Fides 2.86.0 release notes

• 2.86.0: May 26, 2026

Helios

Detect and classify global data risks with comprehensive visualization for data mapping and reporting for modern Enterprise.

• Stop a Running Classification Job: Classification tasks can now be cancelled mid-run instead of having to wait for them to finish. Pending tasks are pulled off the queue immediately; in-progress LLM classifications check a cooperative stop signal between fields and exit at the next checkpoint. Already-classified fields keep their results; unclassified fields reset so they can be retried later. Stop works at both single-task and bulk-classify granularity. Detection and promotion tasks can be stopped while pending, but not mid-execution.
• Group Cloud Infrastructure Resources Into Systems: Resources discovered by the AWS cloud infrastructure monitor can now be organized into named groups and linked to multiple systems at once — useful for shared resources like an RDS instance or S3 bucket that serves several applications. Group assignments are surfaced on the resource list and travel with the resource through promotion. Behind the "AWS monitor" feature flag.
• Monitors Inherit Stewards From Systems: Discovery monitors can now inherit their data stewards from the system they point at, so adding a steward to a system propagates to every monitor scanning it. A background reconciler keeps inherited assignments in sync as system stewards change. Inherited stewards live alongside explicitly-assigned ones, and a new Stewardship tab on the user detail page lists every system and monitor a person is responsible for. On by default for new monitors; toggleable per monitor.
• Helios Insights is Generally Available: The insights view that surfaces trends across discovery monitors has graduated from beta and is now on for all customers. No flag or config change is needed.
• Bug Fixes:
  • LLM-based context classification on Okta and Entra identity provider monitors can be enabled at seed time via an enable_llm flag, instead of requiring a follow-up API call after monitor creation.
  • IDP monitor scans no longer fail with stale-connection errors after a long enrichment phase — affects deployments behind a connection-pooling proxy like RDS Proxy or pgbouncer.
  • Fixed an infinite render loop when keyboard shortcuts were used inside the Action Center.
  • Updated the rules used to match staged resources to taxonomy types so unusual resource shapes classify correctly.
  • Cmd+K search reliably opens as a centered modal whether the navbar is expanded or collapsed.
  • Custom field values on a privacy declaration now repopulate correctly when reopening a saved declaration.

Lethe

Enterprise grade privacy request management and processing with a single orchestration layer for DSRs across vendors and systems

