AI Recipe: Validations Image Safety

Validates uploaded images on the Media: Image bundle using a vision-capable AI provider. Blocks content that falls outside the "Safe" tier of Flickr-style safety levels — nudity, sexually suggestive material, gore, graphic violence, and graphic medical imagery — at upload time, across the admin UI, JSON:API, and programmatic saves.

Recipes Applied

• core/recipes/image_media_type

Modules and Themes Installed

• AI (Artificial Intelligence)
• AI Validations (submodule of AI)
• Field Validation

Requirements

• Drupal 10.5 or newer
• AI module 1.4 or newer (provides the verifySetupAi config action)
• A configured default provider for the chat_with_image_vision operation type at /admin/config/ai/settings → Default Providers. Any vision-capable provider works (OpenAI GPT-4o, Anthropic Claude 3.5 Sonnet, Google Gemini 1.5 Pro, etc.).

If chat_with_image_vision has no default model configured, the recipe apply will abort cleanly with a message from the AI module's preflight check.

Installation

Add the recipe with the following Composer command:

composer require drupal/ai_recipe_validations_image_safety

⚠️ Installation note: AI Validations 1.3.x required

This recipe relies on the standalone AI Validations module, version 1.3 or newer. That version makes the recipe's validation rule follow your site's default vision model (set under Configuration → AI → AI settings) instead of requiring a hard-coded provider — see #3586397.

Until AI Validations tags a 1.3.x release (only 1.0.0-alpha1 is tagged at the moment — release request: https://www.drupal.org/project/ai_validations/issues/3600260), a plain composer require of this recipe will fail with a dependency resolution error, because Composer will not install a dev version to satisfy the recipe's ^1.3 constraint on its own.

Workaround — install in two steps:

composer require drupal/ai_validations:1.3.x-dev
composer require drupal/ai_recipe_validations_image_safety

The first command explicitly allows the development version; the second then resolves normally. Once a 1.3.x release is tagged upstream, the workaround becomes unnecessary and a single composer require drupal/ai_recipe_validations_image_safety will work.

Note for sites already using the AI module's bundled AI Validations: the copy bundled inside the AI module is deprecated. When the standalone package is installed, Drupal automatically switches to it after a cache rebuild — no uninstall/reinstall needed, and your existing configuration is preserved. Without the standalone package, the bundled copy treats this recipe's provider setting as an error and blocks every image upload with "No AI provider specified to do validation".

What it does

• Creates a Field Validation rule set on the Media: Image bundle's field_media_image field.
• Runs the AI image constraint on every image upload, classifying the image into Safe / Moderate / Restricted tiers.
• Blocks anything outside the Safe tier with a clear error message to the editor.
• Catches uploads from the admin UI, the Media Library, JSON:API posts, migrations, and programmatic $entity->save() calls.

Adjusting the threshold

The default behavior blocks both Moderate and Restricted content. To allow Moderate content (mature but not explicit) and block only Restricted (explicit / graphic), edit the ai_image_safety rule at Structure → Field Validation → AI image safety (Media: Image) and update the prompt's decision block. Full instructions are in the project README.

Cost note

Every image upload triggers one vision-model API call. Bulk migrations, imports, or high-volume user upload flows will incur proportional cost. Test with your provider's pricing before rolling out to production.

Bugs and Feedback

If you encounter any bugs or have feedback about this recipe, please file an issue in the project issue queue.

Credits

Developed as part of the AI Initiative. See the originating issue: #3585696.