When Apple unveiled its Foundation Models framework at WWDC 2025, giving developers direct access to the on-device model powering Apple Intelligence, the announcement included a subtle but profound design principle: “Users are always in control, and nothing is shared with ChatGPT without their permission.”
This wasn’t a throwaway line about privacy. It was a declaration of design philosophy for the next generation of AI interfaces. This marks a fundamental shift from traditional UX approaches, moving toward dynamic, intent-driven systems enabled by agentic AI.
As AI agents move from responsive assistants to proactive actors—initiating actions based on on-screen context, personal data, and inferred intent—designers face a paradox: the faster and more automatic we make AI, the less users trust it. Unlike traditional UX, which relies on static interfaces and predictable user journeys, agentic AI represents a departure from established norms by introducing autonomous, decision-making artificial intelligence that adapts and learns.
The solution isn’t to slow agents down artificially. It’s to design intentional friction that transforms automation anxiety into informed consent. Looking to the future, artificial intelligence will continue to redefine UX design, requiring designers to anticipate and embrace new patterns of human-AI interaction.
The Invisible Shift: From Assistive to Agentic
The distinction between traditional AI assistants and true AI agents is behavioral, not technical. Apple’s framework documentation makes this clear: their on-device model can access your notes, calendar, messages, and screen content. It doesn’t just respond when prompted—it “recognizes when a user is looking at an event and suggests adding it to their calendar,” extracting date, time, and location automatically.
This is proactive agency: the AI observes, infers intent, and acts without explicit instruction. This shift creates an agentic experience, where the system transitions from static, interface-centric interactions to dynamic, intent-centric ones, fundamentally differing from previous approaches by enabling AI agents to act on behalf of users.
Google’s PAIR (People + AI Research) guidelines, originally written for assistive AI, are now being updated for the generative AI era. Unlike traditional UX design, which focused on predictable user journeys and direct manipulation, these new guidelines address the unique requirements of agentic AI, where user experience must adapt to more dynamic and autonomous agent behaviors. The team noticed a 560% spike in guidebook traffic between February and August 2023—not coincidentally, right when ChatGPT made AI agency mainstream. Their core principle remains unchanged but gains new urgency: “Empower users with intelligent tools… We respect how our users choose to use these tools to accomplish their goals.”
The word “choose” is doing heavy lifting there. When AI, with the ability to act on inferred intent, proactively makes decisions based on personal context, what does choice even mean?
Privacy as UX: Apple’s On-Device Architecture
Apple Intelligence’s technical architecture provides the first design principle for agentic UX: keep the agent local. When building systems for agentic AI UX design, it is crucial to prioritize privacy and user control at every layer of the architecture.
Their on-device model runs at approximately 0.6 milliseconds per prompt token with a generation rate of 30 tokens per second on iPhone 15 Pro. This isn’t just about speed—it’s about creating a UX where privacy is inherent, not promised. The data never leaves the device. The agent can access deeply personal information (your photos, messages, fitness history) precisely because it never transmits that data anywhere. These systems enable secure and private agentic experiences by ensuring all processing and decision-making remain on the user’s device.
For Workout Buddy on Apple Watch, this architecture enables something previously impossible: real-time motivational insights generated from your heart rate, pace, Activity rings, and fitness milestones—processed entirely on-device. The agent knows when you’re struggling on mile 3 because you struggled at the same point last Tuesday. But this knowledge stays between you and your wrist.
Design Principle 1: On-device processing enables proactive personalization without privacy compromise.
This technical constraint becomes a UX feature. Users can tolerate an agent with deep context awareness because they understand it’s not “telling” anyone. The agent is theirs, not a conduit to a company’s servers.
The Trust Problem: Why Transparency Isn’t Enough
The Nielsen Norman Group’s research on prompt suggestions reveals a critical finding: users need to understand not just what the AI can do, but how to control it. Their study emphasizes “helping users quickly understand what they can use the AI tool for and how to interact with it.” These measures are essential to establish trust between users and agentic AI, ensuring that users feel confident in the system’s reliability and intentions.
