No, you can't tell your non-SWE friends and family to "just ask an AI" when the potential consequences are them losing access to their vault or having it stolen. They need to know exactly what they're doing.
They're vastly more likely to lose everything they care about by following real security advice, or rather being forced to follow it. 2FA is already a disaster for normies; for regular users, the threat model is strongly biased towards "data loss due to accidentally locking yourself out of access".
In fact, if you consider the impact fully, the best way of managing passwords still seems to be writing them down on a post-it note and keeping it in your wallet - hell, even sticking it to your screen doesn't look so bad these days, compared to alternatives.
Modern infosecurity is absurdly counter-intuitive at high level. Consider that your Google account or your WhatsApp (or Signal) chats are much more secured than your medical data or bank accounts or anything that predates Google. For anything in the real world, there is always a recovery procedure, no matter how much bad luck you had or how badly you screwed up. In the worst case, you might end up needing to chase some documents to authorize or notarize other documents, or show up in court, but you can get your access back. It's insane to imagine the world, in which a single fuckup could wipe out your medical history, your bank account, or any proof of your existence in government systems - and yet, this is exactly what is the case with any modern SaaS that follows "best security practices".
There's literally nothing else in this world that's so easy to mishandle as security in commercial software services.
