Nemotron 3.5 Content Safety: The First Unified Multimodal, Multilingual Guard with Custom Policy Reasoning

NVIDIA just shipped what might be the most complete open content safety model yet: Nemotron 3.5 Content Safety unifies multimodal evaluation, 140-language coverage, custom enterprise policy enforcement, and auditable reasoning traces in a single inference call. If you've been following the content moderation space, you know most guard models force you to choose: multimodal or multilingual, low latency or reasoning, fixed taxonomy or custom policies. Nemotron 3.5 is the first production-ready model that refuses that trade-off.

And they released the training dataset—multimodal, multilingual, with reasoning traces included. That's rare enough in OSS safety work to be worth calling out up front.

What Actually Changed in 3.5

Nemotron 3 (released March 2026) was already a solid 4B-parameter multimodal guard. Version 3.5 completes the architecture by adding three major capabilities that matter for real deployments.

Unified Multimodal Evaluation

The model now evaluates user prompt, image, and assistant response together in a single context window. This closes a known gap: policy violations that only emerge from the interaction between text and image—or between request and response—now get caught in one pass instead of requiring separate scoring and reconciliation logic.

This is the right design. Real safety failures often live in the joints between modalities, not in isolated text or image content.

True Multilingual Coverage

Nemotron 3.5 maintains explicit training on 12 languages: English, French, Spanish, German, Chinese, Japanese, Korean, Arabic, Hindi, Russian, Portuguese, and Italian. But the base model is Google Gemma 3 4B IT, which brings strong zero-shot generalization across approximately 140 languages.

That means deployments in Southeast Asia, Scandinavia, or less-resourced African languages get usable safety coverage without custom fine-tuning. The model inherits multilingual transfer from the base rather than requiring explicit training data for every target market.

Custom Policy Enforcement

This is the headline feature. Nemotron 3.5 accepts a custom policy specification alongside the input and reasons over that policy when producing its verdict.

Production deployments don't operate under a single universal safety taxonomy. A healthcare chatbot has different risk thresholds than a financial services agent, a developer IDE, or a kids' education app. The model lets you suppress irrelevant categories ("violence" triggers on "terminate a process" in DevOps tools are annoying) or inject proprietary risk categories specific to your regulatory environment.

This capability was first introduced in the text-only Nemotron Content Safety Reasoning 4B model. Version 3.5 extends it to the full multimodal, multilingual setting.

Reasoning Traces: THINK Mode

Every safety verdict can include an auditable reasoning trace via optional THINK mode. When enabled, the model outputs step-by-step reasoning before delivering a final safe/unsafe label and violated categories.

Here's an example from the release:

<think> The user prompt asks for guidance on acquiring a controlled substance without a prescription. The assistant response provides specific sourcing steps and references an online marketplace. This interaction violates the Criminal Planning/Confessions and Controlled Substances categories. The image (a pharmacy exterior) provides locational context but does not alter the verdict. </think>

This matters for three reasons:

1. Compliance and audit logging: Regulated industries need documented justifications for content moderation decisions.
2. Human review: Reviewers can see why a verdict was reached and identify systematic model errors.
3. Policy iteration: The traces reveal how the model interprets edge cases, letting you refine custom policy language.

When latency is the primary constraint, you disable THINK mode and get back the same low-latency binary verdict available in Nemotron 3.

The reasoning traces are generated via a two-step process to keep them concise. First, a larger model like Qwen 397B generates verbose chain-of-thought reasoning. Then a second model (Qwen 80B) condenses those traces to fit in three sentences or fewer. This keeps output tokens low and latency acceptable even when reasoning is enabled.

Architecture and Modes

Nemotron 3.5 is built on Gemma 3 4B IT with a LoRA adapter for targeted safety classification. The base provides a 128K context window, strong vision-language reasoning, and broad multilingual coverage. The adapter keeps the model compact enough for real-time deployment on GPUs with 8GB+ VRAM.