But what happens when the AI starts initiating interactions?
Apple’s Visual Intelligence feature demonstrates the problem. When you look at an event poster on your screen, the system “recognizes” it and “suggests” adding it to your calendar, automatically extracting key details. This is elegant proactive design. It’s also potentially alarming.
NN/g found that successful prompt suggestions must be:
Easy to dismiss
Visually unobtrusive
Clearly tied to common user goals
But these principles assume user-initiated actions. Agentic AI flips the script—the system initiates. Now “easy to dismiss” becomes “easy to prevent,” “visually unobtrusive” becomes “visibility of system status,” and “clearly tied to goals” becomes “alignment with inferred intent.”
Traditional transparency (showing what the AI is doing) isn’t sufficient. Users need to see what the AI is about to do before it does it. These transparency principles are essential for a positive user experience in agentic AI systems.
The Non-Obvious Solution: Friction as Feature
Here’s what most designers get wrong about agentic AI: they try to minimize friction. They optimize for speed, seamlessness, and the “delightful” experience of AI just handling things.
This is backwards. In fact, agentic AI UX design represents a new paradigm—one that requires rethinking traditional approaches and principles to create digital interactions that are more adaptive and user-centered.
In agentic UIs, strategic friction increases trust, improves accuracy, and paradoxically creates a smoother long-term experience. The key is designing specific types of speed bumps at critical decision points, as UX design is evolving to incorporate these elements for greater trust and accuracy.
Speed Bump 1: Preview Cards
When Apple’s Visual Intelligence recognizes an event on your screen and wants to add it to your calendar, it doesn’t just do it. It shows a preview of what will be created:
Preview: Comedy Show at The Bell House Date: December 15, 2025, 8:00 PM Location: 149 7th St, Brooklyn, NY
This approach to interface design supports user trust and control in agentic AI by making the system’s actions visible and interpretable.
This preview card serves three functions:
Accuracy check: Users catch extraction errors (wrong time, wrong venue)
Intent confirmation: Maybe you don’t want to attend; you were just reading about it
Trust building: The system’s transparency reinforces that it’s not making unauthorized changes
The 2-second preview creates trust that saves 20 minutes of calendar cleanup later.
Speed Bump 2: Editable Intents
Apple’s Shortcuts integration with Apple Intelligence exemplifies this pattern. When you build a shortcut that uses the AI model to “compare an audio transcription of a class lecture to the notes you took,” the system doesn’t just run. It shows the inferred intent and the specific tasks the agent will perform, allowing you to review and edit these tasks before execution.
From Apple’s WWDC announcement: “Now users will be able to tap directly into Apple Intelligence models… maintaining the privacy of information used in the shortcut.”
The magic word is “tap directly into”—this implies a manual trigger, not automatic execution. Even when the agent could infer you just finished a lecture and have both recording and notes available, it waits for you to initiate the comparison.
Design Principle 2: For high-stakes actions involving personal data synthesis, require explicit initiation even when intent is obvious.
Google’s PAIR guidelines emphasize this through their principle of “Design with care: We take precautions at every stage… to identify how our AI tools may be misused or lead to potential harm.”
Editable intents are that precaution, made concrete. The UI shows:
What the agent thinks you want to do
What data it will use
A chance to modify parameters and review the tasks before execution
Speed Bump 3: Source Peek
When Anthropic’s Claude creates on-device artifacts or Apple’s Writing Tools suggest changes to your text, showing where the suggestion comes from matters enormously.
Apple’s foundation models paper explains their training approach: “We train our foundation models on licensed data, including data selected to enhance specific features, as well as publicly available data collected by our web-crawler, AppleBot.”
But in the interface, this meta-information disappears. Users see suggestions without understanding if they’re based on:
Your personal writing patterns
Generic language models
Specific domain knowledge
Source peek doesn’t mean exposing technical training details. It means contextual attribution:
Without source peek:
Suggested rewrite: “The quarterly results exceeded expectations.”
