Apple Is Redesigning Its App Store Rules to Let AI Agents In

Apple blocked a category of AI apps in March 2026. Six weeks later, the company is actively designing a system to let a new kind of them back in.

According to reporting from The Information, Apple's engineering teams are working on a framework that would permit AI agents to operate within App Store boundaries, while maintaining the security and privacy standards the company has built over 18 years of App Store governance. Details could be revealed at WWDC on June 8, alongside a major Siri overhaul.

That's not a distant roadmap. Apple is contacting developers now. For an organization that moves deliberately on new capability categories, that's a meaningful signal that the timeline is real.

What Apple Blocked and Why Its Rules Could Not Keep Up

In March 2026, Apple began blocking updates for popular vibe coding apps. These tools let people build websites and small applications using natural language prompts rather than traditional code, and they had been growing fast among both developers and non-technical users who found them far more accessible than conventional programming.

The enforcement wasn't about content. It was about behavior.

Apple's App Store Review Guidelines prohibit apps from writing, downloading, or running code that is not embedded in the app. That rule was designed to stop malware from slipping through App Store review by behaving normally during testing and then executing malicious code after approval. Vibe coding apps violated that rule because their core function is to have AI agents write and execute code on device in response to user requests. Apple's enforcement systems flagged this as a policy violation.

Developers were frustrated. The apps weren't doing anything harmful. They were doing exactly what users wanted. But Apple's rules didn't have a category for AI-generated, AI-executed code as a legitimate use case.

Updates were frozen for affected versions. Users who already had the apps could keep using earlier versions, but new downloads were blocked and developers couldn't ship improvements. For apps competing with web-based tools that have no equivalent restrictions, that was a serious competitive penalty. Some vibe coding apps saw their growth stall while browser-based alternatives with identical features faced no such limits.

The current App Store framework was built for static software. A developer submits an app. Apple reviews it. If it passes, users can download it. What reviewers see is roughly what users get. That assumption fundamentally breaks down for AI agent apps.

Modern AI agents, at their most capable, take actions that weren't explicitly programmed by the developer at submission time. A coding assistant might generate and run a test suite on device. A scheduling agent might navigate multiple apps to complete a meeting booking. A shopping agent might execute a purchase across three different services. None of that behavior is fully predictable or inspectable at the time of App Store review, which is the entire basis of Apple's approval model.

Apple's guidelines specifically prohibit apps from writing, downloading, or running code not embedded in the original binary. That prohibition covers most of what current AI coding agents do.

There's a narrow existing escape valve: App Intents. Introduced in iOS 16, App Intents are a typed API framework that lets developers define specific, schema-based actions that AI can invoke. An app might declare a typed action with defined parameters. Apple reviewers can inspect that declared action before approving the app. The AI calling it can only work within those declared boundaries.

This model works well for bounded, predictable behaviors. It's how Apple envisioned AI assistance integrating with apps: through declared, inspectable functions rather than open-ended agency. Some apps have already adopted App Intents extensively, and they're well-positioned for whatever Apple announces next.

The limitation is that App Intents are declarative. They can't represent the kind of open-ended, multi-step reasoning that makes the best AI agents genuinely useful. An intent that says "book a flight" would need to encode an enormous decision tree to cover the full scope of what a real travel agent does. Most developers building sophisticated AI workflows find the model too constraining for serious agentic work.

Apple knew this tension would force the issue eventually. The March enforcement actions made it urgent. And with WWDC six weeks away, the company is running out of time to let confusion about the rules persist.

Apple's New Compliance Tier for AI Agents

The new system Apple is designing would create a compliance tier for constrained AI agents. Based on The Information's reporting and follow-up coverage from MacRumors and 9to5Mac, the framework will allow agent apps that expose discrete App Intents reviewers can inspect before approval, permit AI assistants scoped to declared, schema-based actions that cannot generate executable code, and support approved third-party AI models integrated at the Siri layer without code generation capabilities. It will continue to block apps that generate and execute code on device, agents that create new applications at runtime, and system-wide agents that operate beyond pre-reviewed intent boundaries.

The technical scaffolding for this already exists in Apple's platform. Apple's sandboxing architecture, the existing App Intents framework, and the entitlement system for sensitive capabilities all provide building blocks for a constrained agent tier. The new rules would formalize and expand what's already there, giving developers a clear and officially sanctioned path for building agent-capable apps that can pass standard App Store review.

For developers tracking the best available AI coding agents and how they work across different deployment environments, the Best AI Coding Agents in 2026 resource covers how different agent architectures affect what's possible in constrained environments like Apple's.

The risk logic Apple has cited internally is specific: agents that could delete all of a user's emails if given unchecked access. That's a real failure mode. Autonomous AI systems that can take irreversible actions at scale introduce a category of risk that App Store review was never designed to handle. Apple's answer is to constrain what agents can do at the platform level before the fact, rather than trying to audit every possible post-approval behavior.

The App Store agent framework doesn't exist in isolation. It's part of a broader Apple AI push anchored by iOS 27 and a significant Siri overhaul being developed in parallel. The new Siri is being built to compete directly with Claude, ChatGPT, and Gemini. Apple has partnered with Google to integrate Gemini models into the OS, and is in conversations with Anthropic for additional model integration. The ChatGPT partnership that launched with iOS 18 produced limited user adoption, and Apple is building more capable AI experiences from the ground up rather than depending on external handoffs.

