OWASP Updates GenAI Security Project with New 21‑Risk Matrix and Tool Guidance
What Happened — The Open Web Application Security Project (OWASP) released an updated GenAI Security Project, introducing a matrix that catalogs 21 distinct generative‑AI risks and maps each to recommended mitigation tools. The guidance explicitly separates defensive strategies for generative AI from those for emerging agentic AI systems.
Why It Matters for TPRM —
- Provides a vendor‑agnostic risk taxonomy that can be embedded into third‑party assessments.
- Highlights control gaps that many AI service providers still overlook, raising supply‑chain exposure.
- Enables procurement teams to demand concrete evidence of risk‑specific safeguards from AI vendors.
Who Is Affected — Organizations across all sectors that integrate generative AI or agentic AI services, especially SaaS providers, fintech firms, health‑tech companies, and cloud‑hosted AI platforms.
Recommended Actions —
- Map existing AI‑related third‑party contracts against the OWASP 21‑risk matrix.
- Request vendors’ tool‑usage evidence and remediation processes for each identified risk.
- Update internal AI governance policies to reflect the separate treatment of generative vs. agentic AI controls.
Technical Notes — The update does not reference specific CVEs; instead it enumerates risk categories (e.g., prompt injection, model poisoning, data leakage) and aligns each with open‑source or commercial mitigation tools.
Source: Dark Reading