With source peek:
Based on your previous reports → “The quarterly results exceeded expectations.” vs. Professional style suggestion → “Q3 performance surpassed projections.”
The difference in user trust is substantial. When users understand the agent is drawing from their context versus generic patterns, they’re more likely to accept suggestions—and more likely to catch when the agent misunderstands their intent. Providing actionable insights through clear source attribution further enhances user trust, as users receive specific, practical recommendations they can immediately apply.
Speed Bump 4: Reversible Actions
Apple’s implementation of Live Translation in Messages demonstrates this principle. When translating as you type, the system doesn’t auto-send translations. Instead:
You type in your language
The AI translates in real-time (shown as preview)
You review the translation
You explicitly send or modify
This multi-step process seems slower than automatic translation-and-send. But it’s actually faster because it prevents the workflow-destroying scenario of sending mistranslations and having to apologize and re-explain.
The best friction is friction that prevents bigger friction later.
For actions that involve external parties (sending messages, sharing documents, making purchases), reversibility must be built into the interaction model from the start. This means:
Staged commits (preview → confirm → execute)
Undo as a first-class action (not buried in settings)
Clear state indication (what has the agent done vs. what is it proposing)
The Context Problem: When Personal Data Becomes Prompt
The most sophisticated agentic UX challenge is handling on-screen and personal context. Apple’s visual intelligence extends to “a user’s iPhone screen so they can search and take action on anything they’re viewing across their apps.”
AI systems are enabling new types of digital experiences by leveraging both personal and on-screen context, allowing for more intelligent and autonomous interactions that better understand and fulfill user intent.
This creates extraordinary opportunities:
Seeing a lamp in a photo and instantly searching for similar products
Highlighting specific objects on screen for targeted search
Recognizing structured information (addresses, phone numbers, dates) and offering relevant actions
It also creates extraordinary risks. The agent now has access to information you haven’t explicitly selected or copied. It’s observing your screen continuously.
NN/g’s research on individualized prompt suggestions found that “prompt suggestions become more useful when they are tailored to the individual user.” But there’s a critical distinction between:
Explicit personalization: “Based on your previous searches for generators…” Implicit personalization: “Based on the text message you’re currently reading…”
The second requires different UX patterns:
Pattern 1: Visibility of Data Access
When Apple’s Visual Intelligence analyzes on-screen content, it uses a distinctive activation gesture (pressing screenshot buttons) rather than being always-on. This serves multiple purposes:
Cognitive signal: The user knows when the agent is “looking”
Intentionality: Accidental activation is unlikely
Control: The user initiates observation
This approach supports effective human computer interaction by making data access both visible and intentional, ensuring users are aware of and in control of how the AI agent engages with their information.
Design Principle 3: For ambient data access (screen content, audio, location), require explicit activation gestures.
Pattern 2: Scoped Permissions
Apple Wallet’s order tracking feature “can now identify and summarize order tracking details from emails sent from merchants or delivery carriers.”
This requires email access—one of the most sensitive permission types. The implementation scopes this tightly:
Not “read all emails”
But “identify order confirmations and extract tracking data”
The UX distinction matters. Users understand what the agent is looking for and why, rather than granting blanket email access.
Pattern 3: Human-in-Loop for High-Stakes Inferences
When Google PAIR talks about “respect[ing] how our users choose to use these tools,” they’re addressing a fundamental question: who decides what your data means? In high-stakes scenarios, it is crucial to keep humans in control of sensitive decisions to ensure trust and user autonomy.
If an on-device agent notices you’re texting your boss at 11 PM every night and browsing job sites during lunch, should it suggest updating your resume? The inference might be accurate. The suggestion might be unwelcome.
For actions based on sensitive inferences about user state or intent, always put a human in the loop before execution. This approach ensures that AI agents serve human needs and respect user autonomy.
