OWASP AI Security Guidelines offer a supporting foundation for new UK government AI Security Guidelines

The UK Government Department for Science, Innovation and Technology (DSIT) published its new voluntary Code of Practice (CoP) for the Cyber Security of AI today, January 31. Based on 13 principles, the CoP clarifies the responsibilities of the different AI stakeholders and is, for the first time, structured along the typical AI system lifecycle, from planning through to decommissioning.

DSIT plans to submit the CoP for ETSI standardization and commissioned a supporting implementation guide from John Sotiropoulos, Head of AI Security at Kainos and co-lead of the influential OWASP Top 10 for LLM Applications and Generative AI Security Project.

The Implementation Guide builds upon and extensively references existing guidelines and publications from other organizations, such as the UK's NCSC, the ICO (Information Commissioner's Office), NIST, MITRE, CSA, and OWASP (Open Worldwide Application Security Project).

The OWASP projects and guidelines referenced include the AI Exchange, the Top 10 for ML, and the OWASP Top 10 for LLM Applications and Generative AI Security Project (http://genai.owasp.org/). The latter is widely referenced for its Top 10 LLM and GenAI risks and mitigations, as well as for its comprehensive set of AI security initiatives, resources, and guidelines, including the Security & Governance Checklist for CISOs, the AI Security Centre of Excellence, the AI Security Solutions Landscape, and the Deepfake Response Guide.

We are witnessing a shift in AI security from the "what" to the "how". As AI adoption matures and accelerates, builders and defenders of AI solutions, decision-makers, and other stakeholders are seeking actionable, realistic, in-depth guides that go beyond top-level headline items on one side and exhaustive catalogues of AI controls on the other.

“Inclusion by DSIT in the CoP Implementation Guide of the OWASP Gen AI Security Project resources and guidelines is a fantastic validation of our project’s strategy and approach to leverage the scalable expertise of our hard-working open community of experts through focused initiatives to develop practical resources and guidance to support the secure adoption of AI in practice,” said Scott Clinton, Co-lead (strategy and growth) of the OWASP Top 10 for LLM and Generative AI Security Project.

The Implementation Guide provides example controls for every provision of each principle and offers practical guidance on key aspects of the secure AI lifecycle, including:

  • Risk management, threat modelling, and the imperative of employee, developer, and stakeholder awareness of the rapidly changing AI threat landscape.
  • Secure-by-design development of AI and its relationship with Responsible AI.
  • Secure AI development practices, guardrails, the importance of documenting, protecting, and tracking AI assets throughout the lifecycle, and non-technical controls such as the different types of human oversight.
  • Securing the AI supply chain and dealing with imperfect situations and landscapes using a pragmatic, risk-based approach.
  • Testing AI solutions and deployment strategies, highlighting the need for early testing and the relationship between pen testing, AI red teaming, and AI model evaluations.
  • Operations, vulnerability management, and maintenance for AI solutions.
  • AI incident response handling.
  • Compliant and secure decommissioning.

It recognises that security is a matter of risk and proportionality within the context of an organisation, and uses four different scenarios to illustrate how to apply the example controls. This allows it to demonstrate the different options, scale, and type of effort appropriate for AI vendors, large enterprises, and SMEs.

The guide has been reviewed by UK DSIT and National Cyber Security Centre (NCSC) officials at each iteration. It forms part of the submission to ETSI standardization, marking a new milestone towards real-life adoption of secure AI practices.


To learn more about the OWASP Top 10 for LLM and Generative AI Security Project, visit: https://genai.owasp.org.

To read the UK Government Department for Science, Innovation and Technology (DSIT) Code of Practice (CoP) for the Cyber Security of AI, visit: https://www.gov.uk/government/publications/ai-cyber-security-code-of-practice
