WWDC 2026: Apple Replaced Custody with Cryptography

At WWDC on Monday, Craig Federighi said Apple uses “none” of Google’s assistant. He was technically right. He was also sitting above an announcement that moves Apple’s most capable AI model onto NVIDIA GPUs inside Google’s data centers. Both things are simultaneously true, and understanding how that’s possible is the WWDC 2026 story that every trade-press headline missed. Most outlets ran something along the lines of “Apple builds AI with Google Gemini.” That’s wrong in a specific and important way. What Apple actually did was change the philosophical foundation of its privacy claim — from physical custody to mathematical proof — and whether that’s better or worse for users depends on whether you trust institutions or equations.

Five Models, One of Them Different

Apple shipped a new AI model family at WWDC called Apple Foundation Models, organized into five components. Four of them run on Apple Silicon in Apple-controlled infrastructure: AFM Core, a standard dense architecture for everyday on-device tasks; AFM Core Advanced, a sparse natively multimodal model that enables image understanding and expressive voices; AFM Cloud, the server workhorse optimized for latency and serving cost; and AFM Cloud Image, which handles image generation and the spatial reframing tools in Photos. According to Apple VP Amar Subramanya, speaking at a WWDC tech talk covered by 9to5Mac, all four were trained on Apple’s own pipelines using Google Gemini technology as refinement data — not as a deployed model, but as a training signal. That distinction matters. Gemini shaped how those four models were trained. Gemini is not what runs when you ask Siri a question.

The fifth model, AFM Cloud Pro, is different. It handles complex reasoning and agentic tool use — the most computationally demanding tasks Apple Intelligence routes to the cloud. It runs on NVIDIA GPUs inside Google’s data centers. “This is our most capable model,” Subramanya said, “with quality similar to Gemini frontier models.” Whether that means AFM Cloud Pro is a wrapped Gemini inference endpoint or an independently trained model of equivalent capability, Apple did not say. Neither the security blog post nor the keynote tech talk resolved that ambiguity, and it is a meaningful one: the privacy architecture is identical either way, but the competitive dynamics are not. An Apple model running on Google’s hardware is different from a Google model running on Google’s hardware behind Apple’s privacy wrapper. Apple wants users and developers to believe it’s the former. That belief currently has no independent verification.

The Sentence That Changes the Argument

The WWDC press release did not explain what actually changed. The announcement that matters appeared in a June 8 post on Apple’s security engineering blog, which most users will never read. It contains the following sentence: “we are collaborating with Google and NVIDIA to run new Apple Intelligence workloads on Google Cloud, extending our industry-leading PCC privacy commitments to third-party data centers for the first time.” The load-bearing words are “for the first time.” Until Monday, Apple’s Private Cloud Compute ran exclusively on hardware Apple owned. The original security argument was structural: Apple controls the silicon, Apple controls the software stack, therefore the privacy guarantee is enforced by physical custody. That argument no longer applies to AFM Cloud Pro. The compute now runs on Google’s racks, with Google’s Titan chip serving as one of two independent roots of trust, alongside Intel CPUs with TDX technology and NVIDIA Confidential Computing GPUs. Apple controls neither the facility nor the servers. What it controls is the attestation chain.

That chain works as follows. Apple’s security blog describes “a cryptographically verifiable, append-only ledger of all Google Cloud hardware that is part of the PCC fleet.” Every physical machine that handles a request from Apple Intelligence is logged in that ledger before it’s allowed to participate. The software that runs on those machines — the PCC stack that processes user requests — must be “cryptographically approved by Apple” before Apple devices will send requests to it. Apple devices verify the attestation signature before transmitting anything. If the attestation doesn’t check out, the request doesn’t go. The five original PCC guarantees — stateless computation, enforceable guarantees, no privileged runtime access, non-targetability, verifiable transparency — are described in the same post as unchanged. What changed is the physical address of the servers those guarantees apply to.

