Ask most people how an NSFW detector works and you get a clean two-step story: the model looks at an image, returns a probability, and anything above a threshold gets blocked. That description is not wrong so much as incomplete — and the incompleteness is exactly where trust teams get burned. The detector’s score is an input to a decision, not the decision itself. The moment that distinction collapses is the moment nobody can explain why a specific borderline image was actioned. Consider the question that eventually lands on every moderation team: why was this particular photo removed? A raw confidence number — say, 0.87 — is not an answer. It is a measurement. The answer lives in the mapping from that measurement to a policy clause to, when needed, a human reviewer’s adjudication. If your system can only produce the 0.87, you have a classifier. If it can produce the clause and the reasoning path, you have a moderation decision you can defend. What does an NSFW detector’s confidence score actually represent? An NSFW detector is a classifier, typically a convolutional or transformer-based vision model trained on labelled examples of explicit and non-explicit content. Given an image or a video frame, it emits a score — usually a value between 0 and 1 per class (explicit, suggestive, and so on). Popular open baselines like NSFW.js or the models that ship with commercial moderation APIs work this way, and the pattern generalises across implementations regardless of the backbone architecture. The critical thing to understand is what that number is not. A score of 0.87 does not mean “87% of people would call this explicit,” nor does it mean the model is “87% sure.” It is the output of a learned function that was calibrated — or, often, not calibrated — against a training distribution. Two detectors can both output 0.87 on the same image and mean entirely different things, because their score distributions differ. This is why lifting a threshold from one vendor’s documentation and applying it to another model is a common and quiet failure mode. Score calibration matters here in the same way it matters when reading any model’s probability output. The techniques for reasoning about whether a confidence number is trustworthy are not unique to moderation; the same discipline applies when reading AI confidence scores in LLM evaluation, where a raw probability is routinely mistaken for a verdict. How is a threshold actually chosen? A threshold is not a property of the model. It is a policy decision expressed as a number. Choosing it means asking: at what score do we take an action, and which action? The naive approach picks a single cutoff — 0.5, because it feels neutral, or 0.9, because it feels safe — and applies it uniformly. In practice, a defensible threshold is derived from the operating point you want on the precision–recall curve, and that operating point is a business and legal choice, not a mathematical one. A platform that would rather over-block than let explicit material reach minors sets a low threshold and accepts more false positives. A platform serving adult creators who tolerate nuance sets it higher and accepts more false negatives. Neither is correct in the abstract; each is correct relative to a stated tolerance. Reading the trade-off correctly requires understanding what recall and precision actually measure at a given cutoff — the confusion matrix’s recall reading is the same instrument here, just applied to explicit-content classification instead of a benchmark. Quick answer: score, threshold, decision Element What it is Who owns it Confidence score Model output, 0–1, per class The model / ML team Threshold The score at which an action triggers Policy / trust team Action Block, limit reach, queue for review, allow Policy engine Justifying clause The written rule the action enforces Policy / legal Adjudication Human decision on borderline or appealed items Reviewer The score is the only row the model owns. Everything below it is governance. Confusing these rows is the root of most “the AI blocked my post and nobody can tell me why” complaints. How does the score flow into a decision rather than being the decision? Here is the mechanism the naive view skips. A production moderation pipeline does not wire the classifier output straight to a block button. It routes the score through a policy layer that maps score bands to actions: Below the low band: allow, log nothing beyond the score. Between the low and high band: take a soft action — reduce distribution, add a warning interstitial, or queue for human review. Above the high band: take a hard action — block or remove — and record the clause that authorises it. The bands, the actions, and the clause references are configuration, not model weights. This is what lets a trust team tune false-positive and false-negative rates against explicit policy tolerance instead of a single arbitrary cutoff. It is also what makes the decision reproducible: the record for a blocked item names the score, the threshold in force, the band it fell into, and the clause that band enforced. The full policy-to-decision mechanics — how clauses are versioned, how appeals reopen a record, how the audit-evidence pack surfaces all of it — belong to the broader moderation workflow, described in our work on AI governance and trust. This article stays on the narrower question of how the detector’s output enters that workflow. Worth stating plainly: this is operational classification of content. A well-designed detector scores the pixels in front of it. It does not, and should not, profile or track who posted the image — that is a different system with a different risk profile and a different