
Drift Detection

Drift detection monitors your data landscape for changes that affect compliance posture. When new sensitive data appears, existing data changes, or configuration settings shift, Slim.io generates drift events and can execute automated remediation.

What Constitutes Drift

Slim.io detects three types of drift:

Data Drift

New sensitive data detected in previously clean locations, or new PII categories found in already-classified files.

Examples:

  • A CSV file that previously contained no PII now includes SSN values after an update
  • A new file uploaded to a bucket that is covered by a governance policy
  • An existing file’s PII exposure increased (more findings detected on re-scan)

Configuration Drift

Changes to connector settings, policy definitions, or classifier configurations that affect the scope or behavior of detection.

Examples:

  • A connector’s bucket scope was expanded to include new prefixes
  • A policy was disabled or had its conditions relaxed
  • A classifier was removed or its confidence threshold lowered

Exposure Drift

Changes to the accessibility or visibility of data that increase risk, even if the data itself has not changed.

Examples:

  • A private S3 bucket was made public
  • A storage account’s access tier changed
  • IAM permissions on a bucket were broadened

Drift Events

Each detected drift generates an event with the following information:

{
  "event_id": "drift-2024-03-15-001",
  "type": "data_drift",
  "severity": "high",
  "timestamp": "2024-03-15T14:30:00Z",
  "connector_id": "conn-aws-prod",
  "resource": "s3://production-data/exports/users.csv",
  "description": "New Credit Card findings detected (15 matches, confidence 0.92)",
  "previous_state": { "findings_count": 0, "risk_score": 12 },
  "current_state": { "findings_count": 15, "risk_score": 78 },
  "policies_triggered": ["tokenize-financial-pii", "alert-high-risk"]
}

Auto-Remediation Playbooks

Drift events can trigger automated remediation actions through governance policies. Common playbooks:

Tokenize

Replace newly detected PII with encrypted tokens. This is the default remediation for financial data.

Mask

Redact sensitive values in place. Use when the original value never needs to be recovered: masking is irreversible anonymization, whereas tokenization keeps the value recoverable through the token.

Quarantine

Move the affected file to an isolation bucket or container. The original file is replaced with a tombstone reference. Security teams review quarantined files before release.

Alert

Send notifications to configured channels (Slack, email, webhook) without modifying the data. Use as a lightweight response for lower-severity drift.

Auto-remediation actions only execute when the associated policy is in enforced mode. Policies in dry-run mode log the drift event and potential actions without taking effect.
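The following is an added example, not Slim.io code, showing how a drift event like the one above is dispatched to the four playbooks while honouring the enforced / dry-run distinction. The event shape and policy names come from this page; everything else is assumed for the demo: the Policy fields (mode and a per-policy minimum severity), the in-memory dict standing in for an object store, the toy 16-digit card matcher, the quarantine bucket name, and the HMAC-based token that stands in for a vault-backed encrypted token.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Severity order used to gate playbooks. The four levels are the page's; the
# idea that a policy carries a minimum severity is an assumption for this demo.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Policy:
    name: str
    playbook: str         # tokenize | mask | quarantine | alert
    mode: str             # "enforced" or "dry-run"
    min_severity: str = "low"


CARD_RE = re.compile(r"\b\d{16}\b")        # toy card-number matcher for the demo
TOKEN_KEY = b"demo-only-key"               # assumption: real keys live in a vault/HSM
ISOLATION_BUCKET = "s3://quarantine"       # assumed isolation bucket name


def tokenize(store, uri, event):
    """Keyed HMAC stands in for an encrypted token: the file alone no longer
    reveals the value; a real deployment maps tokens back via a token vault."""
    def tok(m):
        return "tok_" + hmac.new(TOKEN_KEY, m.group().encode(), hashlib.sha256).hexdigest()[:16]
    store[uri] = CARD_RE.sub(tok, store[uri])
    return "tokenized"


def mask(store, uri, event):
    """Irreversible: keep the last four digits, redact the rest in place."""
    store[uri] = CARD_RE.sub(lambda m: "*" * 12 + m.group()[-4:], store[uri])
    return "masked"


def quarantine(store, uri, event):
    """Copy to the isolation bucket and leave a tombstone at the original key."""
    dest = ISOLATION_BUCKET + "/" + uri.split("://", 1)[1]
    store[dest] = store[uri]
    store[uri] = f"TOMBSTONE: quarantined to {dest}"
    return f"quarantined to {dest}"


def alert(store, uri, event):
    """Notify only; the Slack/email/webhook send is stubbed as a returned message."""
    return f"alert [{event['severity']}] {event['type']} on {uri}: {event['description']}"


PLAYBOOKS = {"tokenize": tokenize, "mask": mask, "quarantine": quarantine, "alert": alert}


def dispatch(event, policies, store):
    """Run each triggered policy's playbook; dry-run policies are logged, not executed."""
    outcomes = []
    for name in event["policies_triggered"]:
        pol = policies[name]
        if SEVERITY_RANK[event["severity"]] < SEVERITY_RANK[pol.min_severity]:
            outcomes.append((name, "skipped", "below policy severity threshold"))
        elif pol.mode != "enforced":
            outcomes.append((name, "dry-run", f"would run {pol.playbook} on {event['resource']}"))
        else:
            outcomes.append((name, "executed", PLAYBOOKS[pol.playbook](store, event["resource"], event)))
    return outcomes


def demo():
    # Constructed object store standing in for S3; one file with raw card numbers.
    store = {"s3://production-data/exports/users.csv": "id,card\n1,4111111111111111\n2,5500000000000004\n"}
    policies = {
        "tokenize-financial-pii": Policy("tokenize-financial-pii", "tokenize", "enforced", "medium"),
        "alert-high-risk": Policy("alert-high-risk", "alert", "dry-run", "high"),
    }
    event = {  # the drift event shown on this page
        "event_id": "drift-2024-03-15-001", "type": "data_drift", "severity": "high",
        "timestamp": "2024-03-15T14:30:00Z", "connector_id": "conn-aws-prod",
        "resource": "s3://production-data/exports/users.csv",
        "description": "New Credit Card findings detected (15 matches, confidence 0.92)",
        "previous_state": {"findings_count": 0, "risk_score": 12},
        "current_state": {"findings_count": 15, "risk_score": 78},
        "policies_triggered": ["tokenize-financial-pii", "alert-high-risk"],
    }
    return dispatch(event, policies, store), store


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

With the tokenize policy enforced and the alert policy in dry-run, the card numbers in the file are replaced but no notification is sent; the dry-run outcome records what would have happened, which is the behaviour to check before flipping a policy to enforced.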

Baseline Management

Drift detection works by comparing the current state against a stored baseline:

  • Initial Baseline — Created after the first full scan of a connector
  • Baseline Updates — Updated after each completed scan (incremental or full)
  • Manual Reset — Administrators can reset the baseline to the current state, acknowledging all existing findings as the new normal

Baseline Suppression

You can suppress specific findings from generating drift events by marking them as “accepted risk” in the Data Catalog. Accepted findings:

  • Remain visible in the Data Catalog with an “accepted” label
  • Do not trigger drift events on subsequent scans
  • Are excluded from risk score calculations
  • Can be un-accepted at any time to resume monitoring
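The following is an added example, not Slim.io code, that carries the baseline comparison through for both the Data Drift and Exposure Drift cases described earlier on this page, with "accepted risk" findings suppressed and excluded from the risk score. The drift-event fields follow the page's event format; the per-category risk weights, the severity rules, the "public" flag as the exposure signal, and the sample resources are all assumptions for the demo.

```python
from dataclasses import dataclass, field

# Per-category risk weights. Assumption: the page does not define how risk
# scores are computed, so this weighting is illustrative only.
CATEGORY_WEIGHT = {"SSN": 10, "Credit Card": 8, "Email": 1}


@dataclass
class ResourceState:
    """Scan result for one resource: finding counts per PII category plus exposure."""
    findings: dict
    public: bool = False
    accepted: set = field(default_factory=set)  # categories marked "accepted risk"

    def live_findings(self):
        """Findings that still count: accepted categories are suppressed."""
        return {c: n for c, n in self.findings.items() if c not in self.accepted}

    def risk_score(self):
        return min(100, sum(CATEGORY_WEIGHT.get(c, 5) * n for c, n in self.live_findings().items()))


def snapshot(state):
    return {"findings_count": sum(state.live_findings().values()), "risk_score": state.risk_score()}


def detect_drift(baseline, current):
    """Compare the current scan with the stored baseline and emit drift events.

    Data drift: a non-accepted category appears, or its count grows, on a
    resource (including resources not in the baseline at all).
    Exposure drift: a resource that was private in the baseline is now public.
    Severity rules here are an assumption for the demo, not Slim.io's.
    """
    events = []
    for uri, cur in current.items():
        prev = baseline.get(uri, ResourceState(findings={}))
        prev_live = prev.live_findings()
        for cat, n in cur.live_findings().items():
            before = prev_live.get(cat, 0)
            if n > before:
                events.append({
                    "type": "data_drift",
                    "severity": "high" if CATEGORY_WEIGHT.get(cat, 5) >= 8 else "medium",
                    "resource": uri,
                    "description": f"{cat} findings {before} -> {n}",
                    "previous_state": snapshot(prev),
                    "current_state": snapshot(cur),
                })
        if uri in baseline and cur.public and not prev.public:
            events.append({
                "type": "exposure_drift",
                "severity": "critical" if cur.live_findings() else "high",
                "resource": uri,
                "description": "resource changed from private to public",
                "previous_state": snapshot(prev),
                "current_state": snapshot(cur),
            })
    return events


def demo():
    # Constructed baseline and re-scan results; the paths are invented for the demo.
    baseline = {
        "s3://production-data/exports/users.csv": ResourceState(findings={}),
        "s3://production-data/legacy/contacts.csv": ResourceState(findings={"Email": 3}, accepted={"Email"}),
    }
    current = {
        "s3://production-data/exports/users.csv": ResourceState(findings={"Credit Card": 15}, public=True),
        "s3://production-data/legacy/contacts.csv": ResourceState(findings={"Email": 5}, accepted={"Email"}),
        "s3://production-data/exports/new-hires.csv": ResourceState(findings={"SSN": 2}),
    }
    events = detect_drift(baseline, current)
    new_baseline = dict(current)   # baseline update after a completed scan
    return events, new_baseline


if __name__ == "__main__":
    for ev in demo()[0]:
        print(ev["severity"], ev["type"], ev["resource"], ev["description"])
```

In the demo the users.csv file produces two events (new Credit Card findings, and a private-to-public flip that is rated critical because the file now holds live findings), the new-hires.csv file appears for the first time with SSNs, and contacts.csv produces nothing even though its Email count rose from 3 to 5, because that category is accepted risk. Replacing the baseline with the current state at the end is the "Baseline Updates" step; a manual reset is the same assignment, triggered by an administrator.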

Monitoring Drift

In the Customer Dashboard, navigate to Governance > Drift to see:

  • Timeline — Chronological view of all drift events
  • Severity Distribution — Breakdown by critical/high/medium/low
  • By Connector — Which connectors are generating the most drift
  • Remediation Status — Which drift events have been auto-remediated vs. pending review
  • Trend Charts — Drift volume over time (increasing drift indicates growing data risk)

Drift API

Retrieve drift events programmatically:

GET /api/v1/governance/drift-events?since=2024-03-01&severity=high
Authorization: Bearer $TOKEN

Response includes paginated drift events with full metadata for integration with external SIEM or incident management systems.
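The following is an added example, not Slim.io code, of a small client that walks the paginated drift-events endpoint and renders each event as a CEF line for a syslog-fed SIEM. The path, the since/severity parameters, and the event fields are from this page; the API host, the cursor-based pagination (a `cursor` query parameter and a `next_cursor` response field), the page envelope (`events`), and the CEF vendor/product/severity mapping are assumptions. The demo uses a constructed fetch function in place of the network so it runs offline; `http_fetch` is the real transport.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

API_BASE = "https://slim.example.invalid"   # assumption: the page gives only the path
DRIFT_PATH = "/api/v1/governance/drift-events"


def build_url(since, severity=None, cursor=None):
    """`since` and `severity` are the page's parameters; `cursor` is assumed."""
    params = {"since": since}
    if severity:
        params["severity"] = severity
    if cursor:
        params["cursor"] = cursor
    return f"{API_BASE}{DRIFT_PATH}?{urllib.parse.urlencode(params)}"


def http_fetch(token):
    """Real transport: bearer-authenticated GET returning the decoded JSON body."""
    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def iter_events(fetch, since, severity=None):
    """Walk every page, de-duplicating by event_id in case pages overlap."""
    cursor, seen = None, set()
    while True:
        page = fetch(build_url(since, severity, cursor))
        for ev in page["events"]:
            if ev["event_id"] not in seen:
                seen.add(ev["event_id"])
                yield ev
        cursor = page.get("next_cursor")
        if not cursor:
            return


CEF_SEVERITY = {"low": 3, "medium": 5, "high": 8, "critical": 10}   # assumed mapping


def _hdr(s):   # CEF header fields escape '|' and '\'
    return str(s).replace("\\", "\\\\").replace("|", "\\|")


def _ext(s):   # CEF extension values escape '=' and '\'
    return str(s).replace("\\", "\\\\").replace("=", "\\=")


def to_cef(ev):
    """Render one drift event as a CEF line (rt is epoch milliseconds, UTC)."""
    ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = {
        "rt": int(ts.timestamp() * 1000),
        "externalId": ev["event_id"],
        "fname": ev["resource"],
        "cs1Label": "connector", "cs1": ev["connector_id"],
        "cs2Label": "policies", "cs2": ",".join(ev.get("policies_triggered", [])),
        "cn1Label": "riskScore", "cn1": ev["current_state"]["risk_score"],
    }
    ext = " ".join(f"{k}={_ext(v)}" for k, v in fields.items())
    return (f"CEF:0|Slim.io|Drift Detection|1|{_hdr(ev['type'])}|{_hdr(ev['description'])}"
            f"|{CEF_SEVERITY[ev['severity']]}|{ext}")


def _mk(event_id, kind, ts, resource, desc, score):
    """Build a constructed event in the page's shape."""
    return {"event_id": event_id, "type": kind, "severity": "high", "timestamp": ts,
            "connector_id": "conn-aws-prod", "resource": resource, "description": desc,
            "previous_state": {"findings_count": 0, "risk_score": 12},
            "current_state": {"findings_count": 15, "risk_score": score},
            "policies_triggered": ["tokenize-financial-pii", "alert-high-risk"]}


EVENT_A = _mk("drift-2024-03-15-001", "data_drift", "2024-03-15T14:30:00Z",
              "s3://production-data/exports/users.csv",
              "New Credit Card findings detected (15 matches, confidence 0.92)", 78)
EVENT_B = _mk("drift-2024-03-15-002", "config_drift", "2024-03-15T15:00:00Z",
              "conn-aws-prod", "Connector scope expanded to prefix archive/", 40)
EVENT_C = _mk("drift-2024-03-16-001", "exposure_drift", "2024-03-16T09:12:00Z",
              "s3://production-data", "Bucket ACL changed from private to public", 95)


def constructed_fetch(url):
    """Stand-in for the API: two constructed pages, the second overlapping on EVENT_B."""
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    if q.get("cursor") == ["p2"]:
        return {"events": [EVENT_B, EVENT_C], "next_cursor": None}
    return {"events": [EVENT_A, EVENT_B], "next_cursor": "p2"}


def demo():
    return [to_cef(ev) for ev in iter_events(constructed_fetch, "2024-03-01", "high")]


if __name__ == "__main__":
    print("\n".join(demo()))
```

To run it against the real endpoint, pass `http_fetch(token)` instead of `constructed_fetch`. The de-duplication set matters for SIEM ingestion: if a poller re-reads an overlapping page, the same drift event must not open two incidents.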
