Currently the only option for threat mesh is enable/disable. Since Threat Mesh DB is updated to block using an IP there is a possibility of false positives and the chances of blocking an entire organization based on one bad actor that is coming from a proxy/NAT for that organization. An option to have staging before enforcement so that the effect of newly updated threat DB can be analyzed before it starts blocking would be beneficial (just like WAF signature staging) and even before a block the false positive can be identified and can be added to Trusted Client Rules.
Better option is to be able to request a review of that IP.