set of obligations. Where do human reviewers fit? The middle band exists precisely because classifiers are worst exactly where humans most want a defensible answer: at the border. A model that is confidently right at 0.05 and 0.98 can be near-useless at 0.55, and 0.55 is where the contested cases live. Routing that band to human adjudication is not a fallback for a weak model; it is a design choice that acknowledges where automated classification stops being trustworthy. In our experience across trust-and-safety engagements, the reviewer’s role is not to second-guess the score but to apply the clause the score triggered — to decide whether this image, in this context, actually violates the rule the band pointed to. (Observed across engagements; not a published benchmark.) That adjudication then becomes part of the record. When an appeal arrives months later, the defensible artifact is not “the model said 0.87” — it is “the model said 0.87, the item fell in the review band under threshold config v4, a reviewer confirmed it against clause 3.2, and here is the timestamp.” The audit record an NSFW decision must keep is the concrete inventory of exactly those fields. Why must the detector version and threshold be pinned to each decision? Because models are retrained and thresholds are tuned, and both change the meaning of a score. A decision made under detector v2.1 at threshold 0.82 is simply not the same decision the same content would receive under v3.0 at threshold 0.78. If you do not pin the version and threshold to each decision record, you cannot reconstruct why an item was actioned once the model behind it has moved on. This is the reproducibility requirement that separates a moderation system you can stand behind in a regulator conversation from one you cannot. Teams that pin detector version and threshold to each decision can reproduce the “why” for any given item months later — the same discipline that makes a pinned-model moderation stack reliable at the infrastructure layer applies at the decision-record layer. The measurable payoff is fewer reversed decisions on appeal and a shorter path from “the model flagged this” to “this clause justified the action.” For platforms operating under sector-specific obligations — a media or telecom provider answering to a broadcast regulator, for instance — the pinning requirement is not optional hygiene but the thing that lets you show a supervisory body exactly what was decided, under which rule, by which model version, and when. FAQ How does an NSFW detector work? An NSFW detector is a vision classifier that takes an image or video frame and outputs a confidence score per class (such as explicit or suggestive). In practice it is one component in a moderation pipeline: the score is routed through a policy layer that maps score bands to actions, so the detector informs a decision rather than making it. What does an NSFW detector’s confidence score actually represent, and how is a threshold chosen? The score is the output of a learned function calibrated against a training distribution — not a literal probability that humans would agree, and not a statement of the model’s certainty. A threshold is a policy decision expressed as a number, derived from the precision–recall operating point a platform wants given its stated tolerance for over- versus under-blocking. How does a detector’s score flow into a moderation decision rather than being the decision itself? The score passes through a policy layer that maps bands to actions: allow below a low band, soft action or human review in the middle band, hard action above a high band. The bands, actions, and clause references are configuration, so the decision record can name the score, the threshold, the band, and the clause that authorised the action. How are false positives and false negatives balanced against explicit policy tolerance? By choosing the threshold’s operating point deliberately: a lower threshold catches more explicit content but over-blocks, a higher one under-blocks but preserves nuance. The correct point is relative to a written tolerance, letting teams tune both error rates against policy rather than an arbitrary single cutoff. Where do human reviewers fit when an NSFW flag is borderline or contested? Borderline scores — the contested cases near the middle of the range — are routed to human adjudication because classifiers are least reliable exactly there. The reviewer applies the clause the band triggered to the specific item and context, and that adjudication becomes part of the defensible decision record. Why must the detector version and threshold be pinned to each decision to keep it defensible? Retraining and threshold tuning both change what a score means, so a decision made under one version and cutoff is not reproducible under another. Pinning the detector version and threshold to each decision lets a team reconstruct exactly why an item was actioned months later, which reduces reversed appeals. How is an NSFW detector kept reproducible when the model is retrained or the threshold changes? Reproducibility comes from treating the detector version and threshold as part of the decision record, not as ambient configuration that silently rolls forward. When the model or cutoff changes, historical decisions still resolve against the version and threshold that were actually in force, and new decisions record the new values. The next time someone asks why a specific image was actioned, the quality of your answer is fixed long before the question arrives — it is fixed at the moment you decide whether the detector’s score travels alone or arrives with the threshold, the clause, and the version that gave it meaning.