The inference interface supports three output modes:

• Mode 1 (low-latency binary): User Safety: safe / Response Safety: unsafe
• Mode 2 (binary + categories): adds Safety Categories: Violence, Criminal Planning/Confessions
• Mode 3 (THINK mode): prepends reasoning trace before verdict and categories

The safety taxonomy follows the Aegis 2.0 framework: 13 core categories aligned with the MLCommons safety taxonomy, plus 10 fine-grained subcategories. This alignment allows direct comparison with other open and closed guard systems benchmarked on Aegis datasets.

The Training Dataset Release

NVIDIA released the Nemotron 3.5 Content Safety Dataset—multimodal, multilingual, with reasoning traces included. This is significant because most OSS safety models don't release training or evaluation sets, and the problem is worse in multimodal space where images often come from resources with restrictive licensing.

The dataset mix includes:

• Multilingual text safety data from Nemotron Safety Guard Dataset v3, with culturally nuanced subsets and proportional representation across safety categories
• Human-annotated multimodal data collected in English by NVIDIA, translated into 12 languages
• 99% real photographs, not synthetic generations—directly addressing a known weakness in multimodal safety benchmarks like VLGuard and MM-SafetyBench, which rely heavily on SDXL-generated images that lack cultural texture and adversarial complexity
• Safe multimodal data from Nemotron VLM Dataset v2 (scanned documents, charts, papers, diagrams) to prevent over-flagging benign professional content
• Reasoning traces derived from chain-of-thought outputs from teacher models (Qwen 397B condensed via Qwen 80B)
• Topic-following data from the CantTalkAboutThis dataset with policy-specification/verdict pairs across enterprise scenarios
• Synthetic data accounting for roughly 10% of total volume, used to diversify jailbreak patterns and generate rare policy violation examples

While not all real images could be released due to licensing constraints, the released subset includes images from Wikimedia and synthetic sources.

Benchmarks and Production Fit

Nemotron 3.5 was evaluated across multilingual, multimodal, and custom-policy benchmarks including VLGuard, MM-SafetyBench, PolyGuard, RTP-LX, Aya Redteaming, XSafety, MultiJail, Aegis, Dynaguardrail, and CoSA.

Nemotron 3 set a baseline with 84% average accuracy on multimodal harmful-content tests and roughly half the latency of LlamaGuard-4-12B. Version 3.5 maintains that 4B efficiency while adding custom policy support and reasoning traces.

The production challenge for enterprise safety is applying consistent guardrails across global languages, text and image inputs, and domain-specific policies without adding prohibitive latency. Nemotron 3.5's architecture directly targets that constraint.

Why This Matters

Content safety has been stuck in a fragmentation trap. You could get strong English text classification (LlamaGuard), or good multimodal coverage (some proprietary APIs), or reasoning traces (a few research models), but not all three in a compact, deployable package.

Nemotron 3.5 is the first model that ships all of it together: multimodal input, 140-language zero-shot coverage, custom policy reasoning, and auditable traces in a 4B model you can run on a single consumer GPU.

The custom policy enforcement is particularly important. Fixed taxonomies force every deployment into the same risk profile, which means enterprise teams either accept false positives that break legitimate use cases or build bespoke classifiers from scratch. Nemotron 3.5 gives you a third option: define your policy in natural language at inference time and let the model reason over it.

And the dataset release changes the game for researchers and smaller teams who want to build domain-specific safety models but lack the resources to collect multimodal, multilingual training data from scratch.

Open Questions

A few things I'm still curious about:

• How well does zero-shot generalization actually hold across the 140-language tail? The explicit training covers 12 languages; everything else is inherited from Gemma 3's base multilingual capabilities. Real-world edge cases in low-resource languages will be the test.
• What's the latency penalty for THINK mode in production at scale? The condensed reasoning traces keep output tokens low, but two-model distillation during training doesn't eliminate inference-time generation cost.
• How do enterprises handle policy specification in practice? Writing effective natural-language policies that trigger correct reasoning behavior is itself a design challenge. I'd love to see NVIDIA publish a policy prompt engineering guide.

But those are refinements. The core architecture is sound, the dataset release is generous, and the multimodal + multilingual + custom policy combination is genuinely new in the open model space.

If you're shipping content moderation for a global product, Nemotron 3.5 deserves a serious look.