diff --git a/activemodel/lib/active_model/secure_password.rb b/activemodel/lib/active_model/secure_password.rb
index 88e578e626560d18ec612641e39074565392f625..7e179cf4b734b697a1c9e25df7c85352bea7788f 100644
--- a/activemodel/lib/active_model/secure_password.rb
+++ b/activemodel/lib/active_model/secure_password.rb
@@ -1,7 +1,6 @@
 module ActiveModel
   module SecurePassword
     extend ActiveSupport::Concern
-    include ActiveModel::Validations
 
     # BCrypt hash function can handle maximum 72 characters, and if we pass
     # password of length more than 72 characters it ignores extra characters.
@@ -65,6 +64,8 @@ def has_secure_password(options = {})
         include InstanceMethodsOnActivation
 
         if options.fetch(:validations, true)
+          include ActiveModel::Validations
+
           # This ensures the model has a password by checking whether the password_digest
           # is present, so that this works with both new and existing records. However,
           # when there is an error, the message is added to the password attribute instead
diff --git a/activemodel/test/cases/secure_password_test.rb b/activemodel/test/cases/secure_password_test.rb
index 9e68cceb5f66f2688c0d82760b170c1e8d8e4b12..6b21bc68fa18a27b1611d54f068a69145cd6ae34 100644
--- a/activemodel/test/cases/secure_password_test.rb
+++ b/activemodel/test/cases/secure_password_test.rb
@@ -20,20 +20,12 @@ class SecurePasswordTest < ActiveModel::TestCase
     ActiveModel::SecurePassword.min_cost = @original_min_cost
   end
 
-  test "user object should respond to valid?" do
-    assert_respond_to @visitor, :valid?
+  test "automatically include ActiveModel::Validations when validations are enabled" do
     assert_respond_to @user, :valid?
   end
 
-  test "create/update without validations" do
-    assert @visitor.valid?(:create), 'visitor should be valid'
-    assert @visitor.valid?(:update), 'visitor should be valid'
-
-    @visitor.password = '123'
-    @visitor.password_confirmation = '456'
-
-    assert @visitor.valid?(:create), 'visitor should be valid'
-    assert @visitor.valid?(:update), 'visitor should be valid'
+  test "don't include ActiveModel::Validations when validations are disabled" do
+    assert_not_respond_to @visitor, :valid?
   end
 
   test "create a new user with validations and valid password/confirmation" do