TL;DR: According to 1Password, a natural-language query builder is being added to Device Trust that turns plain-English requests into ready-to-run SQL for fleet investigations, while still letting admins preview and scope the query before execution. The practical shift is not autonomy, but faster endpoint visibility without handing control away.
At a glance
What this is: This is a Device Trust update that converts natural-language prompts into SQL queries for endpoint investigations, with preview and execution controls retained by the admin.
Why it matters: It matters because fleet visibility is only useful when security and IT teams can ask precise questions quickly without losing control over scope, safety, or query quality.
👉 Read 1Password's update on natural-language querying in Device Trust
Context
Security teams often know what they want to check on endpoints but lose time translating the question into correct, efficient SQL. In a Device Trust environment, that delay matters because investigation speed depends on both query quality and the ability to run checks across the right device set without creating noise or resource strain.
The governance issue is not AI taking over decisions. It is that operational queries have historically required specialist schema knowledge, which limits who can investigate at speed. A natural-language layer can reduce that bottleneck, but only if the human operator keeps control over what is previewed, scoped, and executed.
Key questions
Q: How should security teams use natural-language query builders without losing control?
A: Use them as assisted authoring tools, not autonomous executors. Keep query preview mandatory, restrict execution to approved device scopes, and log the original prompt alongside the generated SQL. That preserves operator accountability while still improving investigation speed across endpoint fleets and device trust workflows.
Q: When do AI-assisted endpoint queries create more risk than they reduce?
A: They create more risk when teams let broad prompts run unchecked across large device populations or when rewritten SQL is executed without review. The risk is not the prompt itself, but the combination of opaque logic, excessive scope, and weak audit trails around endpoint access and device telemetry.
Q: What do security teams get wrong about AI-generated SQL for device investigations?
A: They assume the main problem is query syntax. In practice, the harder issue is preserving investigative intent, limiting blast radius, and understanding whether the query still reflects the exact control question after rewriting. Good tooling speeds drafting, but governance still has to validate the output.
Q: How do teams know whether query assistance is actually improving device trust operations?
A: Look for shorter time to answer common endpoint checks, fewer failed or noisy queries, and better consistency in how investigators scope work. If generated SQL increases resource usage, broadens access unnecessarily, or produces unclear results, it is adding friction rather than reducing it.
How it works in practice
Natural-language to SQL generation in endpoint trust tooling
The capability sits on top of the existing osquery-backed device inventory and policy layer. An operator describes the desired investigation in plain English, and the system synthesises SQL that can be executed against endpoint telemetry. That is a translation layer, not autonomous decision-making. The important technical point is that the generated query still depends on the underlying schema, available endpoint data, and the quality of the prompt. If the ask is vague, the result can be broad, inefficient, or incomplete. The value is speed of query construction, not new data collection.
Practical implication: teams should treat generated SQL as a draft investigative artifact and validate it before running it broadly.
Why query preview and scoping are the control points
The risk in any query-generation workflow is not the syntax alone. It is the blast radius of what the query touches and what it returns. Previewing SQL before execution preserves operator oversight, while selecting a subset of devices limits unnecessary load and reduces the chance of over-collection during an investigation. In governance terms, this is a controlled assistant pattern rather than delegated execution. The human remains responsible for whether the query is safe, relevant, and proportionate to the incident or compliance question.
Practical implication: require query preview and device scoping as mandatory steps in incident and compliance workflows.
AI-assisted osquery tuning and performance hygiene
The article also points to a second use case: improving already-written SQL. That matters because endpoint queries can become expensive when they pull unnecessary columns, apply inefficient filters, or scan too widely. An AI layer that tightens predicates and narrows selected fields can help reduce resource overhead and improve signal quality. In practice, this is query hygiene, not policy enforcement. The technical benefit depends on whether the rewritten statement still answers the original question without weakening the investigative intent.
Practical implication: use the assistant to improve query efficiency, but keep a review step for any rewritten logic before operational use.
NHI Mgmt Group analysis
Natural-language query generation lowers the investigation barrier, but it does not change the identity model. The article describes a faster way to ask questions of endpoint telemetry, not an autonomous system making security decisions. That distinction matters because the operator still chooses the question, the scope, and the execution target. For practitioners, this is a workflow acceleration layer over device trust, not a new governance subject.
The real governance value is faster access to endpoint facts without expanding standing analyst privilege. Query generation can reduce dependence on a small group of SQL specialists during active investigations. That helps teams scale response, but only if query creation remains reviewable and constrained. The programme question is not whether AI can write SQL, but whether it can reduce investigative latency without widening uncontrolled access to device data.
Device Trust is moving toward intent-driven investigation, and that changes how fleet visibility is consumed. Security teams are no longer limited to prebuilt views or manual query authoring when they need to validate software posture, encryption status, or remote-access tooling. That shifts value from static reporting toward on-demand interrogation of endpoint state. Practitioners should expect more demand for controls that preserve auditability, scope, and query provenance.
Query provenance becomes the named control problem in AI-assisted endpoint operations. Once a prompt is converted into SQL, teams need to know what was asked, what was generated, and what was actually executed. That is the governance layer that keeps natural-language assistance from becoming opaque automation. The practical conclusion is straightforward: if query provenance is weak, investigative trust weakens with it.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A separate finding shows that lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, with inadequate monitoring and logging and over-privileged accounts each at 37%.
- That visibility gap is why the NHI Lifecycle Management Guide matters alongside Top 10 NHI Issues when teams operationalise AI-assisted investigations.
What this signals
Query assistance will only scale safely if it improves investigator throughput without weakening provenance. For teams running device trust programmes, the decision point is not whether natural-language query generation exists. It is whether the organisation can preserve prompt history, generated SQL, and execution scope as auditable artefacts. That is where governance and operational speed either align or drift apart.
The introduction of AI-assisted query drafting also sharpens the need for repeatable investigation patterns. If your team already struggles to standardise endpoint checks, the assistant will amplify that inconsistency unless you define approved prompts, review rules, and execution guardrails. The control plane matters more than the language interface.
With 1 in 4 organisations already investing in dedicated NHI security capabilities, per The State of Non-Human Identity Security, the broader signal is clear: security programmes are moving toward governance of machine-driven access and investigation flows, not just human login events.
For practitioners
- Require preview before execution: Make SQL preview a mandatory checkpoint for any natural-language generated query, and log the prompt, generated statement, and executor identity together for auditability.
- Scope queries to the smallest viable device set: Use subset execution for investigations whenever the question can be answered on a limited cohort, especially when checking encryption, browser versions, or remote-access tooling.
- Review rewritten SQL for signal quality: Treat any AI-tuned query as a draft, then confirm that the rewritten filters and selected columns still answer the original investigative question without adding noise.
- Document approved investigative prompts: Maintain a small library of approved plain-English prompts for recurring checks so teams can reuse tested investigations instead of improvising under pressure.
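A minimal preview-and-provenance gate showing the controls described under "How it works in practice" and in the practitioner list above: read-only preview checks on a generated draft, a device-scope ceiling, and an audit record that keeps the prompt, generated SQL, scope and operator together. This is an added example, not 1Password's or Device Trust's code; the table allowlist, scope ceiling, and the sample prompt and SQL are constructed assumptions for illustration.

```python
import hashlib
import re
from datetime import datetime, timezone

# Assumed allowlist of osquery tables this workflow may read (constructed, not a product setting).
ALLOWED_TABLES = {"disk_encryption", "chrome_extensions", "processes", "programs"}
MAX_DEVICES = 200  # assumed ceiling for a first, scoped run

WRITE_KEYWORDS = re.compile(r"\b(insert|update|delete|drop|alter|attach|pragma)\b", re.I)
TABLE_REFS = re.compile(r"\b(?:from|join)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)

def check_query(sql):
    """Preview checks on a generated draft; returns review findings (empty list = passes)."""
    findings = []
    body = sql.strip().rstrip(";")
    if not body.lower().startswith("select"):
        findings.append("not a SELECT statement")
    if WRITE_KEYWORDS.search(body):
        findings.append("contains a write or schema-changing keyword")
    if ";" in body:
        findings.append("more than one statement")
    if re.search(r"select\s+\*", body, re.I):
        findings.append("selects every column; narrow the projection")
    referenced = {t.lower() for t in TABLE_REFS.findall(body)}
    for table in sorted(referenced - ALLOWED_TABLES):
        findings.append(f"table not allowlisted: {table}")
    return findings

def provenance_record(prompt, sql, device_ids, operator):
    """Audit record tying what was asked, what was generated, where it ran and who ran it."""
    if not device_ids:
        raise ValueError("execution scope must name at least one device")
    if len(device_ids) > MAX_DEVICES:
        raise ValueError(f"scope of {len(device_ids)} devices exceeds ceiling of {MAX_DEVICES}")
    return {
        "prompt": prompt,
        "generated_sql": sql,
        "sql_sha256": hashlib.sha256(sql.encode("utf-8")).hexdigest(),
        "scope_device_ids": sorted(device_ids),
        "scope_device_count": len(device_ids),
        "operator": operator,
        "recorded_at": datetime.now(timezone.utc).isoformat(),
    }

if __name__ == "__main__":
    # Constructed sample: a plain-English ask and the SQL an assistant might draft for it.
    prompt = "Which laptops in the finance cohort have disk encryption switched off?"
    draft = "SELECT name, encrypted FROM disk_encryption WHERE encrypted = 0"
    # An empty findings list means the draft passed preview, so the audit record is emitted instead.
    print(check_query(draft) or provenance_record(prompt, draft, ["fin-laptop-01", "fin-laptop-02"], "analyst@example"))
```

Findings are returned rather than raised so the reviewer sees every problem with a draft at once before deciding whether to revise or run it.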
Key takeaways
- Natural-language query generation speeds endpoint investigations, but it does not remove the need for human review, scoped execution, and auditability.
- The core governance issue is query provenance, because teams must know what was asked, what was generated, and what actually ran.
- Device trust programmes should standardise approved prompts and execution guardrails before AI-assisted querying becomes routine.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Endpoint query scope and access control map to least-privilege device investigation. |
| OWASP Non-Human Identity Top 10 | NHI-08 | Query generation touches operational access to machine telemetry and workflow control. |
| NIST Zero Trust (SP 800-207) | AC-6 | Device trust enforcement depends on controlled access and continuous validation. |
Treat generated SQL as privileged operational activity and require review before running it.
Key terms
- Device Trust: Device trust is the practice of evaluating endpoint posture before allowing access to company resources. It combines policy checks, telemetry, and enforcement so access can be conditioned on software state, encryption, firewall status, or other compliance signals.
- osquery: Osquery is an endpoint visibility tool that represents device state as queryable tables. Security teams use SQL-like statements to inspect software, configuration, and runtime conditions, which makes it useful for investigations, compliance checks, and fleet-wide validation.
- Query provenance: Query provenance is the record of how a query was created, reviewed, and executed. In AI-assisted operations, it includes the original prompt, generated SQL, execution scope, and operator identity so teams can audit decisions and reconstruct investigative steps.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by 1Password: natural-language query generation for Device Trust. Read the original.
Published by the NHIMG editorial team on 2026-06-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org