• See Every Request From the Same Person: When a request is submitted and checked for duplicates, you can now open a "View related requests" drawer from the activity timeline to see all requests submitted with the same IDs such as email or phone number.
• Filter the Request Manager by Source: A new Source filter on the Request Manager dashboard narrows the list to requests submitted through a specific channel: Privacy Center, Request Manager, Consent Webhook, FidesJS, Janus SDK, or Dataset Test. Consent webhook and dataset-test requests are hidden by default but selectable explicitly.
• DSR Traversal Visualizer (Beta): Before a request runs, you can now preview exactly which integrations it will touch, in what order, and which ones are gated by manual review. The new DSR traversal visualizer shows an upcoming request as a four-lane graph: the identity it starts with, the systems it queries (grouped by stage), the manual review gates that hold it back, and the systems it won't touch. Each integration card shows the dataset and field breakdown and the data categories Fides will pull. Property-scoped and split by action type (Access or Erasure). Behind the "DSR traversal visualizer" feature flag.
• Manage Privacy Request Behavior on the Integration Detail Page: Each integration now has its own Privacy requests tab where you can switch DSR execution on or off and manage linked datasets — without leaving the integration page. For database integrations, the tab also lists linked datasets with a searchable picker. PostgreSQL, RDS MySQL, and Google Cloud SQL for MySQL integrations now also carry the DSR Automation tag in the integration picker.
• Accept File Uploads From the Data Subject: A new file_upload custom field type can be added to Privacy Center forms, letting data subjects attach a file when submitting a privacy request (for example, a photo ID for identity verification). Files are scanned for content type and size before being accepted, and the upload is persisted as an attachment on the request. Per-field size and MIME constraints are configurable in the Privacy Center config. An optional ICAP-backed virus scanner can be wired in via [attachment_scanning] in fides.toml for deployments that require anti-malware scanning at the upload boundary; if configured but unreachable, uploads are rejected. A background job sweeps up uploads that were never associated with a request.
  • Opt-in: Until a Privacy Center config adds a FileUploadCustomPrivacyRequestField, there is no new behavior.
• Build Privacy Center Forms by Chatting With Fides: A new form-builder chat sits inside the Admin UI and drafts Privacy Center intake form specs (field order, conditional visibility, placeholders, location-based logic) from plain-English descriptions, with a live preview alongside. The builder knows the available field types (Text, Select, Multi-select, Radio, Location), emits ISO location codes for location-based conditional logic, and respects visibility rules so values from hidden fields aren't accepted at submit time. The underlying field-order, visibility, and placeholder support is also available via the Privacy Center config directly. Note: This is gated by the "Form builder" beta feature flag.
• Date of Birth as a Custom Identity: Add date_of_birth with a date field type to a Privacy Center action's identity_inputs and the Privacy Center will render a date picker and pass the value through as an identity on the resulting request — useful for downstream systems that disambiguate users by date of birth (for example, household accounts that share an email).
• "Powered by Ethyca" on the Privacy Center, On By Default: The Privacy Center attribution link is now enabled by default. Set FIDES_PRIVACY_CENTER__ATTRIBUTION_ENABLED=false to disable it. Note: This changes the default behavior — customers who never set this environment variable will start seeing the attribution link after upgrading.
• Bug Fixes:
  • The Privacy Center consent page heading and description render their configured HTML instead of showing raw tags as escaped text. Affects deployments with ALLOW_HTML_DESCRIPTION turned on.
  • The manual task digest email now renders the company logo configured on the default property's Privacy Center, instead of falling back to the legacy single-row config.
  • Dashboard priority actions no longer include privacy requests that have been soft-deleted.
  • Integration save errors appear inline under the offending form field instead of as a transient toast.
  • The property_id parameter on the privacy-request attachment upload endpoint is now optional, so requests that aren't tied to a property can still attach files.

Janus

High performance consent recording and orchestration for data sharing, built for enterprise data engineering and AI pipelines.

• Apple App Tracking Transparency for the iOS and Flutter SDKs: Mobile apps built on the Janus iOS or Flutter SDKs can now present Apple's tracking permission prompt before the Fides consent experience, and have the user's answer flow through to the consent UI automatically. When the user denies tracking, every privacy notice that isn't marked ATT-exempt is pre-set to opt-out and locked off so they can't be re-enabled. Opt-in via enableATT: true in the iOS or Flutter Janus configuration; without that flag the SDKs behave exactly as before. Apps that opt in must include NSUserTrackingUsageDescription in their host app's Info.plist. For experiences running the IAB Transparency and Consent Framework, the ATT decision is forwarded to the embedded webview so the same locking applies to the TCF UI. A companion Exempt from App Tracking Transparency toggle on the privacy notice form lets you configure this without a direct API call.
• Iterable Consent Webhook Tokens Refresh Themselves: A new scheduled task refreshes Iterable's OAuth client credentials before they expire, so Iterable bidirectional-consent integrations no longer need a manual token rotation. A generic REFRESH_CONSENT_WEBHOOK_TOKEN request type is also available for other consent webhooks that follow the same pattern.
• Faster Consent Banner Load Times: The FidesJS consent SDK is meaningfully smaller after trimming unused locale data and a few dependencies, with no change to consent behavior.
• Bug Fixes:
  • Fixed a case where an out-of-order consent request could overwrite a newer explicit preference. When a child notice opt-out arrived before a parent opt-in that was submitted earlier, the older parent's cascade could quietly replace the newer choice. The merge step is now timestamp-aware, the cascade-up step uses the most recent child timestamp, and superseded preferences are captured as historical-only records instead of disappearing.
  • Iterable echo detection now handles mixed-direction consent changes correctly, so a single inbound consent change is no longer misread as Fides' own outbound write.
  • The FidesJS banner no longer resurfaces in cases where a notice that was previously stored as non-applicable was served on a later visit.
  • Updated the cookie wildcard placeholder text.

Astralis

Real-time data access, usage, and retention policy enforcement across your infrastructure. Astralis embeds governance directly into data pipelines and AI workflows, preventing misuse before it happens and generating an always-on audit trail for regulatory and AI governance.

