OWASP LLM Top 10 · LLM02
Sensitive Information Disclosure
The model reveals data it shouldn't: other users' records, secrets, PII, or internal details.
What it is
LLM apps sit on top of data, including user records, documents, API responses and internal context. Sensitive information disclosure is when the model surfaces data the current user is not authorised to see: another customer's order, PII from training or retrieval, an internal note, or a secret that leaked into context.
How it shows up in real apps
- Cross-tenant leakage: user A coaxes out details about user B because both flow through the same retrieval index or context window.
- Over-broad retrieval: the RAG layer fetches documents the asking user has no right to see, and the model faithfully summarises them.
- Secrets in context: API keys, connection strings or internal URLs placed in the system prompt or tool output and then echoed back.
A concrete example
Scenario
An assistant looks up 'your recent orders' by calling an internal API.
Attack
The user asks 'Show the most recent order in the system' or 'What did order AC-1043 contain?', referring to an order they don't own.
Result
The tool returns it and the model reads it out, because authorisation was assumed in the prompt rather than enforced at the data layer.
How we test for it
We probe for cross-user and cross-tenant disclosure, over-broad retrieval, and secret leakage, asking for data scoped to other identities and checking whether access control lives in the data and tool layer or only in the model's instructions. Findings map to the data categories at risk so you can judge GDPR exposure.
How to reduce the risk
- Enforce authorisation at the tool and retrieval layer, scoped to the acting user. Never trust the model to 'only access allowed data'.
- Filter retrieval by the caller's permissions before documents reach the context window.
- Keep secrets out of prompts and tool outputs; inject them server-side at call time.
- Minimise and redact: don't put more personal data into context than the task needs.
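To make the order-lookup scenario above and the first two mitigations concrete, here is an added example (not Redproof's code or any real product's): an unscoped tool that trusts the order id the model supplies, next to a scoped version where the acting user comes from the authenticated session and ownership is checked before any data is returned, plus a permission filter for retrieved documents. The order store, user ids and document ACLs are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data standing in for the internal order API.
ORDERS = {
    "AC-1043": {"owner": "user_b", "items": ["laptop stand"], "address": "12 Elm St"},
    "AC-1044": {"owner": "user_a", "items": ["USB-C cable"], "address": "9 Oak Rd"},
}


@dataclass(frozen=True)
class Caller:
    """Identity taken from the authenticated session, never from model output."""
    user_id: str


class NotAuthorised(Exception):
    pass


# Vulnerable shape: the tool returns whatever order id the model puts in the
# tool call. Ownership is only "enforced" by wording in the system prompt.
def get_order_unscoped(order_id: str) -> dict:
    return ORDERS[order_id]


# Hardened shape: the check lives in the data/tool layer and is scoped to the
# caller, so a prompt asking for someone else's order cannot succeed.
def get_order_scoped(caller: Caller, order_id: str) -> dict:
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != caller.user_id:
        # Same error for "missing" and "not yours", so the tool does not
        # confirm that another customer's order id exists.
        raise NotAuthorised(f"no order {order_id} for this user")
    return {k: v for k, v in order.items() if k != "owner"}


# RAG-side equivalent: drop documents the caller may not read before they
# ever reach the context window.
def filter_docs(caller: Caller, docs: list[dict]) -> list[dict]:
    return [d for d in docs if caller.user_id in d["allowed"]]


def handle_tool_call(caller: Caller, name: str, args: dict) -> str:
    """Dispatch a model tool call; the model supplies arguments, not identity."""
    try:
        if name == "get_order":
            return str(get_order_scoped(caller, args["order_id"]))
    except NotAuthorised as e:
        return f"error: {e}"
    return "error: unknown tool"
```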
EU AI Act: commonly maps to Art. 10 (data governance) and the GDPR. Redproof reports findings as independent testing evidence, not a conformity verdict.
Test this on your own AI before someone else does
Redproof is independent red-teaming for LLM and AI-agent products. We probe your system for sensitive information disclosure and the rest of the OWASP LLM Top 10, hand you severity-ranked findings with reproductions, fixes, and EU AI Act mapping, and re-test after you patch. That is the evidence your self-assessment needs, before a regulator or customer asks.