1. Trusted email domains
What it is — You can now define a list of trusted domains for your email channel. Senders from those domains are created as Employees automatically.
Why it matters — Without domain-level controls, every inbound email, including spam and unknown external senders, creates a new user and a new request. This new update draws a clear boundary between your workforce, known partners, and unwanted noise.
How it works — To set it up, admins can go to Settings, select Security, and go to the Email domain access tab.

Add one or more trusted domains (e.g., acme.com) to create those senders as Employees.
For everyone else, choose a fallback: Add as Guest or Ignore email.
Remember: Subdomains aren't inherited (e.g. acme.com won't cover support.acme.com), and all senders are allowed by default until you configure this.
2. Multiple Application Owners in Access Management
What it is — You can now assign multiple owners to an application in Access Management.
Why it matters — Some applications are managed by more than one person, and approvals need to be handled by that group rather than a single owner.
How it works — Admins can add multiple application owners in one go, and create a policy for the application owners group, so approvals are managed collectively.
3. Allowed Hosts for API Credentials (formerly Webhook Credentials)
What it is — Webhook Credentials are now called API Credentials, and you can restrict which hosts a credential is allowed to be used with.
Why it matters — Without host-level controls, credentials can be used anywhere—creating a security loophole if a credential is ever leaked.
How it works — When adding credentials, admins can define a list of allowed hosts, and the credentials will only work with those hosts. The default allows all hosts, so nothing breaks. You can tighten it further by adding more restrictive hosts as needed.