
Device Trust AI queries: what it means for fleet investigations


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: A natural-language query builder is being added to Device Trust that turns plain-English requests into ready-to-run SQL for fleet investigations, while still letting admins preview and scope the query before execution, according to 1Password. The practical shift is not autonomy, but faster endpoint visibility without handing control away.

NHIMG editorial — what this means for NHI practitioners

Questions worth separating out

Q: How should security teams use natural-language query builders without losing control?

A: Use them as assisted authoring tools, not autonomous executors.

Q: When do AI-assisted endpoint queries create more risk than they reduce?

A: They create more risk when teams let broad prompts run unchecked across large device populations or when rewritten SQL is executed without review.

Q: What do security teams get wrong about AI-generated SQL for device investigations?

A: They assume the main problem is query syntax.

Practitioner guidance

  • Require preview before execution: make SQL preview a mandatory checkpoint for any natural-language generated query, and log the prompt, generated statement, and executor identity together for auditability.
  • Scope queries to the smallest viable device set: use subset execution for investigations whenever the question can be answered on a limited cohort, especially when checking encryption, browser versions, or remote-access tooling.
  • Review rewritten SQL for signal quality: treat any AI-tuned query as a draft, then confirm that the rewritten filters and selected columns still answer the original investigative question without adding noise.
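The three checkpoints above can be enforced in code in front of whatever actually runs the query. The gate below is an added example written for this post, not 1Password's or osquery's code; the prompt, SQL, hostnames and executor name are constructed, and `disk_encryption` is a standard osquery table used here only as sample input.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Hypothetical approval gate for AI-generated osquery SQL (not a vendor API).
# It models the guidance above: mandatory preview approval, a named device
# cohort instead of fleet-wide execution, and static review of the draft SQL.
READ_ONLY = re.compile(r"^\s*SELECT\b", re.IGNORECASE)
FORBIDDEN = re.compile(
    r"\b(ATTACH|DETACH|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|PRAGMA)\b",
    re.IGNORECASE,
)


def check_generated_sql(sql: str) -> list[str]:
    """Return the problems found in a generated statement; empty means it passes."""
    problems = []
    body = sql.strip().rstrip(";")
    if ";" in body:
        problems.append("multiple statements")
    if not READ_ONLY.match(body):
        problems.append("not a SELECT")
    if FORBIDDEN.search(body):
        problems.append("write or schema keyword present")
    return problems


def plan_query(prompt: str, sql: str, executor: str, cohort: set[str],
               approved_preview: bool) -> dict:
    """Build an execution plan plus audit record, or raise if a checkpoint is missed."""
    if not approved_preview:
        raise PermissionError("SQL preview must be approved before execution")
    problems = check_generated_sql(sql)
    if problems:
        raise ValueError("generated SQL rejected: " + ", ".join(problems))
    if not cohort:
        raise ValueError("cohort must name the smallest viable device set")
    audit = {  # prompt, statement and executor are logged as one record
        "ts": datetime.now(timezone.utc).isoformat(),
        "executor": executor,
        "prompt": prompt,
        "sql_sha256": hashlib.sha256(sql.encode()).hexdigest(),
        "cohort_size": len(cohort),
    }
    return {"sql": sql, "targets": sorted(cohort), "audit": json.dumps(audit, sort_keys=True)}


# Constructed sample: an analyst asks about unencrypted disks on two named laptops.
SAMPLE_PROMPT = "Which laptops have disk encryption turned off?"
SAMPLE_SQL = "SELECT name, encrypted FROM disk_encryption WHERE encrypted = 0"
SAMPLE_COHORT = {"laptop-a", "laptop-b"}
```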

What's in the full announcement

1Password's full product update covers the operational detail this post intentionally leaves for the source:

  • Examples of the plain-English prompts the assistant can turn into SQL for endpoint investigations
  • The exact preview flow that lets admins inspect generated SQL before it is executed
  • Details on how rewritten queries can be tightened to reduce noise and improve performance
  • How Device Trust combines osquery and additional telemetry sources to support fleet-wide visibility

Read 1Password's update on natural-language querying in Device Trust.
