
May 2026 — MCP action tools, Okta AI agent detection, AI chat improvements

MCP server v1.1.0 adds write-scope action tools; Okta AI agent principals now sync as first-class non-human identities; AI chat can now act on grouped findings and remove admin roles.

MCP server — action tools (v1.1.0)

The MCP server at mcp.thalian.ai adds six new tools alongside the original six query tools.

New query tools (available to all API keys):

  • list_rules — returns all active detection rules with severity, category, and affected entity types. Useful for building automation or understanding what Thalian is monitoring.
  • check_app_policy — look up an application's current policy status (sanctioned, unauthorized, blocked, or none).

New action tools (require a write-scope API key):

  • snooze_finding — snooze an open finding for 1–90 days
  • dismiss_finding — dismiss an open finding
  • remediate_finding — queue a remediation action for admin approval
  • set_app_policy — set an application to sanctioned, unauthorized, or blocked, or clear its policy

Action tools require a write-scope API key. Create one in Settings → API Keys and enable the write permission toggle. Every mutating call made with a write-scope key is recorded in the audit log.

See MCP Server for full setup details and tool reference.

Okta AI agent identity detection

Thalian now syncs and governs AI agent principals from Okta's AI Agents feature as first-class non-human identities (NHIs). AI agents appear in the Identities page alongside service accounts and are handled appropriately — excluded from MFA coverage metrics and off-hours anomaly detection, since agents run continuously by design.

Two new detection rules:

  • Possible AI agent unclassified — flags service account identities that exhibit agent-like behavior patterns but haven't been formally classified in Okta. Maps to SOC 2 CC6.1/CC6.2 and ISO 27001 A.5.15/A.5.18.
  • AI agent count growing — fires when the number of active AI agents grows faster than overall headcount, surfacing infrastructure drift before it becomes a governance gap.

AI chat improvements

Grouped finding context — The AI assistant can now identify and act on individual users within grouped findings. Previously, grouped findings (admin without MFA, stale admins, suspended members in groups, cross-platform MFA gap) had no specific identities surfaced to the assistant — it couldn't name affected users or initiate targeted remediation for them. Now the assistant names each affected user and can act on them individually.

remove_admin_role action — New confirmation-gated action for removing admin or privileged roles from a specific user across all connected identity providers: Okta, Google Workspace, Entra ID, JumpCloud, and OneLogin. The user's account stays active — only elevated roles are removed. Behaves the same as other high-impact actions: the assistant proposes the action with a summary, and you confirm before it executes.
