Apple is working out how to bring agentic AI apps into the App Store without dismantling the review system that makes the platform defensible, AppleInsider reported. The internal debate, those sources say, is less about whether to open the platform than how to contain what gets in. The most capable AI agents — according to current industry reporting — the kind that write code, spawn programs, and act autonomously across a device, are exactly what App Review was designed to prevent. That tension is the problem Apple is trying to solve, and the company hasn't solved it yet.
Not all agentic AI is the same, and the distinction matters for everything that follows. Three categories are in play: coding agents that generate and execute software directly on iPhone and iPad; assistant-style apps that perform declared, auditable actions through Apple's existing App Intents framework; and system-level AI models that Apple approves to handle requests through Siri, Writing Tools, and Image Playground. The App Store governance problem is concentrated in the first category. Apple's apparent path forward, based on current reporting, draws from the other two.
App Store submissions climbed 60% year over year in Q1 2026, with April alone up 104%, as non-technical founders working with tools like Claude Code and Replit moved from concept to submission in days. That volume surge is the environment in which Apple is trying to set Apple's App Store policy for agentic AI.
Why coding agents break App Review
App Review rests on a single structural assumption: Apple inspects software before users run it. Coding agents dissolve that assumption.
An AI coding app that clears review could subsequently be used to create malware Apple has never seen. The generated software could bypass parts of Apple's traditional inspection process. Apple's App Store Review Guidelines already prohibit apps from writing and producing other software on iPhone and iPad, the same report noted, a rule that currently bars vibe-coding tools from the store entirely.
The revenue concern compounds the security one. A coding agent that builds lightweight tools on demand could substitute for purchased App Store software, potentially reducing the transaction volume underlying Apple's services business. Both concerns center on the same category of app.
The review system is already strained before agents enter the picture. In 2024, Apple caught more than 17,000 apps that passed initial review and then altered their behavior afterward. One Ledger-clone scam that slipped through reportedly drained about $9.5 million from users before being pulled. Agents, designed to change their behavior dynamically in response to context, would make post-launch enforcement considerably harder under any model Apple currently operates.
The problem Apple is actually trying to solve, then, is not whether AI agents should exist on iPhone. It's whether the company can define a category of agent whose behavior is auditable both during review and after deployment. That narrower question points directly at the infrastructure Apple has already built.
How App Intents already enforce the boundary Apple wants to draw
Apple may not need to redesign its platform to accommodate a constrained class of AI agents. The enforcement mechanism is already there.
App Intents, the typed API framework Apple introduced with iOS 16 and has expanded through every subsequent release, define what a third-party app is permitted to do in structured, schema-based terms that Apple's AI can call and Apple's reviewers can inspect. As developer Blake Crosley laid out in detail recently, App Intents are the formal contract between a third-party app and Apple Intelligence. An app without them in 2026 is invisible to Apple Intelligence entirely.
The mechanics are concrete. A hydration app's LogWaterIntent declares an amount: Int parameter. Apple's AI calls it with a value and receives a result, with no freeform string parsing and no behavior outside the declared schema. Every action the AI can take through that app is enumerated in advance, typed, and reviewable.
Apple's next-generation OS releases are expected to expand Foundation Models support, Apple's on-device large language model framework, which runs parallel to App Intents and exposes its own Tool protocol for in-app inference. Critically, there is no setSystemPrompt() API available to third-party developers with Apple does not currently expose a public API for developers to define system-level prompts. External apps cannot shape how Apple's system-level AI behaves or expand their action space beyond what they have declared.
Reports that Apple's upcoming 27-series OS releases with future Apple operating system releases will let users choose from Apple-approved third-party models for Siri, Writing Tools, and Image Playground describe a different question entirely. Those models would reportedly operate at the system level under stricter Apple inspection and without any coding capability. Letting users pick between approved AI services for Siri queries is not the same as admitting autonomous coding agents into the store. It's evidence of Apple's preferred governance style: controlled substitution within Apple-defined surfaces, not open-ended autonomy.
The commercial case, and what the framework may look like
Apple's motivation for engaging with this problem is not purely defensive. The company reportedly wants agentic AI subscriptions to flow through the App Store, where it collects a revenue share, rather than around it.
Sources say Apple's internal discussions are explicitly tied to finding a way to profit from agentic apps. Computerworld reported six weeks ago that Apple will probably take a cut of AI subscription sales made through the platform, though exact terms remain unclear. Revenue is a driver. The shape of any solution is constrained by what the review model can actually govern.
What Apple is reportedly designing is a compliance framework requiring agentic apps to meet defined privacy and security standards as a condition of approval. That framework would, by construction, exclude the more autonomous systems. No OpenClaw-style autonomous software with broad reach across a user's system. Based on current reporting, the split looks roughly like this:
Likely permitted: Agent apps that expose discrete, typed App Intents; AI assistants scoped to a declared action space; approved third-party models integrated at the Siri layer without coding capability
Likely blocked: Apps that generate executable code on-device; agents that spawn new applications outside pre-reviewed behavior; system-wide agents operating beyond declared intents
European regulatory pressure adds a dimension worth noting, though a narrower one than it might appear. When the Commission applied DMA interoperability obligations against Apple for iOS connectivity features, Apple's response was to build structured access processes: a dedicated engineering team, a formal request system, and a public tracker for developers.
Separately, ICLE flagged AI agents may emerge as new platform gateways not clearly covered by existing DMA categories. Apple's compliance history makes its approach predictable: build the minimum access framework the rules require, then scope it as tightly as the rules allow.
What to watch next
WWDC in June is expected to carry significant AI content, though it remains unclear whether App Store Review Guidelines for AI apps will be addressed directly. The more reliable signals will come from developer documentation and API surface changes. Watch what new App Intents capabilities are introduced, not just which AI partnerships get announced on stage.
The metrics that will reveal what Apple's review policy actually is, as distinct from what it publishes, are rejection rates, time-to-approval, and post-launch pull rates. Those three numbers together will show whether Apple has genuinely opened a lane for agentic AI or added new language to a policy it intends to enforce as narrowly as before.
The App Intents infrastructure, as Blake Crosley observed last month, is something Apple has been building and signaling for three years. Whether or not a formal compliance tier for agentic apps arrives this year, the technical boundary it would codify is already visible in the platform. Developers who map their AI capabilities to declared, schema-based App Intents are building in the direction Apple's governance model already points. Developers counting on open-ended agent autonomy are building toward a wall. The platform architecture already reflects the governance approach Apple appears to favor.
Comments
Be the first, drop a comment!