# AI Pilot API

Maintained by: Aether365 Team
Audience: Developers
Scope: AI Pilot remediation endpoints - generate, review and apply automated fixes
AI Pilot turns failed findings from your compliance and exposure scans into automated fixes. Over the API you can generate a remediation plan for a scan, review the proposed changes, and apply the ones you approve. Applying a fix is always an explicit call you make - nothing is changed until you ask for it.
## Requirements
AI Pilot endpoints require the AI Pilot entitlement (Pro or Enterprise) and a Microsoft 365 connection linked in AI Pilot (write-consent) mode. A read-only connection can generate and read plans but cannot apply fixes. Calls return 403 AUTH_INSUFFICIENT_SCOPE when the entitlement is missing.
## List Auto-Remediable Checks
Returns the check IDs AI Pilot knows how to fix automatically. Use it to decide, per finding, whether an automated fix is available.
`GET /tenants/me/remediation/capabilities`

**Example Response**

```json
{
  "success": true,
  "data": { "autoRemediableTestIds": ["AE.1068", "CIS.M365.5.1.2.3", "AE.1102"] }
}
```

## Generate a Remediation Plan
Builds a remediation plan for a completed scan: one item per fixable failed finding, each with the current value, the proposed secure value, and the setting it targets. Reading the current value uses the AI Pilot connection's read scope; no change is written.
`POST /tenants/me/scans/{scanId}/remediation-plan`

**Example Request**

```bash
curl -X POST https://api.aether365.io/tenants/me/scans/scan_abc123/remediation-plan \
  -H "Authorization: Bearer ak_live_..."
```

**Example Response**

```json
{
  "success": true,
  "data": {
    "id": "plan_abc123",
    "scanId": "scan_abc123",
    "msTenantId": "00000000-0000-0000-0000-000000000000",
    "status": "pending",
    "createdAt": "2026-06-17T09:00:00Z",
    "items": [
      {
        "id": "item_1",
        "testId": "AE.1068",
        "coveredTestIds": ["AE.1068", "CIS.M365.5.1.2.3"],
        "actionKey": "require_mfa_admins",
        "title": "Require MFA for administrator roles",
        "settingKey": "conditionalAccess.requireMfaAdmins",
        "currentValue": false,
        "proposedValue": true,
        "status": "pending",
        "appliedBy": null,
        "appliedAt": null,
        "error": null
      }
    ]
  }
}
```

## List Remediation Plans
Returns the tenant's remediation plans, newest first, each with its items and rolled-up status.
`GET /tenants/me/remediation-plans`

**Plan status values**

| Status | Meaning |
|---|---|
| pending | Generated, nothing applied yet |
| completed | Every item applied and verified |
| partially_applied | Some items applied, some failed or still pending |
| failed | No item could be applied |
## Get a Remediation Plan

`GET /tenants/me/remediation-plans/{planId}`

Returns a single plan (with its items) scoped to your tenant. A plan that belongs to another tenant returns 404 NOT_FOUND.
## Apply a Remediation Plan

Applies the selected items via the AI Pilot connection: each setting is written through Microsoft Graph and then re-read to confirm the change took effect. Items you do not list are left untouched, and an already-verified item is never re-applied.

`POST /tenants/me/remediation-plans/{planId}/apply`

**Request Body**

| Field | Type | Description |
|---|---|---|
| itemIds | string[] | IDs of the plan items to apply |

**Example Request**

```bash
curl -X POST https://api.aether365.io/tenants/me/remediation-plans/plan_abc123/apply \
  -H "Authorization: Bearer ak_live_..." \
  -H "Content-Type: application/json" \
  -d '{ "itemIds": ["item_1", "item_2"] }'
```

**Example Response**

The full plan is returned with each item's updated status and, on failure, an error explaining why.

```json
{
  "success": true,
  "data": {
    "id": "plan_abc123",
    "status": "partially_applied",
    "items": [
      {
        "id": "item_1",
        "title": "Require MFA for administrator roles",
        "status": "verified",
        "appliedAt": "2026-06-17T09:05:00Z",
        "error": null
      },
      {
        "id": "item_2",
        "title": "Disable legacy authentication",
        "status": "failed",
        "error": "Write consent is missing or has expired"
      }
    ]
  }
}
```

**Item status values**

| Status | Meaning |
|---|---|
| verified | Applied and confirmed by a re-read |
| applied | Applied; Microsoft has not yet confirmed propagation (re-checked later) |
| failed | Could not be applied - see error (e.g. write consent missing) |
| pending | Not applied in this call |
## Human approval is preserved
There is no "apply everything" shortcut. You choose the plan and the exact items to apply, so an automated workflow still keeps a human (or a deliberate decision) in the loop.
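The end-to-end flow described on this page (check capabilities, generate a plan, pick the items a human has approved, apply, then read each item's status and error) as an added example. This is not Aether365's SDK and nothing here is the project's own code; it is a small client written against the endpoints and response shapes documented above. The HTTP transport is pluggable, so the workflow runs offline against a constructed fake whose values mirror the page's examples; the error envelope for non-2xx responses (`{"success": false, "error": {"code": ..., "message": ...}}`), the keys `ak_test_demo` and `ak_test_noentitlement`, `item_3`, and every `actionKey` other than `require_mfa_admins` are assumptions made for the demo.

```python
# Review-and-apply workflow for the AI Pilot remediation endpoints. Added example,
# not Aether365's SDK; the transport is pluggable so it runs offline against a fake.
import copy
import json
import urllib.error
import urllib.request

BASE_URL = "https://api.aether365.io"

class AiPilotError(Exception):
    def __init__(self, status, code, message=""):
        super().__init__(f"{status} {code}: {message}")
        self.status, self.code = status, code

def http_transport(method, url, headers, body):
    """Real transport via urllib. Returns (http_status, parsed_json_body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")

class AiPilotClient:
    def __init__(self, api_key, transport=http_transport):
        self.headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
        self.transport = transport

    def _call(self, method, path, body=None):
        status, payload = self.transport(method, BASE_URL + path, self.headers, body)
        if status >= 400 or not payload.get("success"):
            err = payload.get("error", {})  # assumed error envelope: {"error": {"code", "message"}}
            raise AiPilotError(status, err.get("code", "UNKNOWN"), err.get("message", ""))
        return payload["data"]

    def capabilities(self):
        return set(self._call("GET", "/tenants/me/remediation/capabilities")["autoRemediableTestIds"])

    def generate_plan(self, scan_id):
        return self._call("POST", f"/tenants/me/scans/{scan_id}/remediation-plan")

    def apply_items(self, plan_id, item_ids):
        return self._call("POST", f"/tenants/me/remediation-plans/{plan_id}/apply", {"itemIds": list(item_ids)})

def fixable_findings(failed_test_ids, auto_remediable):
    """Failed findings for which AI Pilot offers an automated fix."""
    return set(failed_test_ids) & set(auto_remediable)

def select_items(plan, approved_action_keys):
    """Pending items whose action is on the caller's approved list; verified ones are skipped."""
    return [i["id"] for i in plan["items"]
            if i["status"] == "pending" and i["actionKey"] in approved_action_keys]

def summarize(plan):
    """Bucket items by outcome; failed items keep the API's error text."""
    out = {"planStatus": plan["status"], "verified": [], "applied": [], "pending": [], "failed": {}}
    for i in plan["items"]:
        if i["status"] == "failed":
            out["failed"][i["id"]] = i.get("error")
        else:
            out[i["status"]].append(i["id"])
    return out

def run_workflow(client, scan_id, approved_action_keys):
    """Generate a plan, apply only the approved items, report per-item results."""
    plan = client.generate_plan(scan_id)
    chosen = select_items(plan, approved_action_keys)
    if not chosen:  # nothing approved means nothing is written
        return summarize(plan)
    return summarize(client.apply_items(plan["id"], chosen))

# Constructed offline fake. IDs and messages mirror the page's examples; item_3 and
# the actionKeys other than require_mfa_admins are made up for this demo.
_FAKE_ITEMS = [
    {"id": "item_1", "testId": "AE.1068", "actionKey": "require_mfa_admins", "status": "pending", "error": None},
    {"id": "item_2", "testId": "AE.1102", "actionKey": "disable_legacy_auth", "status": "pending", "error": None},
    {"id": "item_3", "testId": "CIS.M365.5.1.2.3", "actionKey": "unapproved_example_action",
     "status": "pending", "error": None},
]
_FAKE_OUTCOMES = {"item_1": ("verified", None), "item_2": ("failed", "Write consent is missing or has expired")}

def fake_transport(method, url, headers, body):
    if headers["Authorization"] == "Bearer ak_test_noentitlement":  # constructed key lacking the entitlement
        return 403, {"success": False, "error": {"code": "AUTH_INSUFFICIENT_SCOPE", "message": "entitlement missing"}}
    path = url[len(BASE_URL):]
    if (method, path) == ("GET", "/tenants/me/remediation/capabilities"):
        return 200, {"success": True, "data": {"autoRemediableTestIds": ["AE.1068", "CIS.M365.5.1.2.3", "AE.1102"]}}
    if (method, path) == ("POST", "/tenants/me/scans/scan_abc123/remediation-plan"):
        return 200, {"success": True, "data": {"id": "plan_abc123", "status": "pending", "items": copy.deepcopy(_FAKE_ITEMS)}}
    if (method, path) == ("POST", "/tenants/me/remediation-plans/plan_abc123/apply"):
        items = copy.deepcopy(_FAKE_ITEMS)
        for i in items:
            if i["id"] in body["itemIds"]:  # unlisted items are left untouched
                i["status"], i["error"] = _FAKE_OUTCOMES.get(i["id"], ("applied", None))
        status = "completed" if all(i["status"] == "verified" for i in items) else "partially_applied"
        return 200, {"success": True, "data": {"id": "plan_abc123", "status": status, "items": items}}
    return 404, {"success": False, "error": {"code": "NOT_FOUND", "message": path}}
```

To run against the real API, construct `AiPilotClient("ak_live_...")` with the default transport; the approved-action set is the place where the human decision lives, so a scheduled job that calls `run_workflow` with a fixed, reviewed set of `actionKey` values still never applies anything that was not explicitly chosen, and a plan whose items are all outside that set produces no write at all. The summary separates `verified` from `applied`, because an `applied` item has not yet been confirmed by a re-read and should be re-checked later rather than counted as done.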