Your Notification Is Now Edited by a Model You Cannot Inspect
A push notification used to be neutral transport. You wrote the string, the platform delivered the string, the user read the string. The contract was boring and that was the point. Nobody between sender and reader rewrote your words.
That contract is gone. On iOS and Android, an on-device model now sits in the delivery path. It summarizes long notifications into one line. It groups and demotes the ones it judges low-value. It can surface a different sender ahead of yours. The user no longer reads what you sent. The user reads what a model decided to show them, after editing.
This is the same governance question we raised about disposable interfaces: when the UI is skipped, where does control go? Here the surface is different and the stakes are sharper, because the comms layer is where most software still believes it has a direct line to the human. It does not. The line now runs through a model neither the sender nor the reader can inspect.
The editor you never hired
Jacques Corby-Tuech’s analysis of what Apple and Google are doing to push notifications lands the mechanism plainly. The delivery path is no longer a pipe. It is an editorial desk, staffed by software.
Apple Intelligence runs a roughly 3-billion-parameter model on the device, with a server-side mixture-of-experts reached through Private Cloud Compute when the on-device model defers. Google ships Gemini Nano inside AICore, with LoRA adapters tuning behavior per task. Both can read an incoming notification and decide what the human sees: the full text, a compressed summary, a demoted position in a stack, or nothing surfaced at all until later.
The numbers say users are voting with the toggle. According to Batch, which measured more than 800 billion messages across 10,000 apps in 2025, Android notification opt-in fell from 85% to 67% in a single year. The cross-platform average sits at 61%. When the channel gets noisier and less trustworthy, people shut it off. The model promises to fix that noise by editing on the user’s behalf. The side effect is that it edits on the sender’s behalf too, and the sender never agreed to the edit.
From editing to acting
Editing is the visible half. The agentic half is arriving underneath it.
Apple patent US 12,243,523 describes an assistant that detects an attended notification, takes a spoken instruction about it, and executes the corresponding action inside the relevant app. Read that sequence again. The notification stops being a message to a human. It becomes a trigger for an agent. App Intents on iOS and App Actions on Android are the plumbing that lets a platform assistant act on a notification’s content without the human opening anything.
So the comms surface is being reclassified. A notification is no longer only a thing a person reads. It is an event a model parses, possibly summarizes, possibly suppresses, and increasingly can act on. The recipient of your message may not be a person at all. It may be an agent deciding whether the message warrants a tap, a reply, a purchase, or silence.
This is why the disposable-interface argument extends here so cleanly. The interface was the place we put consent, disclosure, and the audit trail. Strip the interface and those controls have nowhere to attach. A notification that an agent consumes never renders the screen where the user would have seen what they agreed to.
The opacity is the governance problem
None of this would alarm a platform team if the editorial model were inspectable. It is not.
You cannot see why your notification was summarized one way and a competitor’s another. You cannot see why yours was demoted in the stack. There is no appeal, no log you can pull, no policy document that tells you the ranking criteria. The model is a closed function sitting between your system and your user, and its decisions are unappealable by design. For a regulated sender of healthcare alerts, fraud warnings, or payment confirmations, that opacity is not a UX detail. It is a delivery-assurance question your compliance team cannot currently answer.
There is precedent for a model in the delivery path manufacturing false signal. When Apple shipped Mail Privacy Protection, its prefetching inflated reported email open rates from 22.6% to 40.5% in six months, per Omeda. The opens were not human. A machine fetched the pixel, and every downstream metric that trusted “open” as a proxy for human attention was now measuring a machine. Notification summarization and agentic triggers will do the same thing to engagement signals, only worse, because the distortion is non-uniform and invisible. You will not know which of your “delivered” notifications a human ever actually read.
Where the checkpoint moves
The instinct is to fight for the channel: louder copy, more notifications, gaming the summarizer. That instinct loses. You cannot out-shout a model whose entire job is to suppress shouting, and trying degrades the trust signal further, which is what drove opt-in down to 67% in the first place.
The governed move is to accept that the checkpoint relocated, and to rebuild it below the interface. If the human may never see your exact words, then the meaning, the consent, and the audit trail have to live in the structured payload, not in the rendered string. Three implications follow.
First, treat the notification as a machine-readable contract, not a human-readable sentence. Send structured intent the platform’s model can parse without distorting: what this is, how urgent, what action it implies. Assume an agent, not a person, is the first reader.
Second, instrument for the model in the middle. Stop trusting “delivered” and “opened” as proxies for human attention. They now include machine reads, summarizer passes, and agent triggers. Build the audit trail at the point you control, your own send and outcome data, because the platform will not give you its ranking log.
Third, govern the agentic path explicitly. If your notification can trigger an in-app action through App Intents or App Actions, that action is now reachable without a human ever touching your UI. Every consent gate, rate limit, and confirmation you assumed the screen enforced has to be enforced server-side, on the action itself.
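The third implication, with the audit trail from the second, sketched as an added example (not code from the original article or from any platform SDK). `ActionGate`, `confirmation_token`, the decision strings and all limits are hypothetical names and values chosen for illustration; the caller is assumed to be already authenticated as `user`.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

SECRET = b"constructed-demo-key"  # assumption: server-held secret, never shipped to the device
CONFIRM_TTL = 120                 # assumed: seconds a human confirmation stays valid
RATE_LIMIT, RATE_WINDOW = 3, 60   # assumed: max allowed actions per user per 60 s

def confirmation_token(user, action, params_digest, issued_at):
    # Issued only after the user confirms on a screen you render; bound to the exact parameters.
    msg = f"{user}|{action}|{params_digest}|{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

@dataclass
class ActionGate:
    consents: set    # (user, action) pairs the user has opted into
    high_risk: set   # actions that need a fresh human confirmation
    audit: list = field(default_factory=list)
    recent: dict = field(default_factory=dict)

    def authorize(self, user, action, params_digest, source, now, token=None, issued_at=None):
        decision = self._decide(user, action, params_digest, now, token, issued_at)
        # Audit at the point you control; `source` is logged, never trusted for the decision.
        self.audit.append((now, user, action, source, decision))
        return decision

    def _decide(self, user, action, params_digest, now, token, issued_at):
        if (user, action) not in self.consents:
            return "deny:no_consent"
        window = [t for t in self.recent.get(user, []) if now - t < RATE_WINDOW]
        if len(window) >= RATE_LIMIT:
            return "deny:rate_limited"
        if action in self.high_risk:
            if token is None or issued_at is None or not 0 <= now - issued_at <= CONFIRM_TTL:
                return "deny:confirmation_required"
            expected = confirmation_token(user, action, params_digest, issued_at)
            if not hmac.compare_digest(expected, token):
                return "deny:bad_confirmation"
        self.recent[user] = window + [now]
        return "allow"

def demo():  # constructed users, actions and parameters
    gate = ActionGate({("u1", "pay_invoice")}, {"pay_invoice"})
    sent, altered = (hashlib.sha256(p).hexdigest() for p in (b"amount=19.99", b"amount=999.00"))
    tok = confirmation_token("u1", "pay_invoice", sent, 1000)
    return [gate.authorize("u1", "pay_invoice", sent, "agent", 1010),
            gate.authorize("u1", "pay_invoice", altered, "agent", 1010, tok, 1000),
            gate.authorize("u1", "pay_invoice", sent, "agent", 1010, tok, 1000),
            gate.authorize("u2", "pay_invoice", sent, "agent", 1010, tok, 1000)]
```

The token here is replayable until it expires; a production gate would also record used tokens and reject a second use.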
Do this now
Pull your last 30 days of notification analytics. Look at the delivered-to-engaged ratio on iOS 18-and-later and recent Android devices versus older ones. If the newer cohort shows a quiet decline you have been attributing to fatigue, you are probably watching the summarizer, not your users. Then pick one high-stakes notification type, a payment alert, a security warning, an appointment reminder, and ask one question: if a model summarized it wrong, suppressed it, or let an agent act on it without the user reading it, who in your organization would know, and how? If the answer is nobody, the governance checkpoint has already moved below your interface and you have not followed it down.
The comms surface was the last place software felt it owned the line to the human. It does not anymore. An uninspectable model holds the pen, and an agent is waiting downstream to act on what it writes. Govern that model’s input and the agent’s actions, because the rendered notification, the thing you used to control, is no longer yours to govern.
This analysis synthesizes “What Apple and Google Are Doing to Your Push Notifications” (Jacques Corby-Tuech, May 2026).
All articles on The Thinking Wire are written with the assistance of Anthropic's Opus LLM. Each piece goes through multi-agent research to verify facts and surface contradictions, followed by human review and approval before publication. If you find any inaccurate information or wish to contact our editorial team, please reach out at editorial@victorinollc.com.