An upgraded Siri that can accomplish complex tasks across apps needs a well-defined relationship with those apps. App Intents are how that relationship gets formalized. If Siri is going to book a flight, order groceries, or schedule a service appointment on a user's behalf, it needs to know exactly what the relevant apps have declared they can do. That's why the agent framework and the Siri update are being developed at the same time. They're architecturally connected. You can't build the assistant without specifying what it's allowed to ask the apps to do.

Developer concerns are real and specific. Commission structure is the most significant long-term question. Apple has stated it doesn't plan to charge commissions on AI agent actions during early stages. But the company has also acknowledged fees are a possibility in the future. Several major technology companies have explicitly declined to partner with Apple over this concern. Multiple Chinese companies, including Baidu, Alibaba, and Tencent, have reportedly resisted Apple AI partnerships specifically because they're unwilling to expose their products to future platform charges.

The commission concern becomes more pointed as agents become more transactional. An agent that books a restaurant reservation, completes a product purchase, or arranges a service appointment generates economic value through Apple's platform. Apple will want a share of that eventually. Developers building agentic apps today are betting on terms that don't yet exist in writing.

There's also a technical concern about the expressiveness of the constrained model. App Intents are powerful but declarative. Developers building truly open-ended agent workflows may find the schema-based model too limiting. If the compliance tier requires every action to be pre-declared in a typed intent, some agent behaviors simply won't qualify, not because they're unsafe, but because they're too context-dependent to encode in a schema ahead of time. Andrej Karpathy has noted that the industry is moving toward longer-horizon autonomous task completion that increasingly challenges any fixed-constraint model. Apple's framework will need to account for that trajectory or risk becoming a ceiling on capability rather than a safety floor.

WWDC on June 8 is the next major checkpoint. App Store Review Guideline revisions are typically published alongside WWDC keynotes. A new agent compliance section would be the clearest signal the framework is ready. Developer sessions previewing what's shipping in developer betas will confirm specifics. How Apple describes Siri's ability to work with third-party apps will reveal exactly what the agent framework permits in practice. Apple is already contacting some developers about integration opportunities, which confirms the company is in active development rather than early design.

How Apple's Approach Compares to Every Other Major Platform

Apple isn't the only platform rethinking AI agent access. It's the most cautious one.

Amazon rebuilt Alexa around agentic shopping experiences earlier this year. Alexa can now autonomously research products, compare prices, and complete purchases on behalf of users. The company's bet is that users who trust Alexa will progressively delegate more purchasing decisions to it over time.

Google hasn't announced equivalent restrictions for agent apps in the Play Store. Android apps that generate and execute code can be distributed without the categorical prohibitions Apple maintains. This week, Google also released an open-source Google Ads MCP server, enabling third-party AI agents to manage advertising campaigns autonomously.

Meta has opened its platforms to AI agents in advertising, shopping, and customer service. The Meta AI system can take actions across Facebook and Instagram on behalf of users with appropriate permissions. TikTok this week launched an MCP server that lets third-party AI agents run advertising campaigns autonomously without manual media-buyer involvement, announcing the move at TikTok World 2026 as part of an industry-wide shift toward agent-first advertising operations. Notion this week turned its workspace into a hub for AI agents, with a developer platform that lets builders create and connect agents that take autonomous action inside users' documents and databases.

Apple's approach stands in contrast to all of this. Every major consumer platform is actively enabling AI agents with relatively few declared constraints. Apple is designing a framework explicitly to constrain what those agents can do.

The argument for Apple's approach is that its users are, on average, less technical, more privacy-conscious, and accustomed to paying a premium for a safe experience. The App Store's reputation for being safer than alternatives is a genuine user benefit and a business asset Apple protects carefully. The argument against is that Apple's caution creates real gaps: developers building AI agent apps will find Android and the web more permissive, and users who want the most capable AI experiences may look elsewhere.

Apple's enforcement record makes clear it takes these rules seriously. The company threatened to remove Grok from the App Store in January 2026 over deepfake image generation. It pulled Freecash in April over data harvesting. It blocked vibe coding app updates in March. These aren't edge cases. They're a consistent pattern of enforcement that developers building AI capabilities need to plan for.

Apple has always moved deliberately when adding new capability categories to iOS. Third-party keyboards took years to arrive, and when they did they came with strict sandboxing. Background app refresh arrived with tight time limits and user-visible controls. In-app purchases launched with explicit review requirements and detailed disclosure rules. Each category eventually opened up further as Apple developed appropriate guardrails. AI agents are following the same pattern.

The bigger unresolved question is whether the constrained-intent model is durable as AI agent capabilities advance. Today's agents are capable but bounded. In two or three years, the gap between what constrained-intent agents can do and what fully open-ended agents can do may be large enough to make the framework feel like a ceiling rather than a safety standard. When that happens, Apple will face the same choice it faced with vibe coding in March: adapt the rules or block the category again.

For now, developers building within Apple's declared boundaries will be positioned for whatever the company announces on June 8. The direction is clear enough to start building toward it.