HeadlinesBriefing.com

Apple Intelligence Password Automation Raises Security Questions

Hacker News

Apple unveiled an agentic password-changing feature at WWDC26 that will ship in iOS 27, iPadOS 27, and macOS 27. The Passwords app leverages Apple Intelligence to automatically detect compromised credentials, navigate websites, and replace weak passwords with strong ones without user intervention. This addresses a genuine security gap: research shows users routinely ignore breach warnings or delay fixing exposed passwords.

The automation runs as a Live Activity, handling redirects, pop-ups, and multi-factor authentication challenges while updating credentials. Apple's existing Password Monitoring already identifies reused and compromised passwords using privacy-preserving techniques that don't expose secrets to Apple's servers. However, the new capability requires the agent to read and interpret untrusted web content, creating a significant attack surface for prompt injection.

Every webpage contains third-party content that could manipulate the AI's behavior. Malicious ads, injected widgets, or compromised account pages might redirect credentials, disable MFA, or falsely report successful changes. The core architectural question remains: does the AI model ever receive actual passwords in its context? Proper isolation requires deterministic controls, not just on-device processing.

Account lockout represents another practical risk—if the agent changes a password but fails to save it correctly, users lose access with no recovery path. Until Apple documents the security architecture and approval model, this feature exemplifies why agentic AI demands careful scrutiny before consumer release.
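The isolation and lockout concerns above can be made concrete with a sketch of a deterministic credential broker. This is an added example, not Apple's design or code from the original article; `CredentialBroker`, its methods, and the example.com URLs are hypothetical. It assumes the model only ever sees an opaque handle, while a non-AI executor asks the broker for the secret at fill time.

```python
import secrets
from urllib.parse import urlsplit

class CredentialBroker:
    """Hypothetical broker: secrets stay here, the model sees only handles."""

    def __init__(self):
        self._vault = {}    # handle -> (origin, current password)
        self._pending = {}  # handle -> new password awaiting verification

    @staticmethod
    def _origin(url):
        p = urlsplit(url)
        return f"{p.scheme}://{p.hostname}" + (f":{p.port}" if p.port else "")

    def enroll(self, origin, password):
        handle = "cred-" + secrets.token_hex(4)
        self._vault[handle] = (self._origin(origin), password)
        return handle  # only this value may enter the model's context

    def fill(self, handle, form_action_url, field):
        """Deterministic gate: release a secret only to the enrolled HTTPS origin.
        Called by the executor that types into the page, never by the model."""
        origin, current = self._vault[handle]
        if not origin.startswith("https://") or self._origin(form_action_url) != origin:
            raise PermissionError(f"refused: {form_action_url} is not {origin}")
        if field == "current":
            return current
        if field == "new":
            # Generate once and stage it; the old password stays in the vault.
            return self._pending.setdefault(handle, secrets.token_urlsafe(24))
        raise ValueError("unknown field")

    def commit(self, handle, login_verified):
        """Replace the stored password only after a verified login with the new one."""
        new = self._pending.get(handle)
        if new is None or not login_verified:
            return False  # both old and staged passwords are kept, so no lockout
        origin, _ = self._vault[handle]
        self._vault[handle] = (origin, new)
        del self._pending[handle]
        return True
```

Injected page text can change what the model asks for, but it cannot change the origin comparison in `fill` or skip the verification step in `commit`.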