AI
Product News
Introducing the CloudQuery Platform AI Assistant
TL;DR
CloudQuery's new AI Assistant is now the home page of the Platform. Ask questions about your cloud in plain English and get answers directly, or get SQL queries to run yourself. Two modes control data access: privacy mode generates queries for you to run, so the AI never touches your data; full access mode lets the AI run queries and return results in chat. Admins can add custom context so the assistant understands how your infrastructure is organized.
Your cloud data is already in CloudQuery. But getting an answer to "how many unencrypted RDS instances do we have across all environments?" still means switching to the SQL Console, writing a join or two, and hoping you have the right table names.
That friction is what the new AI Assistant removes.
What Is the CloudQuery AI Assistant? #
The AI Assistant is now the home page of the CloudQuery Platform. Instead of a dashboard of charts, you get a conversation window - type a question about your infrastructure in plain English and get an answer back.
This is different from the SQL query writer in the SQL Console. That tool stays where it is, unchanged. The AI Assistant is a separate feature built on a new architecture, designed to be extended over time. The two will eventually converge, but for now they're independent.
We built this because of a pattern we kept seeing: teams had all their cloud data normalized and queryable in CloudQuery, but the step from "I have a question" to "I have an answer" still required SQL fluency. Not everyone on a platform team writes queries every day. The AI Assistant closes that gap.
Key Takeaways
- The AI Assistant is the new home page of the CloudQuery Platform
- In data privacy mode (the default), the AI generates SQL but never accesses your infrastructure data directly
- Full access mode returns answers in chat - useful for iterative Q&A
- Custom Context lets admins give the assistant business knowledge about your specific cloud organization
- This is an early release; rate limits are in place and capabilities are expanding
How Do the Two Access Modes Work? #
There are two ways the assistant can operate, controlled by admins at the organization level.
Terminology
Data Privacy Mode - The default. The AI generates SQL queries for the frontend to run; it never accesses your infrastructure data directly.
Full Access Mode - The AI runs queries against your CloudQuery data and returns results inside the chat interface. Admins enable this in Organization Settings under Platform Settings, then AI Assistant Data Access.
Data Privacy Mode is the default. The AI understands your cloud asset inventory schema, generates SQL, and hands it off to the frontend to execute. You see the results without the AI ever having direct access to your infrastructure data - the right starting point for most organizations, and a hard requirement for teams in regulated industries.
Full Access Mode lets the AI run queries directly and return results in chat. The back-and-forth is faster: follow-up questions re-query without any intermediate steps. Ask "show count of virtual machines across all cloud environments" in privacy mode and you get SQL; in full access mode, you get the count.
Admins toggle this in Organization Settings, under Platform Settings, then AI Assistant Data Access. It applies to all users in the workspace.
What Can You Actually Do With It? #
The assistant works best for questions you'd normally write SQL to answer. Here's how teams are using it:
When You're In the Middle of an Incident #
You need infrastructure context fast - not the SQL Console. Things like "show me all load balancers in us-east-1 with unhealthy targets" or "which EC2 instances changed their security group in the last 24 hours?" land as quick queries or direct answers depending on your access mode. Either way, you're not writing joins during an active incident.
During a Compliance Audit or Security Review #
Audits generate a lot of "do we have any X that violates Y" questions, and the assistant handles them well because it understands the normalized schema across providers. Common ones we see:
- "Which RDS instances don't have encryption at rest enabled?"
- "Show me all IAM users with admin access who haven't logged in for 90 days"
- "List S3 buckets with public access, with their data classification tags"
- "Which EC2 instances are missing the required cost-center tag?"
From the answer, you can ask for the underlying SQL and save it directly as a policy to run on a schedule going forward.
For Cross-Cloud Inventory #
Getting a full picture across AWS, Azure, and GCP normally requires either multiple queries or join logic that not everyone wants to write. The assistant handles the cross-cloud normalization - ask "how many virtual machines do we have across all cloud environments?" and it knows which tables to join across providers.
Multi-turn conversations work here too. Start broad and narrow down without re-stating context each time.
The SQL Console isn't going anywhere. Teams who prefer writing queries directly still have the same tools. The AI Assistant is an additional path to the same data.
