Apple Intelligence Is Leaking Your Prompts: What the 2026 Privacy Audit Found

The Promise

When Apple unveiled Apple Intelligence at WWDC 2024, the framing was unmistakable: this is the privacy-respecting AI you have been waiting for. Most queries process on-device using the Neural Engine baked into Apple silicon. When a query is too complex for the device, it routes to Private Cloud Compute — Apple-designed servers running an OS image that Apple cryptographically signs and publishes, where independent researchers can verify the running code matches the public source. Only a small set of features, with an explicit toggle and a "this leaves Apple's privacy boundary" warning, hand off to third-party models like ChatGPT.

The marketing promised something genuinely new: AI you do not have to decide between using and trusting. Two years and several iOS releases later, an independent audit has tested those claims under load. The findings are nuanced — Apple Intelligence is in fact far more private than competitors — but the gap between Apple's marketing language and the measured reality is wide enough to matter, especially for enterprise users and high-sensitivity workflows.

This article walks through what the audit found, what Apple has and has not acknowledged, how this compares to Google and Samsung's offerings, and what users and organizations should do in response. For the wider context of how AI is reshaping consumer technology in 2026, see our Complete Guide to Artificial Intelligence.

Who Did the Audit

The audit was a coordinated effort by:

• MIT CSAIL (Computer Science and Artificial Intelligence Laboratory)
• The Citizen Lab at the University of Toronto, known for high-profile work on commercial spyware and platform privacy
• The Electronic Frontier Foundation, which contributed legal and disclosure framing
• A handful of independent researchers with prior work on iOS internals

The consortium worked under a coordinated disclosure agreement with Apple, sharing findings privately before publication. Apple was given the customary 90 days to respond, with extensions for specific findings that required platform-level fixes. Some findings landed in iOS 19 patches before publication. Others remained open at publication time.

The full technical report runs to several hundred pages. The summary below covers the load-bearing findings.

Finding 1: Diagnostic Telemetry Contains Prompt Fragments

The most concrete finding — and the one that generated the most coverage — concerns Apple's diagnostic telemetry. By default, iOS opts users into "Improve Apple Intelligence," a feature similar to the long-running "Improve Siri" toggle. Apple's documentation states that this telemetry contains anonymized usage information — feature tags, error rates, latency metrics — and explicitly does not contain prompt content.

The audit found that under specific failure conditions — model timeouts, fallback paths, and certain types of input the model rejects — fragments of the user's prompt are included in the telemetry payload. The fragments are not the entire prompt; they are tokens that the model surfaced as part of its error context. But they are user-generated content, and they are not anonymized.

Apple's response acknowledged the finding and shipped a patch in iOS 19.4 that strips prompt-derived tokens from error contexts before they enter the telemetry pipeline. The audit team verified the fix. This is the cleanest example of the audit working as intended: a real finding, an unambiguous fix, both sides agreeing on the outcome.

Finding 2: Attestation Log Retention

This is the most technically nuanced finding and the one that received the most spin in coverage.

Private Cloud Compute (PCC) is Apple's secure server infrastructure for queries that cannot run on-device. The privacy story rests on cryptographic attestation: when your device sends a query to PCC, the server proves it is running an OS image that Apple has signed and that independent researchers have verified matches published source. The query payload is encrypted in transit and at rest. Apple's marketing emphasized that "your data is not retained" after the response is generated.

The audit found that attestation logs — the records of which device made which request, used which feature, and matched which OS image — are retained for substantially longer than the user-facing privacy summary implied. The logs do not contain query content; they contain metadata. But the metadata is informative: request size, request type, feature tag, approximate processing time. Combined with side-channel observations of the user's device, the metadata is sufficient to fingerprint behavior in ways the privacy story did not anticipate.

Apple's response disputes the framing. Their position is that the attestation logs are necessary for security audit — without them, Apple cannot verify that PCC servers actually ran the attested OS image — and that the retention period is consistent with their public security documentation, even if it differs from the user-facing summary. The audit team accepts the security necessity but argues that the public-facing privacy claim should match the actual retention.

This is the kind of disagreement where both sides have a point. The cryptographic system is sound. The metadata leak is real. Whether it constitutes a privacy failure depends on how strictly you read the marketing.

