A DLP solution is only as strong as what it can detect. Gaps in detector coverage aren't just a technical inconvenience; they're exposure windows. Every format that goes unrecognized is a policy that can't fire, a remediation that can't happen, and a breach waiting to occur.
Three new detectors are now available in Nightfall: personal photos (selfies and headshots), Malaysian Driver's License numbers, and South African National ID numbers. Each one addresses a specific, real-world security need, and together they signal something larger about where AI-native DLP is heading.
Personal Photos (Selfies & Headshots)
The Problem
Personally identifiable information doesn't live only in structured data fields. A headshot or selfie carries identity information that, in the wrong context, can compromise user anonymity, violate privacy regulations, or breach platform commitments to users. Financial platforms operating under strict anonymity requirements face real risk when user-submitted images containing identifiable portraits are stored or transmitted outside controlled environments.
How It Works
The Personal Photo detector uses a large language model (LLM) to classify images and identify selfies, headshots, and portrait-style photographs. Detection fires when all of the following conditions are met:
- A single real person is the primary subject of the image
- The face is fully visible and facing the camera
- The image is consistent with a selfie, headshot, or upper-body portrait
The detector deliberately excludes group photos, side profiles, partially visible faces, and stylized or illustrative imagery. This precision boundary keeps alert volume focused on genuinely sensitive content.
Why LLMs for Image Detection?
Traditional computer vision approaches rely on trained models that need large labeled datasets and tend to be brittle at the edges. LLM-based classification can be guided through prompt tuning: describe what to look for in natural language, evaluate performance, and iterate. For this detector, strong performance was achieved after targeted prompt tuning, pointing to LLMs as a viable mechanism for expanding image detection coverage. This approach can complement or potentially replace parts of existing computer vision stacks for document-type detectors like driver's licenses, passports, and credit cards.
The takeaway for security teams: image-based PII is a real and growing attack surface. DLP policies that only scan text fields leave a significant gap in coverage. This detector is a direct response to that gap.
Malaysian Driver's License Number
The Problem
Southeast Asia is home to some of the fastest-growing digital economies and some of the most complex PII landscapes. Regulatory frameworks vary by country, data formats differ, and a single platform operating across the region may handle dozens of distinct national ID and document formats simultaneously. Nightfall has expanded our coverage to include 48 Southeast Asia detectors.
How It Works
The Malaysian Driver's License Number detector identifies license numbers issued by Malaysia's Road Transport Department (JPJ). One important technical nuance: in many cases, a Malaysian Driver's License number corresponds directly to the holder's NRIC (MyKad) number. This means the detector may overlap with Malaysian National ID detection in some environments. Security teams configuring policies in this region should account for that relationship when defining alert logic.
The takeaway for security teams: if your DLP policy library doesn't reflect the geographies your platform operates in, you have coverage gaps by design. Regional PII formats aren't edge cases; they're the primary data type for your users in those markets.
South African National ID Number
The Problem
South Africa is often the entry point for global platforms expanding into Africa, and South African National ID (SAID) numbers are central to KYC flows, financial onboarding, and regulated data environments. Custom regex patterns can partially address this, but they break at the edges. They don't account for format variations, and they have no mechanism for validating whether a matched string represents a real, plausible ID.
How It Works
The South African National ID Number detector identifies the standard 13-digit SAID format (YYMMDDSSSSCAZ), including common variants with spaces or hyphens, the kinds of formatting inconsistencies that real-world data creates constantly.
The detector also includes enhanced validation logic:
- Date-of-birth parsing: The SAID format encodes the holder's birth date in the first six digits. The detector validates that this date is plausible, filtering out strings that match the format but couldn't represent a real person.
- Checksum verification: South African ID numbers include a Luhn checksum. Validating this significantly reduces false positives.
This is the difference between a regex and a detector. A regex matches patterns. A detector understands structure and validates content.
The takeaway for security teams: pattern matching gets you to detection. Validation gets you to the right level of confidence. Without checksum and date verification, a high-volume environment will drown your SecOps team in false positives and real exposures will get lost in the noise.
What These Releases Signal
Three detectors. Three distinct problem spaces. One consistent thread: coverage gaps are exposure gaps.
The right DLP platform needs depth across multiple dimensions simultaneously: AI-native detection for data types that rules can't handle, geographic breadth for regions with specific regulatory requirements, and structural validation that goes beyond pattern matching. These detectors reflect that approach.
If your current DLP solution relies on static regex libraries and region-limited coverage, these are the gaps that will surface in your next data audit. Or your next incident.
Schedule a demo to see how these detectors fit into your existing DLP policies, from detection configuration to alert tuning and automated remediation.
.svg)
.svg)