This looks like:
Suggestions, not automatic actions
Explicit reasoning shown (“I noticed [X behavior]”)
Easy dismissal with “Don’t suggest this again” option
The Performance Paradox: Faster Processing, Slower UX
Apple’s on-device model achieves 30 tokens/second generation. Google’s PAIR team emphasizes speed in their principles. Everything in modern AI development pushes toward lower latency.
Advances in technology, especially in AI and software systems, have enabled these capabilities, making real-time, personalized experiences possible.
But speed without control creates anxiety, not delight.
Consider Apple’s Workout Buddy, which analyzes your heart rate, pace, and fitness history to provide real-time motivational insights. The technical achievement is generating personalized encouragement at the exact moment you need it, processing data with near-zero latency.
The UX achievement is making this feel supportive rather than surveilling. How?
Built-in delays for review:The insight is generated instantly, but delivered through a voice interface that takes time to speak. This voice interface leverages natural language processing, allowing users to interact with the system using everyday language for seamless, intuitive experiences. This creates natural space for users to process what they’re hearing and decide if they want to continue receiving suggestions.
Explicit opt-in:Workout Buddy requires Bluetooth headphones and an Apple Intelligence-supported iPhone. These prerequisites create setup friction that signals: “This is a feature you’re choosing to enable, not something happening to you.”
Easy disable:At any point during a workout, users can turn off the audio guidance. The system continues tracking (its primary job) but stops the agentic commentary.
This is sophisticated friction design: slow down the interaction (spoken voice) even though the processing is instantaneous. Give users time to process what the agent knows and what it’s doing with that knowledge.
The Developer Experience: Friction at the API Level
Apple’s Foundation Models framework reveals another layer of intentional friction. Despite offering “as few as three lines of code” to access the on-device model, the framework includes:
Guided generation: Constraints on what the model can output
Tool calling: Explicit definition of agent capabilities
Native Swift integration: Type safety that prevents unintended data access
These aren’t technical limitations—they’re design guardrails. Apple is building friction into the developer experience to prevent apps from creating poor agentic UX. Design systems and agent systems are essential for maintaining high-quality agentic UX at scale, ensuring that both the interface and the underlying multi-agent architecture support consistent, trustworthy, and adaptable user experiences.
Compare this to the “move fast and break things” ethos of cloud API access. When developers can send any data to any model and receive any response, the path of least resistance is to minimize user control. Add a text box, send the contents to GPT-4, display the result. No preview, no source attribution, no undo.
On-device frameworks can enforce better UX patterns at the API level.
From Assistive to Agentic: The New Design Checklist
When evaluating whether your AI should act proactively on user data or context, run through these questions:
Keep in mind that different agents may require tailored approaches to proactive behavior and user data handling, as their unique functions and use cases can influence how UX design principles are prioritized and implemented.
Data Sensitivity
What personal information does the agent access? For example, in a SaaS product, personal data sensitivity is a key concern.
Is this information already visible to the user, or is the agent inferring/synthesizing?
Could the agent’s access to this data feel surveilling?
Action Risk
Is the proposed action reversible?
Could incorrect execution harm the user (lost work, sent message, spent money)?
Does the action create external obligations (shared content, scheduled meetings)?
If an AI assistant is handling the action, does the level of risk (such as financial transactions or sharing sensitive information) require additional user confirmation or safeguards?
Intent Confidence
How certain is the system about user intent?
Are there multiple plausible interpretations of the context?
Could the user’s actual goal differ from the apparent goal?
In ai interactions, the system’s confidence in user intent directly influences the design pattern—higher confidence allows for more proactive, personalized responses, while lower confidence may require clarification or fallback strategies to maintain a natural, relationship-like experience.
Speed Bump Selection
Based on your answers, choose appropriate friction:
In traditional UX design, static wireframes provide structured, unchanging layouts that guide user navigation. However, agentic AI UX design shifts away from these static wireframes toward more dynamic friction patterns that adapt to user intent and context.