Purpose-Based Access Control (Alpha)

All PBAC functionality remains behind the "Alpha purpose-based access control" feature flag.

• Access Policies Reference Custom Taxonomies and System Groups: The policy editor's match block accepts any registered taxonomy dimension, so customers who have extended Fides with custom taxonomies can reference those dimensions when authoring access policies. The policy YAML validator no longer rejects valid custom keys, and the chat assistant knows about the custom dimensions in your deployment so the policies it drafts can reference them. System groups are also pulled into the assistant's context, so policies can be scoped to a system group by name.
• Improved Taxonomy Value Picker: The taxonomy value picker inside a policy match block now scales to large taxonomies with a clear count of selected values, search support, and better layout for long lists.
• API Path Renamed: The access policy REST API endpoint was renamed from /access-policy to /access-policies to follow standard REST naming. The Admin UI already uses the new path, but customers calling the access policy API directly need to update their integrations. Note: This is a breaking change for direct API callers.
• Bug Fix: The BigQuery PBAC connector now extracts referenced tables from cached queries via a SQL-parsing fallback, so enforcement no longer skips queries whose tables were not surfaced through BigQuery's authoritative table list.

Assessments (Beta)

• Easier-to-Read Replies From the Chat Assistant: Responses from the assistant are now easier to scan — formatted code, lists, and links appear in their proper layout instead of running together as a single block of text. A small animated indicator shows when the assistant is working.
• Bug Fix: Questionnaire answer normalization no longer silently drops conflicts between a user's answer and Fides' own system data — the conflict is preserved for review.

Integrations

• New Integration: Microsoft Dynamics CRM (Access): You can now fulfill access privacy requests against Microsoft Dynamics CRM data. The integration is available in the standard add-integration flow.
• Google Analytics Migrated to Admin API: The Google Analytics connector has moved to Google's current Admin API ahead of Google's retirement of the older deletion API, so deletion requests keep flowing without any change beyond reauthorizing the integration. Note: Universal Analytics support has been removed in the same change because Google sunset Universal Analytics in July 2024. Customers still running a Universal Analytics integration will need to migrate to Google Analytics 4.
• Bug Fixes:
  • The Ada Chatbot integration has been renamed to Ada to match the vendor's current branding.
  • The Bloomreach integration now accepts subdomains of bloomreach.com in its allowed domains list.
  • The Gong integration now skips a privacy request entry when Gong returns a 400 because the email belongs to a Gong user, instead of failing the whole request.

Fides core

• Domain Validation Now Blocks by Default: Fides now blocks outbound calls to domains that aren't on a connector's allowed list, instead of only logging a warning. The FIDES__SECURITY__DOMAIN_VALIDATION_MODE setting now defaults to enabled (block) instead of monitor (warn only). Set it to monitor explicitly to keep the previous behavior, or to disabled to turn the check off entirely. Note: This changes the default behavior — requests to disallowed domains will now be blocked with a DomainValidationError.
• Data Catalog Beta Removed: The Data Catalog beta feature, which had not graduated from beta, has been removed.
• Keyboard-Accessible Drag and Drop: Admin UI lists that use drag-and-drop reordering can now be reordered with the keyboard, making them usable for keyboard-only and assistive-technology users. Mouse drag-and-drop continues to work as before.
• Security: Removed the GitPython runtime dependency, eliminating three published vulnerabilities from the production image. Removed test dependencies (pytest, ruff, and others) from the production Docker image. Bumped click to 8.1.8, pydantic to 2.12.5, and litellm to 1.84.0.

Database schema & data changes

• New cloud_infra_group and cloud_infra_group_assignment tables for AWS cloud infrastructure resource grouping.
• New tcf_version_hash_history table for TCF configuration change tracking.
• New attachment_user_provided table for data-subject file uploads.
• New access_package_review model and new awaiting_access_review status on the PrivacyRequest model.
• New inherit_system_stewards column on MonitorConfig. New source and source_system_id columns on MonitorSteward with an updated unique constraint.
• New group_id column on MonitorTask to support grouped stop operations.
• New NOTIFICATION_UPDATE scope added for notification mutation endpoints.