June 2026 Product Release Notes

Last updated: July 1, 2026

Theme: Identity Infrastructure at Scale

This release builds out the identity stack end to end - AI that's on by default, machine-identity threat hunting for AWS, programmatic control over your integrations and App Store, and access policies that explain and own themselves.

Highlights

  • Albus, on by default - Lumos AI now on across your account

  • NHI Threat Hunter for AWS [BETA] - Hunt risky AWS machine identities

  • Access Policy Insights - See whether each grant belongs

  • Access Policy Owner - Hand policy upkeep to the right people

  • Integrations API - Manage your integrations as code

  • Identities Table Revamp - Filter and sort every identity attribute

  • Sync Observability - See every sync, stage by stage

  • App Store Configuration MCP [BETA] - Configure the App Store with AI agents

๐Ÿงช Now in Beta - opt in

Most of this release is generally available. A few items are launching in Beta - available now to customers who opt in. Reach out to your CSM to participate.

  • NHI Threat Hunter for AWS - requires the AWS IAM Identity Center connector

  • App Store Configuration MCP - scoped to approval-change configuration

Coming next month: NHI - Identities & Ownership View and Lumos API V1 will both open in Beta.

๐Ÿ›ก Intelligence & AI

Albus, On by Default

Albus, the Lumos AI assistant, is now enabled and synced automatically for existing customers - no per-account request. It also reads more of your data and answers with interactive, exportable charts.

What's new:

  • Albus enabled and synced across existing accounts by default (a short exclusion list aside*)

  • Reads more data, including access-request and approver data

  • Access matrix now considers every attribute automatically, not a hand-picked few

  • Inline interactive charts - bar, line, area, and donut - in Lumos styling

  • Export answers and charts to PDF or markdown reports

Benefits:

  • Get answers from Albus without waiting on enablement

  • Act on visuals instead of walls of text

  • Share exec-ready reports without rebuilding them in a spreadsheet

*Rest assured, if you've requested Albus to remain off in your tenant, it will not be enabled.

NHI Threat Hunter for AWS [BETA]

A security agent that scans your AWS environment for the non-human identity (NHI) exposures an attacker could actually use and delivers them as prioritized, owned issues.

What's new:

  • Scans the full AWS IAM authorization graph - users, roles, groups, policies, and trust

  • Flags risky service principals, weak federation, and over-broad iam:PassRole / sts:AssumeRole chains

  • Enriches IAM Access Analyzer and GuardDuty findings with graph and ownership context

  • Resolves privileged identities to their owning app or team

  • Surfaces a short, high-confidence set of findings as Lumos Issues

Benefits:

  • Catch exploitable AWS identity risks that native tools miss

  • Cut noise - a few defensible findings, not another dashboard

  • Route each finding to an owner for remediation

Requires the AWS IAM Identity Center connector. Available in Beta - reach out to your CSM to participate.

๐Ÿงฑ Platform

Access Policy Insights

Every app and permission in an access policy now carries a plain-language insight, the assignment and usage numbers behind it, and a short explanation - so you can tell whether each grant belongs.

What's new:

  • One insight per grant: Essential, Widely Used, Rarely Used, Widely Assigned, Rarely Assigned

  • Assignment and usage percentages for each app and permission

  • A plain-language reason on every insight, so no number-crunching is required

  • Freshness timestamp; insights refresh on draft, on publish, and at least every 7 days

  • Refreshed layout with search and permission descriptions

Benefits:

  • Confirm access is appropriate before you publish

  • Catch over-granted access at a glance

  • Give reviewers the evidence on the page, not in a spreadsheet

Help Center Article

Access Policy Owner

Assign an owner to each access policy so the people closest to an app or team can keep it current, while admins keep control of what goes live.

What's new:

  • Owner field on every policy - one or more users, or a group

  • Assign at creation or any time after, including in bulk

  • Owners can view and edit access on the policies they own

  • Publishing and activating stay with admins

  • Owner shown in list and policy views; ownership changes are logged

Benefits:

  • Delegate policy upkeep to app owners and team leads

  • Keep policies current as the policy count grows

  • Show clear, auditable accountability for every policy

Help Center Article

Identities Table Revamp

The Identities page is now a full table on the Lumos Table Platform, with filtering, sorting, and column controls - and the custom attributes you sync from Okta and other apps are finally visible and filterable in one place.

