Test prompt guardrails against real chats, flag personal AI accounts, and attach remote MCP servers to assistants
Policy authors can now prove a prompt guardrail works before rolling it out: a new evaluation workbench replays real chat transcripts through a policy and shows per-message judge verdicts, with verdicts saved as regression sets for future changes. A new Non-Corporate Accounts risk policy flags sessions authenticated with personal AI accounts or unapproved email domains, and assistants can now connect directly to remote MCP servers alongside their toolsets.
Features
Policy evaluation workbench for prompt guardrails#3924 - Replay real chat transcripts through a prompt guardrail and see per-message judge verdicts with cost and latency details before enforcing the policy. Reviewer verdicts can be saved, listed, and deleted as regression sets, so a policy edit can be checked against past decisions instead of guesswork. CEL scopes are supported in replay. (Author: @vishalg0wda)
Flag sessions from personal AI accounts#3861 - A new Non-Corporate Accounts risk-policy category flags sessions authenticated with a personal AI account or with an AI-account email domain outside an approved list you configure. Findings appear once per session on the Risk Events page, and the approved-domains list is editable in the Policy Center's Customize sheet. (Author: @daviddanialy)
Attach remote MCP servers to assistants#3831 - Assistants can now connect directly to MCP servers, including remote (external SaaS) and tunneled servers that aren't backed by a Gram toolset. The assistant setup chat can list the project's MCP servers and attach one by name, and the assistant's runtime connects to it alongside its toolsets. (Author: @danielkov)
Self-serve sign-in for hook plugins#3824 - Connecting the hooks plugin no longer requires Python or manual API key setup. On session start the plugin opens the Gram dashboard in a browser, receives a hooks-scoped API key on a localhost callback, and caches it per device. Machines that have never signed in aren't blocked — sessions proceed with a warning, and enforcement only becomes strict after the first successful sign-in. (Author: @danielkov)
Track skill activations in Codex sessions#3896 - Opening a skill's SKILL.md or mentioning a skill by name in a Codex session now surfaces as
events in observability, matching the visibility already available for Claude Code sessions. (Author: @danielkov)
Email org admins when an access request is submitted#3221 - Org admins now get an email when a new access request comes in, so requests are noticed and approved without anyone having to watch the dashboard. (Author: @alx-xo)
See which account an employee used last#3909 - The Employees page's Last Activity column now shows the most recently used AI account as a dropdown, with icons distinguishing team accounts from personal ones (#3858 by @chase-crumbaugh). (Author: @daviddanialy)
Refresh list pages in place#3860 - Catalog, MCP, Agent Sessions, Employee Insights, User Sessions, Risk Events, and the Observe Tools and Agents log pages now have a manual refresh button in the toolbar, so the latest data is one click away without reloading the page. (Author: @simplesagar)
Assistant setup chat history is preserved#3811 - Prior onboarding threads with the assistant setup chat are now listed and URL-addressable, so a setup conversation can be picked up where it left off or shared with a teammate. (Author: @claude)
Groundwork for shared remote session providers#3812 - An internal admin API now manages a platform-wide catalog of remote session providers, laying the foundation for projects to inherit shared providers in a future release. (Author: @walker-tx)
Bug fixes
Restore MCP tools in chat#3831 - Chat MCP tool connections no longer fail with an "Illegal invocation" fetch error that left chats without their configured MCP tools, including the assistant setup chat. Opening a chat via a shared
URL also reliably restores the linked conversation instead of sometimes landing on a new empty thread. (Author: @danielkov)
View teammates' assistant chats read-only#3931 - Admins opening another member's project assistant chat now see a read-only transcript instead of hitting a "chat not found" error on send. The composer is hidden for threads the signed-in caller didn't create, matching what the backend has always enforced. (Author: @adaam2)
Let environment editors edit environments#3916 - Creating, updating, and deleting environments now checks the
permission instead of
, so principals holding only
are no longer rejected. Dashboard gates were realigned to match. (Author: @qstearns)
Recover from stale hooks credentials#3901 - Cached hook credentials that are rejected on auth are now cleared automatically, so Claude prompt submission continues and the user is prompted to reconnect instead of getting stuck. (Author: @danielkov)