TL;DR: A natural-language query builder is being added to Device Trust that turns plain-English requests into ready-to-run SQL for fleet investigations, while still letting admins preview and scope the query before execution, according to 1Password. The practical shift is not autonomy, but faster endpoint visibility without handing control away.
NHIMG editorial — what this means for NHI practitioners
Questions worth separating out
Q: How should security teams use natural-language query builders without losing control?
A: Use them as assisted authoring tools, not autonomous executors.
Q: When do AI-assisted endpoint queries create more risk than they reduce?
A: They create more risk when teams let broad prompts run unchecked across large device populations or when rewritten SQL is executed without review.
Q: What do security teams get wrong about AI-generated SQL for device investigations?
A: They assume the main problem is query syntax.
Practitioner guidance
- Require preview before execution Make SQL preview a mandatory checkpoint for any natural-language generated query, and log the prompt, generated statement, and executor identity together for auditability.
- Scope queries to the smallest viable device set Use subset execution for investigations whenever the question can be answered on a limited cohort, especially when checking encryption, browser versions, or remote-access tooling.
- Review rewritten SQL for signal quality Treat any AI-tuned query as a draft, then confirm that the rewritten filters and selected columns still answer the original investigative question without adding noise.
What's in the full announcement
1Password's full product update covers the operational detail this post intentionally leaves for the source:
- Examples of the plain-English prompts the assistant can turn into SQL for endpoint investigations
- The exact preview flow that lets admins inspect generated SQL before it is executed
- Details on how rewritten queries can be tightened to reduce noise and improve performance
- How Device Trust combines osquery and additional telemetry sources to support fleet-wide visibility
👉 Read 1Password's update on natural-language querying in Device Trust →
Device Trust AI queries: what it means for fleet investigations?
Explore further
Natural-language query generation lowers the investigation barrier, but it does not change the identity model. The article describes a faster way to ask questions of endpoint telemetry, not an autonomous system making security decisions. That distinction matters because the operator still chooses the question, the scope, and the execution target. For practitioners, this is a workflow acceleration layer over device trust, not a new governance subject.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A separate finding shows that lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, with inadequate monitoring and logging and over-privileged accounts each at 37%.
A question worth separating out:
Q: How do teams know whether query assistance is actually improving device trust operations?
A: Look for shorter time to answer common endpoint checks, fewer failed or noisy queries, and better consistency in how investigators scope work. If generated SQL increases resource usage, broadens access unnecessarily, or produces unclear results, it is adding friction rather than reducing it.
👉 Read our full editorial: Natural-language device queries change how fleet investigations scale