Why Cryptography Can Beat Custody

The counterintuitive argument here is that the new architecture might be stronger than the old one. Apple’s original privacy claim — “we own these servers” — was a trust claim. You could not personally verify it. You could not audit whether Apple’s own engineers had privileged access to PCC nodes outside the attested code path. You trusted Apple’s assertions about its internal controls. The attestation model replaces assertion with proof. “Outside experts can verify those privacy guarantees at any time,” Apple’s Apple Intelligence page states, a claim that was also true of the original PCC but is more meaningful when the infrastructure is operated by a party with independent interests. When Apple ran everything, there was a single actor you were trusting. Now there are two actors — Apple and Google — whose interests diverge sufficiently that neither one alone could quietly compromise the system without the cryptographic proofs failing in ways the other party would notice.

The Foundation Models developer framework, documented for iOS 27 developers, extends this logic further. Apple is opening the same privacy architecture to any third-party model provider with a Swift package that conforms to the Language Model protocol. Google is not the only future partner. The attestation infrastructure Apple has built is designed to generalize — any capable model, from any provider, could theoretically run on PCC infrastructure with the same cryptographic guarantees. Xcode 27’s agentic coding features, announced in the same WWDC sessions, operate inside this same trust boundary. Apple is building a privacy layer, not a model. The distinction is architectural: Apple is positioning itself as the verification authority for AI compute, not as a model developer competing with OpenAI. WWDC 2026 made that positioning explicit.

What the Skeptics Get Right

The strongest criticism of the PCC-on-Google-Cloud arrangement is not about what the attestation model protects. It’s about what it doesn’t. Apple’s cryptographic guarantees cover the content of computation — the request you send, the response you receive, the state of the processing in between. They do not cover traffic analysis. Google can observe that Apple Intelligence requests are arriving at a specific cluster at a given volume and time. Google can see resource allocation patterns, network metadata, and the compute signature of request load. None of that is your data, but it is information about your behavior at aggregate scale. The PCC architecture was not designed to prevent an infrastructure host from making inferences about usage patterns. It was designed to prevent that host from reading your requests or retaining your data. Those are different threat models, and Apple’s blog is honest about which one it addresses.

There is also a gap between “verifiable” and “verified.” Apple’s attestation model is technically auditable. It requires cryptographic expertise, access to the published ledger, and the time to do the work. Security researchers at Apple and a handful of independent institutions do this. iPhone users do not, and most never will. A trust model that requires active monitoring is only as trustworthy as the institutions doing that monitoring — which brings the argument back to trust in institutions, just at one remove. The original claim was “trust Apple because we own the hardware.” The new claim is “trust Apple’s cryptography and the researchers who audit it.” For most users, both claims resolve to the same thing: you trust Apple or you don’t. The architectural improvement is real but it primarily benefits the technical community capable of actually exercising the verification.

Federighi’s framing — “the amount of the Google Assistant we use is none” — is precise and also misleading. Precise because Apple genuinely doesn’t use Google’s client code, deployed models, or search infrastructure. Misleading because the most capable Apple Intelligence tasks now run on Google’s hardware, under Google’s physical custody, with Google’s Titan chip as a root of trust. The distinction between Google-the-AI-provider and Google-the-infrastructure-operator is technically real and practically invisible to the users it would most benefit.

Apple replaced “trust us because we own the hardware” with “verify us because we publish the proofs.” That is a structurally stronger claim — it doesn’t rely on goodwill or physical access, only on cryptography and the researchers willing to check it. The gap is the distance between verifiable and verified: a privacy architecture whose security properties require active monitoring is only as trustworthy as the community doing the monitoring. Apple is betting that community exists and will continue to function. Given the alternative — every AI company running proprietary cloud compute with no public attestation at all — the bet looks reasonable. The architecture that shipped Monday is better than what it replaced. Whether “better” is enough is a question Apple left for someone else to answer.

AI-generated editorial illustration · TemperatureZero · June 11, 2026