I found something interesting...
As others have reported, my app would always fail on SecItemAdd() with -34018 on the simulator but work fine on a device. I was about to add the 'Share keychain' entitlement as a workaround but noticed that Xcode 8 was prompting me to add the 'Push Notification' entitlement (that entitlement is now required to use push notifications on iOS 10, as the permission is taken from the entitlement rather than the provisioning profile as in earlier versions). This *created* an entitlements file because the app didn't have one before. And without adding the 'Share keychain' entitlement the app suddenly started working! No more -34018. I've reverted back and forth and it seems pretty deterministic: no entitlements file gives -34018; entitlements file works.
So, my testing seems to show that SecItemAdd fails if there's no entitlement file, and works if there is one! Perhaps all the developers adding 'Share keychain' entitlement never had an entitlement file before and it is the creation of the file rather than the specific entitlement that fixes the problem?