Custom Context: Giving the Assistant Your Business Knowledge #
Cloud data is structured. Your cloud organization is not.
The AI knows what an EC2 instance is. It doesn't know that your
team:product tag maps to the accounts owned by the product engineering group, or that anything in the sandbox-* prefix should be excluded from compliance checks. That business context lives in people's heads.Custom Context is a plain-text document that gets added to the top of every conversation. Organization admins create and manage these documents, and all users in the workspace get the benefit. The most useful ones tend to cover account naming conventions, what your tag scheme actually means, and which environments are production versus not. There's an "Auto-include" option that adds the document to every new conversation automatically.
One thing to know: custom context can't be added after the first AI response in a session. Start a new chat if you need to include it.
See the AI Assistant documentation for the full setup guide.
Is This Safe for Enterprise Use? #
Data privacy is the thing teams ask about most. In privacy mode - which is the default - the AI model only sees your schema, not your actual infrastructure data. It generates SQL, the frontend runs it, and you see the results. Your data never leaves your CloudQuery instance. Full access mode is an explicit admin opt-in, visible and reversible at any time. Individual users can't escalate their own access level.
The assistant also has guardrails: it's scoped to cloud infrastructure questions and declines requests outside that. No web browsing, no off-topic queries. Rate limits are in place per session and per day; we're monitoring usage during the rollout and will tune them based on real patterns.
We're tracking quality throughout using LLM observability tooling to monitor relevance scores against each prompt. When the assistant gives a poor answer, we see it. This is an early release and we expect rough edges - that's precisely why we're watching it closely.
What the AI Assistant Cannot Do #
A few things are out of scope for this release and worth knowing upfront: the assistant has no web access, so it can't fetch external docs or analyze URLs. It can't generate reports, interact with policy violations, or work with Insights data. These are on the roadmap.
If you're expecting the SQL Console to disappear - it won't. Engineers who prefer writing queries directly can keep doing that. The AI Assistant is an additional entry point, not a forced replacement.
See the AI Assistant in Action
We can walk you through both access modes, show how custom context works with your team's infrastructure, and help you figure out the right configuration for your organization. Or explore the AI Assistant docs to get started on your own.
Frequently Asked Questions #
What Is the CloudQuery AI Assistant? #
The CloudQuery AI Assistant is a conversational interface for your cloud infrastructure data, built into the home page of the CloudQuery Platform. Ask questions in plain English and get answers directly (full access mode) or as SQL queries you can run yourself (privacy mode). It works against your existing CloudQuery asset inventory - no separate setup required.
What Is the Difference Between Data Privacy Mode and Full Access Mode? #
In data privacy mode (the default), the AI generates SQL that the frontend runs on your behalf - the model itself never touches your data. In full access mode, the AI runs queries and returns results in chat. Admins switch between modes in Organization Settings under Platform Settings, then AI Assistant Data Access.
Who Can Change the Data Access Mode? #
Organization admins only. The setting applies to all users in the workspace; individual users can't change their own access level.
What Is Custom Context and How Does It Work? #
Custom Context is a plain-text document added to the start of every AI Assistant conversation. It lets admins provide business knowledge that isn't visible in the raw data - account ownership, tag meanings, environment naming, and so on. Documents can be set to auto-include. Custom context must be added before the first AI response in a session.
Can I Still Use the SQL Console After Getting a Query From the AI? #
Yes. Queries the assistant generates can be opened in the SQL Console to refine, saved as a policy, or stored as a reusable saved query.
Does the AI Assistant Have Access to the Internet? #
No. The assistant works only with your infrastructure data and any custom context you've provided. It can't fetch external URLs or read documentation sites.
Are There Limits on How Much I Can Use the AI Assistant? #
Yes - rate limits per session and per day. We're monitoring usage during the initial rollout and will adjust based on real-world patterns. If your team hits limits frequently, reach out and we can discuss your usage profile.
What Can the AI Assistant Not Do Yet? #
The current release doesn't support report generation, policy management, policy violation review, or Insights. No web access either. These are on the roadmap; capabilities are expanding as we learn what teams need most.