What's new:

  • Filter, sort, and search across identities

  • Show, hide, and reorder columns

  • Custom synced attributes (Okta and other apps) visible and filterable in the table

  • Consistent with Apps, Access Reviews, and other updated tables

Benefits:

  • Find the identities you need without exporting to a spreadsheet

  • Slice by the attributes your team actually uses

  • Work on a surface that matches the rest of Lumos

Rollout note: launching in the June release, with general availability July 6.

App Store Configuration MCP [BETA]

Configure your Lumos App Store programmatically or through any Model Context Protocol (MCP) compatible AI agent, instead of clicking through every record. This scoped beta covers approval-change configuration.

What's new:

  • Read and update App Store configuration over the Lumos MCP server

  • Scoped beta: approval-step changes across apps and permissions

  • Works with MCP-compatible AI tools, authenticated via OAuth

  • Changes take effect immediately and appear in the Admin UI

Benefits:

  • Update many permissions in the time it took to do one

  • Run Lumos configuration from the AI tools your team already uses

  • Cut manual configuration errors

Available in Beta - reach out to your CSM to participate.

โœ… Access Reviews

Admin-Configured Restricted Review Table Views

Admins can define the table views reviewers see in a User Access Review (UAR), keeping each reviewer focused on the information that matters for their decision.

What's new:

  • Admins configure the table views and columns available to reviewers

  • Restricted views apply across the review

Benefits:

  • Keep reviewers focused and reduce review errors

  • Standardize what each reviewer sees

Ad Hoc Reminders in Permission Reviews

Send a reminder to reviewers at any point during a Permission Review, without waiting for the next scheduled nudge.

What's new:

  • Trigger an on-demand reminder to outstanding reviewers

  • Works alongside the existing scheduled reminders

Benefits:

  • Close out stalled reviews faster

  • Reach the right reviewers at the right moment

๐Ÿ”Œ Integrations

Integrations API

A public REST API, plus a new lumos_integration Terraform resource, to manage the full integration lifecycle - connect, reconnect, disconnect, read, and sync - without the UI.

What's new:

  • REST endpoints to connect, reconnect, disconnect, get, list, and trigger sync

  • New lumos_integration Terraform resource over the same API

  • Credentials are write-only - never returned by reads

  • Connect and reconnect emit audit-log events regardless of origin

  • Uses your existing API token and "modify integrations" permission

Benefits:

  • Manage integrations as code in your Terraform or CI/CD

  • Script operations like disconnect-all or scheduled re-syncs

  • Keep integration configuration version-controlled and auditable

Existing Connector Improvements

Ongoing enhancements to existing connectors so you can model more use cases on the integrations you already run.

What's new:

  • Incremental syncs for Workday, Okta, and UKG Pro

  • Workday: implementers and Workday-owned accounts sync

  • SAP Concur: Spend user provisioning

  • Okta: standard admin role provisioning

Benefits:

  • Sync faster and more efficiently on high-volume connectors

  • Model more of your real business requirements

Sync Observability (V1)

A Sync Status view on each integration's Integrations tab that shows every sync from the last 7 days - with live progress, stage timing, and record counts - so you can answer "did the sync run?" without filing a ticket.

What's new:

  • Last 7 days of syncs on each integration's Integrations tab

  • In-progress runs update live with elapsed time

  • Toggle between Entity view and Pipeline (stage) view

  • Stage timing and record counts for each entity

Benefits:

  • Self-serve answers on sync status and where a run is stuck

  • Diagnose stale data in seconds instead of escalating

  • Trust data freshness for reviews, access requests, and audits

Coming soon

  • NHI - Identities & Ownership View [BETA] - See and assign owners for every machine identity

  • Microsoft Teams - Request and manage access from Teams

  • Access Request Agent in Slack - Request access with an @mention

  • Lumos API V1 [BETA] - A broader public API for your Lumos data

  • Standardized Access Changes (UACM) - A consistent model for access changes