June 2026 Product Release Notes
Last updated: July 1, 2026
Theme: Identity Infrastructure at Scale
This release builds out the identity stack end to end - AI that's on by default, machine-identity threat hunting for AWS, programmatic control over your integrations and App Store, and access policies that explain and own themselves.
Highlights
Albus, on by default - Lumos AI now on across your account
NHI Threat Hunter for AWS [BETA] - Hunt risky AWS machine identities
Access Policy Insights - See whether each grant belongs
Access Policy Owner - Hand policy upkeep to the right people
Integrations API - Manage your integrations as code
Identities Table Revamp - Filter and sort every identity attribute
Sync Observability - See every sync, stage by stage
App Store Configuration MCP [BETA] - Configure the App Store with AI agents
๐งช Now in Beta - opt in
Most of this release is generally available. A few items are launching in Beta - available now to customers who opt in. Reach out to your CSM to participate.
NHI Threat Hunter for AWS - requires the AWS IAM Identity Center connector
App Store Configuration MCP - scoped to approval-change configuration
Coming next month: NHI - Identities & Ownership View and Lumos API V1 will both open in Beta.
๐ก Intelligence & AI
Albus, On by Default
Albus, the Lumos AI assistant, is now enabled and synced automatically for existing customers - no per-account request. It also reads more of your data and answers with interactive, exportable charts.
What's new:
Albus enabled and synced across existing accounts by default (a short exclusion list aside*)
Reads more data, including access-request and approver data
Access matrix now considers every attribute automatically, not a hand-picked few
Inline interactive charts - bar, line, area, and donut - in Lumos styling
Export answers and charts to PDF or markdown reports
Benefits:
Get answers from Albus without waiting on enablement
Act on visuals instead of walls of text
Share exec-ready reports without rebuilding them in a spreadsheet
*Rest assured, if you've requested Albus to remain off in your tenant, it will not be enabled.
NHI Threat Hunter for AWS [BETA]
A security agent that scans your AWS environment for the non-human identity (NHI) exposures an attacker could actually use and delivers them as prioritized, owned issues.
What's new:
Scans the full AWS IAM authorization graph - users, roles, groups, policies, and trust
Flags risky service principals, weak federation, and over-broad iam:PassRole / sts:AssumeRole chains
Enriches IAM Access Analyzer and GuardDuty findings with graph and ownership context
Resolves privileged identities to their owning app or team
Surfaces a short, high-confidence set of findings as Lumos Issues
Benefits:
Catch exploitable AWS identity risks that native tools miss
Cut noise - a few defensible findings, not another dashboard
Route each finding to an owner for remediation
Requires the AWS IAM Identity Center connector. Available in Beta - reach out to your CSM to participate.
๐งฑ Platform
Access Policy Insights
Every app and permission in an access policy now carries a plain-language insight, the assignment and usage numbers behind it, and a short explanation - so you can tell whether each grant belongs.
What's new:
One insight per grant: Essential, Widely Used, Rarely Used, Widely Assigned, Rarely Assigned
Assignment and usage percentages for each app and permission
A plain-language reason on every insight, so no number-crunching is required
Freshness timestamp; insights refresh on draft, on publish, and at least every 7 days
Refreshed layout with search and permission descriptions
Benefits:
Confirm access is appropriate before you publish
Catch over-granted access at a glance
Give reviewers the evidence on the page, not in a spreadsheet
Access Policy Owner
Assign an owner to each access policy so the people closest to an app or team can keep it current, while admins keep control of what goes live.
What's new:
Owner field on every policy - one or more users, or a group
Assign at creation or any time after, including in bulk
Owners can view and edit access on the policies they own
Publishing and activating stay with admins
Owner shown in list and policy views; ownership changes are logged
Benefits:
Delegate policy upkeep to app owners and team leads
Keep policies current as the policy count grows
Show clear, auditable accountability for every policy
Identities Table Revamp
The Identities page is now a full table on the Lumos Table Platform, with filtering, sorting, and column controls - and the custom attributes you sync from Okta and other apps are finally visible and filterable in one place.
What's new:
Filter, sort, and search across identities
Show, hide, and reorder columns
Custom synced attributes (Okta and other apps) visible and filterable in the table
Consistent with Apps, Access Reviews, and other updated tables
Benefits:
Find the identities you need without exporting to a spreadsheet
Slice by the attributes your team actually uses
Work on a surface that matches the rest of Lumos
Rollout note: launching in the June release, with general availability July 6.
App Store Configuration MCP [BETA]
Configure your Lumos App Store programmatically or through any Model Context Protocol (MCP) compatible AI agent, instead of clicking through every record. This scoped beta covers approval-change configuration.
What's new:
Read and update App Store configuration over the Lumos MCP server
Scoped beta: approval-step changes across apps and permissions
Works with MCP-compatible AI tools, authenticated via OAuth
Changes take effect immediately and appear in the Admin UI
Benefits:
Update many permissions in the time it took to do one
Run Lumos configuration from the AI tools your team already uses
Cut manual configuration errors
Available in Beta - reach out to your CSM to participate.
โ Access Reviews
Admin-Configured Restricted Review Table Views
Admins can define the table views reviewers see in a User Access Review (UAR), keeping each reviewer focused on the information that matters for their decision.
What's new:
Admins configure the table views and columns available to reviewers
Restricted views apply across the review
Benefits:
Keep reviewers focused and reduce review errors
Standardize what each reviewer sees
Ad Hoc Reminders in Permission Reviews
Send a reminder to reviewers at any point during a Permission Review, without waiting for the next scheduled nudge.
What's new:
Trigger an on-demand reminder to outstanding reviewers
Works alongside the existing scheduled reminders
Benefits:
Close out stalled reviews faster
Reach the right reviewers at the right moment
๐ Integrations
Integrations API
A public REST API, plus a new lumos_integration Terraform resource, to manage the full integration lifecycle - connect, reconnect, disconnect, read, and sync - without the UI.
What's new:
REST endpoints to connect, reconnect, disconnect, get, list, and trigger sync
New
lumos_integrationTerraform resource over the same APICredentials are write-only - never returned by reads
Connect and reconnect emit audit-log events regardless of origin
Uses your existing API token and "modify integrations" permission
Benefits:
Manage integrations as code in your Terraform or CI/CD
Script operations like disconnect-all or scheduled re-syncs
Keep integration configuration version-controlled and auditable
Existing Connector Improvements
Ongoing enhancements to existing connectors so you can model more use cases on the integrations you already run.
What's new:
Incremental syncs for Workday, Okta, and UKG Pro
Workday: implementers and Workday-owned accounts sync
SAP Concur: Spend user provisioning
Okta: standard admin role provisioning
Benefits:
Sync faster and more efficiently on high-volume connectors
Model more of your real business requirements
Sync Observability (V1)
A Sync Status view on each integration's Integrations tab that shows every sync from the last 7 days - with live progress, stage timing, and record counts - so you can answer "did the sync run?" without filing a ticket.
What's new:
Last 7 days of syncs on each integration's Integrations tab
In-progress runs update live with elapsed time
Toggle between Entity view and Pipeline (stage) view
Stage timing and record counts for each entity
Benefits:
Self-serve answers on sync status and where a run is stuck
Diagnose stale data in seconds instead of escalating
Trust data freshness for reviews, access requests, and audits
Coming soon
NHI - Identities & Ownership View [BETA] - See and assign owners for every machine identity
Microsoft Teams - Request and manage access from Teams
Access Request Agent in Slack - Request access with an @mention
Lumos API V1 [BETA] - A broader public API for your Lumos data
Standardized Access Changes (UACM) - A consistent model for access changes