So I get asked fairly regularly for a starting point on this stuff, and up until now I've just been sending people individual links as they come up in conversation. This is my attempt to put all of it in one place, because most of what gets written in the security space is aimed at enterprise teams with dedicated security staff, not a solo founder shipping an AI product who just wants to understand what they're actually dealing with. That said, everything below seeks to be non technical enough to be useful to somebody without requiring in depth security knowledge, and would be a great resource to bookmark and keep on hand while building out applications. 1. The OWASP LLM Top 10 (genai.owasp.org) If there is one document worth reading before you ship anything with an AI component, this is it. OWASP has been producing security guidance for developers since 2001, and their Web Application Top 10 became the industry standard for traditional web security. In 2023 they released a version specifically for LLM applications, updated again in 2025, covering the ten most critical vulnerabilities specific to AI powered products. Prompt injection sits at number one on that list, which on its own should tell you something. It doesn't need to be read cover to cover, but even skimming the names and one line descriptions should give you a meaningful vocabulary for understanding what your product is and isn't exposed to. Also worth noting: they released an Agentic Applications Top 10 in 2026 specifically for founders building with autonomous AI agents. If this is applicable to your build, I would definitely give that document a further look into as well. 2. Georgia Tech's Vibe Security Radar (scp.cc.gatech.edu) Launched in May 2025 out of Georgia Tech's Systems Software and Security Lab, the Vibe Security Radar does something nobody else was doing at the time: actually tracking CVEs directly traceable to AI generated code. Researcher Hanqing Zhao's reasoning for building it was straightforward: "everyone is saying AI code is insecure but nobody is actually tracking it."