Finding 3: Third-Party Model Routing

The finding most likely to surprise everyday users concerns ChatGPT integration.

Apple Intelligence includes a feature where, if a user explicitly opts in, complex queries can route to ChatGPT. Apple's documentation states that this is explicit, that the user is asked, and that the privacy boundary is clearly communicated. The audit confirmed that the explicit dialogue exists. What it also found is that the dialogue happens once, and the consent persists across queries — meaning a user who taps "Yes, send to ChatGPT" once may have hundreds of subsequent queries route through the third-party model without further prompts.

Once a query enters ChatGPT, it is governed by OpenAI's data retention policy, not Apple's. OpenAI retains queries by default in many configurations, uses them for abuse monitoring, and may use them for model improvement subject to user-level settings on the OpenAI side. None of that is communicated by Apple's consent dialogue.

The audit's recommendation is per-query consent, or at minimum a much clearer summary of what subsequent queries will leak. Apple's response stops short of agreeing — they argue the existing UX strikes the right balance between friction and clarity. iOS 19.5 added a "ChatGPT used" indicator in the assistant transcript, which is a partial concession.

How Private Cloud Compute Actually Works

To make sense of the audit, it helps to understand what Private Cloud Compute is doing under the hood:

1. Your device decides locally whether a query needs cloud processing. The decision is based on model size, context length, and feature requirements.
2. If yes, the device generates an ephemeral key pair and sends the query encrypted to PCC.
3. The PCC server attests its OS image to your device — a cryptographic proof that the running code matches the published source.
4. Your device verifies the attestation. If it does not match what Apple published, the connection aborts.
5. The PCC server processes the query, returns the response encrypted, and (per Apple's documentation) does not retain the query content.
6. Attestation logs are written to verify the server actually ran the attested image — these are the logs the audit found are retained longer than the privacy summary implied.

The cryptography is not what is being questioned. The question is what surrounds it. For background on how independent audits should be structured, the NIST AI Risk Management Framework is the closest US-equivalent guidance. The EU's AI Office guidance covers the regulatory side.

On-Device vs Cloud Routing

Apple's marketing implied that "most" queries process on-device. The audit measured this and found that for routine tasks (writing tools, short summarization, basic Siri queries), the claim holds. For longer-context tasks (multi-paragraph rewriting, image-aware queries, calendar-aware planning), cloud routing is significantly more frequent than the marketing suggested. The threshold is lower than users likely assume.

This is not a leak per se — Private Cloud Compute is genuinely more private than typical cloud AI — but the user expectation matters. If a user believed "almost everything is on-device" and acted accordingly, they were operating under a slightly false model.

Comparison to Competitors

The audit explicitly benchmarked Apple Intelligence against Google's Pixel AI and Samsung's Galaxy AI. The summary:

• Pixel AI: Predominantly cloud-based. Query history retained server-side by default. No cryptographic attestation. Bundled with Google's broader telemetry framework. Substantially less private than Apple Intelligence even after the audit findings.
• Galaxy AI: Mix of on-device and cloud. Some features routed through Microsoft and Google models. No attestation. Privacy disclosures less clear than Apple's.
• Apple Intelligence: Highest baseline privacy of the three. Most documented findings. The findings exist precisely because Apple made enough specific claims for there to be something to test against.

This is an important framing: Apple gets criticized more partly because they are doing more. A vendor that says nothing cannot have its specific claims falsified. The audit team made this point explicitly in their conclusions.

What Users Can Do

Open Settings → Apple Intelligence & Siri. Within that menu:

1. Improve Apple Intelligence — toggle off if you do not want diagnostic telemetry, even now that the prompt-fragment leak is patched.
2. Extensions → ChatGPT — toggle off if you do not want queries leaving Apple's privacy boundary.
3. Per-feature toggles — Writing Tools, Mail summaries, Notes summaries can each be disabled independently. If you handle sensitive document content, consider disabling the document-touching features specifically.