Low sensitivity + Low risk + High confidence = Minimal frictionExample: Autocorrecting obvious typosPattern: Automatic with subtle undo hint
Medium sensitivity + Medium risk + Medium confidence = Preview frictionExample: Extracting event details to suggest calendar entryPattern: Show preview card, require confirmation
High sensitivity + High risk + Low confidence = Maximum frictionExample: Inferring job dissatisfaction and suggesting resume updatePattern: Show reasoning, require explicit initiation, offer permanent opt-out
The Long-Term UX: From Anxiety to Trust
The Nielsen Norman Group’s research on AI adoption found that even novice users “quickly understood” the value of AI overviews and planned to use them more. But this adoption happened in assistive contexts where users initiated interactions.
Proactive agents face a steeper trust curve. Apple’s approach—combining on-device privacy with interaction patterns that maintain user control—provides a blueprint.
The key insight: Trust compounds through repeated positive experiences with controlled automation.
Each time Apple’s Visual Intelligence correctly identifies event details and the user confirms them into their calendar, trust increases. Each time the suggested calendar entry is almost right but the user catches and fixes the venue name in the preview, trust still increases—because the system gave them the chance to correct it.
But one instance of the system making an incorrect change without asking? Trust plummets.
This is why friction isn’t just ethically correct; it’s strategically essential for adoption. The goal isn’t to remove all obstacles to automatic action. The goal is to remove obstacles to user confidence in automatic action. These patterns are not only building trust for today, but also preparing for an agentic future and shaping the future of UX, where user agency and intelligent systems will redefine how we interact with technology.
Implementation Patterns: Friction as Code
For designers and developers building agentic interfaces, here are concrete patterns:
AI technologies are enabling new implementation patterns for agentic UX, allowing designers to integrate artificial intelligence into user experience design in ways that augment human capabilities and enhance system behavior.
Pattern: Progressive Trust
Start with maximum friction, reduce as the system learns individual user preferences:
First time: Full preview + editable fields + explicit confirm
After 3 successful similar actions: Preview with single confirm
After 10 successful similar actions: Auto-execute with undo notification
UX leadership, such as that demonstrated by Cindy Brummer, plays a crucial role in driving the adoption of progressive trust patterns by guiding teams and organizations in implementing these user experience strategies.
But always maintain escape hatches: “Show me previews for these actions again”
Pattern: Contextual Permission
Not “Can this app access your calendar?” but “Add this event to your calendar?”:
Action-specific consent
↓
Scoped to current context
↓
With preview of what will be added
↓
Primary users—often AI agents in agentic UX—make contextual permission decisions
↓
And one-tap undo afterward
Pattern: Source Attribution Stack
Layer transparency based on user expertise:
For all users:
“Suggested based on your photos”
On tap/hover:
“Found 3 similar photos from June 2024”
In settings:
Full model documentation and training data info
Conclusion: The Agentic Paradox
The paradox of agentic AI design is that the most helpful automation isn’t the fastest—it’s the most transparent and controllable.
Apple’s Foundation Models framework succeeds not just because it’s fast and private, but because it makes proactive AI legible to users. When Visual Intelligence recognizes an event on your screen, you understand:
What triggered the recognition (you’re looking at an event poster)
What the system wants to do (add to calendar)
What information it extracted (specific date/time/place)
How to confirm, edit, or dismiss the suggestion
This isn’t “friction” in the negative sense—delay for delay’s sake. It’s intentional interaction design that transforms ambient AI from creepy to collaborative.
Google’s PAIR principles emphasize that we must “represent our users” and “design with care” when building AI tools. In the agentic era, this means acknowledging a hard truth: the AI that acts fastest isn’t necessarily serving users best.
Sometimes the most human-centered design is one that asks: “Is this really what you wanted?”
The answer to that question—whether it’s a 2-second preview card, an editable intent screen, source attribution, or a simple undo button—is what transforms automation anxiety into informed control.
In agentic UIs, friction isn’t a bug. It’s the feature that makes every other feature trustworthy.
