controls for an audit?
To map OWASP LLM Top 10 risks to NIST AI RMF and ISO/IEC 42001 controls for an audit, organizations should identify the specific controls that mitigate each OWASP risk across the AI system lifecycle and governance structure. In practice, this means cross-referencing the description and suggested controls for each OWASP LLM Top 10 item with the functions and controls outlined in NIST AI RMF and ISO/IEC 42001.
Here are concrete controls and their mappings:
- OWASP LLM01 Prompt Injection can be mitigated by evaluating AI system security and resilience, including prompt-injection resistance, as per NIST-MEASURE-2.7. Controls include input/instruction separation, trust boundaries on retrieved/tool content, and adversarial testing.
- OWASP LLM02 Sensitive Information Disclosure is addressed by data privacy considerations, which cross-map to NIST GenAI "Data privacy". Practical controls involve input/output scrubbing and redaction, data minimization, strict RAG-source scoping, and tenant isolation.
- OWASP LLM03 Supply Chain risks are covered by NIST-GOVERN-6.1 (Third-party / supply-chain risk policy) and ISO/IEC 42001 A.10 (Third-party relationships). This requires tracking provenance, licensing, and model-update risks for third-party models, datasets, and tools.
- OWASP LLM04 Data and Model Poisoning is mitigated by ISO/IEC 42001 A.7 (Data for AI systems), which focuses on data governance, provenance, quality, and preparation. NIST-MEASURE-2.7 also cross-maps to model DoS, which can be a result of poisoning. Controls include data-source vetting, integrity checks, and anomaly detection on training data.
- OWASP LLM06 Excessive Agency is addressed by ISO/IEC 42001 A.9 (Use of AI systems), which emphasizes responsible-use controls and human oversight. This also cross-maps to NIST-GOVERN-3.2. Controls include least-privilege tool access, human approval for high-impact actions, and scoped credentials.
- OWASP LLM10 Unbounded Consumption (resource exhaustion/denial-of-wallet) is covered by ISO/IEC 42001 Cl.9 (Performance evaluation), which includes monitoring, measurement, analysis, and evaluation of the AIMS. This cross-maps to NIST-MEASURE-3.1 (Risk tracking over time). Controls include rate limits, quotas, token/spend caps, and abuse detection.
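As an added example (not part of the original answer), the mappings listed above can be kept as a machine-readable crosswalk and checked for gaps before the audit: which Top 10 items have no reference in one of the frameworks, and which mapped items lack an evidence artifact. The evidence register, its field names and the artifact file names are constructed placeholders.

```python
# Added example: crosswalk transcribed from the mappings listed above.
# None means the answer names no reference for that framework.
CROSSWALK = {
    "LLM01": {"nist": "MEASURE-2.7", "iso": None},
    "LLM02": {"nist": 'GenAI "Data privacy"', "iso": None},
    "LLM03": {"nist": "GOVERN-6.1", "iso": "A.10"},
    "LLM04": {"nist": "MEASURE-2.7", "iso": "A.7"},
    "LLM06": {"nist": "GOVERN-3.2", "iso": "A.9"},
    "LLM10": {"nist": "MEASURE-3.1", "iso": "Cl.9"},
}
ALL_ITEMS = [f"LLM{n:02d}" for n in range(1, 11)]

# Constructed sample evidence register (hypothetical entries, not from the page).
EVIDENCE = [
    {"item": "LLM01", "control": "adversarial testing", "artifact": "redteam-report-placeholder.pdf"},
    {"item": "LLM06", "control": "human approval for high-impact actions", "artifact": "approval-workflow-placeholder.md"},
    {"item": "LLM10", "control": "rate limits", "artifact": ""},  # control claimed, no artifact
]

def mapping_gaps(crosswalk=CROSSWALK):
    """Return {item: [missing frameworks]} for every Top 10 item with an incomplete mapping."""
    gaps = {}
    for item in ALL_ITEMS:
        refs = crosswalk.get(item, {})
        missing = [fw for fw in ("nist", "iso") if not refs.get(fw)]
        if missing:
            gaps[item] = missing
    return gaps

def audit_status(evidence=EVIDENCE, crosswalk=CROSSWALK):
    """Classify each item as 'unmapped', 'no-evidence' or 'evidenced'."""
    backed = {e["item"] for e in evidence if e["artifact"].strip()}
    status = {}
    for item in ALL_ITEMS:
        if item not in crosswalk:
            status[item] = "unmapped"
        elif item in backed:
            status[item] = "evidenced"
        else:
            status[item] = "no-evidence"
    return status

if __name__ == "__main__":
    for item, missing in mapping_gaps().items():
        print(f"{item}: no reference for {', '.join(missing)}")
    for item, state in audit_status().items():
        print(f"{item}: {state}")
```

Items reported as `unmapped` are Top 10 entries the list above does not cover, so they need their own control mapping before the crosswalk is presented to an auditor.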
This AI-generated answer is for guidance only — not a certification, audit, or penetration test. Grounded in the NIST AI RMF, OWASP LLM Top 10, and ISO/IEC 42001 control text; verify applicability to your environment.