LIGHTLEAP ORION
Release Notes
What's New | May 2026
We're excited to announce the biggest update to LightLeap Orion since launch. This release introduces a completely redesigned architecture built for enterprise-scale operations, along with powerful new features across security, administration, and analytics.
Multi-Tenant Platform
LightLeap Orion now operates as a true multi-tenant SaaS platform. Your institution gets a dedicated, isolated environment with its own configuration, users, and data — all managed from a single platform.
What this means for you:
Dedicated tenant environment with fully isolated data
Per-institution configuration for authentication, fraud thresholds, and feature settings
Users can belong to multiple organizations with separate roles in each
Centralized subscription and billing management
Single Sign-On (SSO)
Connect LightLeap Orion to your institution's identity provider for seamless, secure access. No more separate passwords.
Supported protocols:
SAML 2.0 — Compatible with Shibboleth, ADFS, and any SAML 2.0-compliant IdP
OpenID Connect (OIDC) — Compatible with Okta, Azure AD, Google Workspace, Ping Identity
Local authentication — Username/password with configurable password policies and expiry
Features:
Automatic role mapping from your IdP attributes to LightLeap roles
Configurable session timeouts per your institution's security policy
Email domain routing to the correct SSO provider
Password expiry with configurable grace periods
Role-Based Access Control
Granular control over who can see and do what within your LightLeap Orion environment.
Built-in roles:
24 granular permissions covering:
Analytics viewing, configuration, and data export
Fraud marking, queue management, and fraud identifier visibility
Identity verification request, approval/rejection, and status viewing
PII access levels (full, partial, or name-only based on role)
Model viewing and management (application, registration, financial models)
System settings, user management, and audit log access
Permissions are enforced at every level — API endpoints, page navigation, and individual UI elements. Your users only see what their role allows.
Fraud Detection Enhancements
Smarter Fraud Workflows
Contextual reason codes: When reviewing an applicant, the system now shows only relevant action codes based on the applicant's current status. If someone is flagged as fraud, you see “Mark as not fraud” reasons. If they're clean, you see “Mark as fraud” reasons. No more confusion from seeing both sets simultaneously.
Per-model thresholds: Each analytics model (application, registration, financial) can have its own fraud detection sensitivity, configured independently. Fine-tune detection for different document types without affecting others.
Enhanced identifier panels: Historical input support lets you track how applicant data has changed over time.
Fraud Webhooks & Event Notifications
Webhook callbacks: Configure a URL to receive real-time HTTP notifications when fraud predictions are made. Built-in retry logic ensures reliable delivery even if your endpoint is temporarily unavailable.
AWS EventBridge integration: Publish fraud prediction events directly to your EventBridge bus for seamless integration with your existing AWS workflows, Lambda functions, or downstream systems.
Reliable delivery: All webhook events are queued with dead-letter queue (DLQ) support — no events are silently dropped.
Access Tokens & API Integration
External API Access
API tokens (llat_* format): Generate persistent, tenant-scoped tokens for integrating LightLeap Orion with your other systems
Tokens are scoped to your institution — no cross-tenant access is possible
Use standard Bearer token authentication on all external API endpoints (/orion/api/external/*)
Ideal for:
ICCP-governed AI invocations: Authorize Orion fraud models through signed institutional context assertions
Omnia chatbot: Let your AI chatbot query fraud scores and verification status in real time
Embedding Orion dashboards in your existing portals via Atlas Dashboard SDK
Triggering fraud predictions from your SIS or admissions system
Building custom reporting integrations
Automated data pipelines
ICCP — Integrated Context Control Protocol
LightLeap Orion is built on ICCP 1.0 (Integrated Context Control Protocol) — a standardized interoperability framework for governing how AI systems receive authorized institutional context. ICCP was presented at Quantum Leap 2026 and is designed to function as an institutional requirement alongside LDAP, SAML, SCIM, and LTI.
What ICCP Does
ICCP ensures that AI systems never access enterprise data without explicit institutional approval. Before any AI model is invoked — whether for fraud detection, identity verification, or chatbot interactions — the institution controls exactly what identity, data, and models are authorized.
Core principles:
Institutional control: Your institution governs what context the AI receives, not the AI vendor
Least-privilege access: AI models only see what is needed for this user, right now
Signed assertions: Every context authorization is cryptographically signed and verifiable
Deterministic audit traceability: Every AI invocation is traceable and fully reconstructable
Vendor-agnostic: Works with any AI provider (OpenAI, Anthropic, internal, on-prem)
How It Works
Before any model invocation, the ICCP Governance Layer assembles a Context Assertion — a signed, immutable payload that declares:
Example assertion:
ICCP in LightLeap Orion
Fraud predictions are governed by ICCP assertions — every model invocation is authorized, scoped, and auditable
Identity verification requests carry ICCP context with clearance levels and FERPA compliance mode
llat_* API tokens serve as the bearer credential within ICCP flows — your token authenticates the request, the ICCP assertion authorizes the context
Policy enforcement: Institution policy → Role policy → User settings (in precedence order). If an assertion fails validation, the invocation is rejected.
TTL expiry: Context authorizations are time-bound. Expired assertions automatically invalidate — no stale access.
Revocation: Institutions can dynamically revoke authorization, invalidating active sessions immediately
ICCP Deployment Models
ICCP Audit & Compliance
Every ICCP invocation automatically generates an audit record containing:
Assertion ID, user ID, model invoked, resources accessed, timestamp
Retained per institutional compliance requirements (FERPA: 7-year retention in Orion)
Compatible with WORM/immutable log storage and SIEM integration
Redaction-first logging available for sensitive fields
Chat with Orion
Chat with Orion is a new in-product conversational interface that lets your team ask natural-language questions about applicants, fraud predictions, and identity verification — no dashboard navigation required. It's built into the Orion UI and available wherever your team already works.
What You Can Ask
“Show me all applicants flagged as fraud this week and group them by program”
“What's the verification status for applicant A-19234?”
“Why was this applicant flagged?” — Orion explains the contributing identifiers and threshold
“Compare fraud rates across our application, registration, and financial models for the spring cycle”
“Which applicants are pending review longer than 48 hours?”
Key Capabilities
Grounded answers: Every response cites the underlying records, dashboards, and model predictions it draws from — your team can drill in with one click
Role-aware responses: Chat respects RBAC and PII visibility settings — users only see what their role permits, so the same question returns different detail for an Analyst vs. a Viewer
ICCP-governed: Every chat invocation is authorized by a signed institutional context assertion, with the same audit trail and TTL controls as the rest of Orion's AI features
Live data: Queries hit your live Orion analytics — no stale snapshots, no separate sync
Action shortcuts: From a chat answer, jump directly to mark fraud, request verification, or open the full applicant view
Conversation memory: Follow-ups work naturally — “show me the same list, but only flagged for income verification”
How It's Different From Omnia
Chat with Orion is the in-product analyst experience — built into the Orion dashboard for your fraud and admissions teams. Omnia is the cross-product chatbot for applicants and front-line staff outside Orion. Both are powered by the same ICCP governance and llat_* token infrastructure, so the same authorization model applies.
Availability
Available to all users with the Analyst or Staff Admin role on Orion-enabled tenants
Toggle on/off per institution from the admin console
Conversation history retained per user with the same FERPA-compliant audit retention as the rest of Orion
Omnia AI Chatbot Integration
Connect LightLeap Omnia (AI chatbot) to your Orion analytics environment for real-time, conversational access to fraud and verification data.
Real-time queries: Omnia can query Orion's fraud predictions and identity verification status in real time, enabling frontline staff and applicants to get instant answers about application status
ICCP-governed: All Omnia-to-Orion queries flow through ICCP — the chatbot only sees data authorized by the institution's context assertion for that user and role
Orion Smart SDK: Omnia pulls dashboards, fraud scores, and verification data directly into chat conversations using the Orion Analytics Smart SDK v1.0
Powered by llat_* tokens: Same token authentication as all external integrations — configure once, use across products
Use cases:
Admissions staff asking “Is this applicant flagged?” in chat
Automated status updates to applicants via chatbot
Advisors checking verification status without switching to the Orion dashboard
Embed Support
Embed LightLeap Orion views directly in your existing web portals
Token-based iframe authentication: pass an llat_* token in the URL, and it's automatically exchanged for a secure browser session
No additional login required for embedded views
Atlas Dashboard SDK: Embed interactive Orion dashboards into third-party applications with full fraud and identity verification capabilities
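Because the embed flow above carries an llat_* token in the URL, and URLs are routinely written to web server and proxy logs, log pipelines that see these requests should redact the token before storage. The following is an added example, not LightLeap code: a Python scrubber that replaces llat_* tokens in log lines (URL or Bearer header) with a short SHA-256 fingerprint, so the same token can still be correlated without being stored. The token body pattern, the /embed/view path, the "token" parameter name and the sample lines are assumptions constructed for illustration.

```python
import hashlib
import re
from collections import Counter

# Assumption: the page documents only the "llat_" prefix. The body charset and
# minimum length here are guesses, chosen so ordinary words are not matched.
TOKEN_RE = re.compile(r"llat_[A-Za-z0-9_-]{8,}")


def fingerprint(token: str) -> str:
    """Short one-way tag: lets analysts correlate a token without storing it."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]


def redact_line(line: str) -> tuple[str, list[str]]:
    """Redact every llat_ token in one log line; also return the fingerprints."""
    found: list[str] = []

    def _replace(match: re.Match) -> str:
        tag = fingerprint(match.group(0))
        found.append(tag)
        return f"llat_[REDACTED:{tag}]"

    return TOKEN_RE.sub(_replace, line), found


def scrub(lines: list[str]) -> tuple[list[str], Counter]:
    """Scrub a batch of lines and count how often each token fingerprint appears."""
    clean, counts = [], Counter()
    for line in lines:
        redacted, tags = redact_line(line)
        clean.append(redacted)
        counts.update(tags)
    return clean, counts


# Constructed sample lines: hosts, the /embed/view path, the "token" parameter
# name and the token values are all made up for this example.
SAMPLE_LOG = [
    '198.51.100.7 "GET /embed/view?token=llat_EXAMPLEtoken0001 HTTP/1.1" 200 "https://portal.example.edu/"',
    '203.0.113.44 "GET /embed/view?token=llat_EXAMPLEtoken0001&theme=dark HTTP/1.1" 200 "-"',
    'DEBUG outbound request headers: Authorization: Bearer llat_EXAMPLEtoken0002',
    '198.51.100.9 "GET /static/app.js HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    cleaned, seen = scrub(SAMPLE_LOG)
    print("\n".join(cleaned))
    print(dict(seen))
```

The redaction marker does not match the token pattern, so running the scrubber again over already-cleaned logs leaves them unchanged.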
Platform Administration
Admin Console
A new dedicated administration portal for managing your LightLeap Orion environment:
User Management: Invite users by email, pre-assign roles, activate/deactivate accounts, track invitation status
SSO Configuration: Set up and manage SAML/OIDC connections with your identity provider
Subscription Overview: View your active subscriptions, plan features, and billing status
Audit Logs: FERPA-compliant activity trail — every action is logged with who did what, when, from where. Immutable 7-year retention.
Onboarding Experience
New guided setup wizard for first-time administrators
Step-by-step: set admin password → review your subscription → accept terms of service
Invite additional team members with role pre-assignment
Resend invitation emails for users who haven't yet accepted
Legal & Compliance
Terms of Service, Privacy Policy, and Acceptable Use Policy accessible within the platform
Terms acceptance tracked per user with timestamps
Analytics & Dashboard Updates
Simplified API output: Streamlined data format (JSON by default) for faster and easier integrations
Per-model configuration: Independent thresholds, settings, and feature toggles per analytics model
Improved identifier panels: Historical input support for tracking applicant data changes over time
Batch processing: Activity logs processed in batches for improved performance at scale
Theme & Visual Updates
Dark mode: Toggle between light and dark themes from your user settings. Your preference is saved and persists across sessions.
Refreshed design: Apple-inspired design system with cleaner typography, consistent spacing, and a modern semantic color palette
Responsive improvements: Better experience on laptops and tablets — auto-hiding navigation, scroll controls on settings pages, optimized layouts for smaller screens
Security & Compliance
Migration Notes
If you are an existing customer migrating from the previous version:
No data loss: All your existing analytics data, models, and configurations have been preserved
Same URLs: Your existing bookmarks and integrations continue to work
New login experience: If your institution has SSO configured, you'll be redirected to your identity provider on first login. Local username/password still works if SSO is not set up.
New admin portal: Access the administration console at your platform URL under /platform/
API token migration: If you use API integrations, you'll receive new llat_* tokens. Legacy tokens will be supported during the transition period.
New roles: Existing admin users are mapped to the Staff Admin role. You can adjust roles after login from the admin console.
Getting Help
Contact your LightLeap account manager for onboarding assistance
Reach out to support for SSO configuration help
Refer to the admin console's built-in user management guide for role and permission setup
EventBridge integration documentation available upon request
Thank you for being a LightLeap Orion customer. We're committed to building the most powerful, secure, and intuitive analytics platform for your institution.