What happened
Apple announced a new Apple Intelligence-powered feature that can automatically fix weak and compromised passwords. The feature was announced at WWDC 2026 and is expected to launch with iOS 27 for the Passwords app and Safari.
Apple’s built-in Passwords app and Safari can already flag weak, duplicate, or compromised passwords. Safari can also help users create secure passwords when they are setting up an account. However, the existing tools do not automatically fix weak or compromised passwords.
The new feature changes that by allowing the Passwords app and Safari to automatically update eligible accounts to strong passwords. Apple said the system will use AI to take action based on user behavior and secure passwords automatically.
Apple said the new capabilities are powered by the next generation of Apple Foundation Models. These models run on device and on servers using Private Cloud Compute. Apple said the architecture is designed with privacy in mind, from the foundation models to the operating system technologies that integrate the models into Apple’s platforms.
Most of the features run locally on newer iPhones, while some use Private Cloud Compute for cloud-based processing. Apple said that when Private Cloud Compute handles user requests, personal data is not stored or made accessible to Apple or anyone else.
The Apple Intelligence improvements and the agentic password manager are expected to arrive with iOS 27 later this year. Users who do not want to wait can sign up for the Developer Program and try the beta build.
Who is affected
Apple users who rely on Safari and the built-in Passwords app will be affected once the feature launches with iOS 27. The feature is designed for users with weak, duplicate, or compromised passwords and will automatically update eligible accounts to stronger passwords.
Organizations with employees using Apple devices may also be affected if workers rely on Safari or Apple’s Passwords app for personal or work-related account access. The article does not state which account types or websites will be eligible for automatic password updates.
Why CISOs should care
This feature reflects a broader shift toward automated credential remediation. Password managers have long helped detect weak, reused, or compromised passwords, but Apple’s new approach moves further by allowing the system to automatically update eligible accounts to stronger credentials.
For CISOs, that creates both an opportunity and a governance consideration. Automated password remediation could reduce exposure from weak or compromised credentials, but security teams will need to understand how these features interact with enterprise password policies, managed devices, browser controls, and approved credential management workflows.
The privacy architecture is also relevant. Apple says the feature uses on-device processing and Private Cloud Compute, with personal data not stored or made accessible to Apple or anyone else when cloud processing is used. CISOs evaluating AI-assisted security features should pay close attention to where processing occurs, what data is handled, and how vendors describe privacy protections.
3 practical actions
- Review how Apple password tools fit into enterprise credential policy: The new feature will allow Safari and the Passwords app to automatically update eligible weak or compromised passwords. CISOs should determine whether employees are allowed to use Apple’s built-in password tools for work accounts and how those tools align with corporate password management standards.
- Prepare guidance for automated password changes on managed devices: Apple’s feature can take action to secure passwords automatically based on user behavior. Security teams should prepare user guidance explaining when automated password changes are appropriate, what employees should do if account access changes unexpectedly, and how to report issues involving work-related credentials.
- Assess privacy and data handling for AI-assisted credential tools: Apple says the feature is powered by Apple Foundation Models, runs locally for many features, and uses Private Cloud Compute for some cloud processing without storing or exposing personal data to Apple. CISOs should evaluate these claims in the context of enterprise risk, especially where AI-assisted tools interact with passwords, account recovery, and authentication workflows.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.