In less than five weeks after the Department of Defense made Google Gemini's Agent Designer available to military and civilian personnel on GenAI.mil, users had built more than 103,000 semi-autonomous AI agents and logged over 1.1 million agent sessions. By mid-April the platform was averaging roughly 180,000 sessions per week. Those numbers represent the fastest enterprise-scale AI deployment in DoD history — and they arrive before the governance architecture to manage what those agents are doing is fully in place.
The agents themselves are varied. Personnel have used the low-code Agent Designer to build tools that draft After Action Reports, generate formal staff estimate documents from user inputs, analyze imagery and produce written descriptions, review official strategy documents, and support financial data analysis. The platform has Authorization to Operate at Impact Level 5, covering sensitive but unclassified information. Within that envelope, a DoD employee can now construct a customized AI agent in an afternoon, deploy it to their colleagues, and generate thousands of sessions before any centralized review has assessed what the agent's instructions actually tell it to do or how it handles edge cases.
Why This Risk Profile Is Structurally Different
DoD's traditional software authorization process — the Authority to Operate — is built around discrete systems. An ATO covers a bounded application with a defined architecture, a known data flow, and a fixed set of behaviors that assessors can evaluate against security and functional criteria. The RMF process is slow precisely because it is thorough: the assumption is that the system under review is the system that will be deployed, and that its behavior in the operational environment is predictable from the assessed configuration.
No-code AI agents break every one of those assumptions. When 103,000 distinct agents exist — each with different system-prompt instructions crafted by individual users, each potentially accessing different data sources and producing outputs for different audiences — there is no single system to authorize. There are thousands of individually configured LLM wrappers, and each wrapper's behavior is emergent rather than deterministic. An agent built by a finance analyst to summarize obligation data may behave correctly in 95 percent of cases and produce systematically biased outputs in the other five percent in ways that are invisible without continuous behavioral monitoring. A traditional point-in-time security assessment of the underlying Gemini model cannot surface that failure mode. The risk is not in the foundation model — it is in the configuration layer that sits on top of it, built by personnel without AI systems engineering backgrounds, deployed at speed, and largely unobserved after launch.
DoD's Response and What It Leaves Open
The Department is not unaware of this. The January 2026 Department of War AI Strategy directed the establishment of a cross-functional team — due to be operational by June 1, 2026 — to create a standardized, Department-wide framework for assessing, governing, and approving the development, testing, and deployment of AI models. Performance, security, documentation, ethics, and testing standards are all in scope. Separately, DoD is standing up an AI Futures Steering Committee to assess advanced AI developments and develop risk-informed adoption strategy. Both efforts are real and both represent progress over the ad-hoc approach that preceded them.
What neither effort directly addresses yet is the specific challenge of enterprise-scale, user-generated AI agents. Governing a model — even comprehensively — is not the same as governing the thousands of agent configurations that wrap that model. The June 1 framework will presumably cover the foundation models and formal AI programs of record. Whether it extends to the long tail of GenAI.mil agents built through low-code tools, with custom system prompts and bespoke data access patterns, is an open question. An agent that drafts an After Action Report using incorrect doctrinal framing, or an imagery analysis agent that systematically misclassifies a vehicle type, does not represent a security vulnerability in the traditional sense — but it represents a capability risk that compounds with usage volume. At 180,000 sessions per week, even a low error rate produces significant output at scale.
What Sound Enterprise AI Governance Requires
The precedent most applicable here is not software authorization — it is the financial audit model. When a large organization deploys a new accounting system, the ATO-equivalent covers the platform. But the ongoing audit function continuously samples outputs, compares them against expected results, flags anomalies, and generates evidence of consistent correct behavior over time. AI agents in enterprise deployment require an equivalent continuous verification layer: behavioral sampling against ground-truth benchmarks, anomaly detection across agent output populations, policy enforcement that can identify when an agent's configuration has drifted from its declared purpose, and automated flagging when usage patterns suggest an agent is operating outside the scope for which it was built.
DoD is moving fast on AI adoption — faster than at any point in its history. The 103,000-agent figure is a genuine capability achievement, not a liability by itself. But capability and verification need to close in parallel, not in sequence. Waiting until an agent population is deeply embedded in operational workflows to ask what those agents are actually doing is exactly the wrong order of operations. The June 1 framework is a necessary first step. The harder work — building the behavioral monitoring infrastructure to continuously verify what 100,000-plus agents are doing in the field — is still ahead.