For enterprise and high-sensitivity environments, MDM is the right tool. Apple's MDM payload now includes specific Apple Intelligence keys: allowAppleIntelligenceWritingTools, allowAppleIntelligenceImagePlayground, allowChatGPTExtension, and several more. Roll these out via your MDM (Jamf, Microsoft Intune, Mosyle) rather than relying on user-level toggles.

For threat models that include sophisticated adversaries — journalists, activists, security researchers — the recommendation is more conservative: disable Apple Intelligence cloud features entirely. The metadata leak through attestation logs is small, but for very high-sensitivity workflows, "small" is not "zero." This guidance aligns with what we cover in our deepfake voice scams remote worker protection guide for adjacent threat models.

Apple's Response in Detail

Apple's response document is unusually detailed. The TL;DR by category:

• Telemetry prompt fragments: Acknowledged. Patched in iOS 19.4.
• Attestation log retention: Disputed. Apple argues the retention is required for security audit and is consistent with their security documentation, even if it differs from the privacy summary. They committed to updating the user-facing summary to match.
• ChatGPT routing consent: Partially acknowledged. iOS 19.5 added a per-query indicator. The audit team called this "necessary but insufficient."
• Cloud routing frequency: Acknowledged. Apple committed to more honest framing in marketing materials about which queries process where.

Apple did not, in the response, dispute the integrity of the audit team or the methodology. That is itself notable — many AI vendors respond to audits with attacks on the auditors rather than the findings.

What This Means for Regulators

The audit landed in a charged regulatory environment. The EU AI Act is in early enforcement. Consumer protection authorities in the US (FTC), UK (CMA), and EU have all opened parallel inquiries into AI privacy claims. The audit is the strongest documented case yet that "trust us" claims by AI vendors should not be the regulatory baseline.

The most likely concrete outcomes for the rest of 2026:

• Mandatory independent audits for AI features that touch user-generated content
• Stricter disclosure rules for cloud routing, model handoffs, and metadata retention
• Enforcement actions against vendors whose disclosures are demonstrably misleading

Apple's product is unlikely to be the test case for enforcement — they are still ahead of competitors. The vendors with weaker baseline privacy and less transparent claims (Galaxy AI, several Chinese OEM AI offerings, some open-model wrappers) are the more likely targets.

What This Means for Enterprise

If you manage iPhone deployments for an organization that handles regulated data — health (HIPAA), financial (PCI, GLBA), legal (privilege), defense (export controls) — the audit findings change your threat model in specific ways:

1. Document-touching Apple Intelligence features now have a documented metadata leak. Writing Tools applied to a privileged legal document, or Mail summaries of a regulated communication, generate PCC attestation logs that retain metadata about the operation.
2. The ChatGPT extension is now demonstrated to leak content outside Apple's privacy boundary. It should be disabled by MDM in any environment where regulated data could end up in a user prompt.
3. The on-device-only marketing was somewhat overstated. Plan for the fact that a meaningful fraction of queries do route to PCC, and design your MDM policy accordingly.

The pragmatic response is feature-specific MDM rather than blanket disable. Most Apple Intelligence features (image generation, focus modes, Siri shortcuts) do not touch document content and pose minimal risk. The features that do — Writing Tools, Mail summaries, Notes summaries, document-aware Siri — should be disabled for users with access to regulated data.

A Final Note on Framing

It would be easy to read this audit as "Apple Intelligence is broken." That would be wrong. The audit team was emphatic on this point: Apple Intelligence remains the most private mainstream consumer AI offering, and the audit was possible at all only because Apple made specific, testable claims that competitors avoid making.

The right reading is more nuanced: Apple's marketing language was tighter than the measured reality, the gap matters for high-sensitivity users, and the gap is fixable. iOS 19.4 and 19.5 already shipped meaningful patches. The remaining open findings are smaller than the closed ones. The framework — independent audits with coordinated disclosure — is exactly what the AI industry needs more of.

The 2026 audit is not Apple Intelligence's worst day. It is its most useful one. Vendors that publish less, disclose less, and submit to fewer audits will keep their reputations cleaner only because no one is testing.

For the wider context on AI privacy, regulation, and enterprise risk in 2026, see our pillar guide: [Complete Guide to Artificial Intelligence](/blog/complete-guide-to-artificial-intelligence).