The US Department of Defense confirmed it had created more than 103,000 AI agents in five weeks. That’s twenty thousand new agents per week. Twenty-five thousand daily active sessions at peak. All of it running on unclassified government networks handling sensitive data, built by military and civilian personnel using vibe coding — describing the software you want in plain language and letting AI build it — with no coding required.
That is not a pilot programme. That is institutional vibe coding at a scale no single organisation has publicly documented before.
Here’s the kicker: the very same week this deployment scale became public — late April into early May 2026 — the Five Eyes intelligence community jointly published guidance recommending “careful adoption” of agentic AI systems. The same US government apparatus that authorised GenAI.mil co-authored the warning against deploying exactly what GenAI.mil was already doing at scale.
This article documents what the Pentagon did, how Agent Designer made it possible, and why the governance gap between those two signals matters for any organisation running AI agents right now. For the broader security picture, see our broader analysis of vibe coding’s security reality.
What is GenAI.mil and how did the Pentagon become the world’s largest vibe coding shop?
GenAI.mil is the DoD’s enterprise-wide generative AI platform, launched December 9, 2025. Within a week it had 500,000 users. Within a month, one million — with zero latency issues and zero downtime, according to Pentagon Chief Data Officer Gavin Kliger. Today, up to 3 million DoD personnel have access.
The platform includes Gemini 3.1 Pro (added April 2026), with DoD users getting access only eight weeks behind commercial customers.
The mechanism behind the 103,000 agents is Agent Designer — a no-code agent builder built into GenAI.mil. Any user describes what they want in plain language and the system generates and deploys the agent. No coding required. No engineering team in the loop. DoD sources use the term “vibe coding” without embarrassment.
GenAI.mil operates at Impact Level 5 (IL5) — the highest classification tier for unclassified US government systems. IL5 covers Controlled Unclassified Information (CUI), Protected Health Information (PHI), and Personally Identifiable Information (PII). That is the data environment these vibe-coded agents operate in.
The full vibe coding security landscape explains why that combination — data sensitivity plus unreviewed agent creation — is the central risk question.
How does the DoD vibe coding workflow actually work — who is building these agents?
Any DoD user opens Agent Designer, describes what they want in natural language, and it gets built and deployed. That is the entire workflow.
Breaking Defense described it plainly: these are low-code/no-code tools that guide the user through figuring out what they want in natural language, then autonomously build the agent to their specifications. No software experience required. No mandatory code review. The human is supposed to review the agent’s output before acting on it, but the agent itself goes through no formal security or quality gate before deployment.
The DoD frames this as democratisation. Warfighters, intelligence analysts, logisticians, administrators — anyone across the department can build advanced AI tools for their own context without waiting for a software development cycle.
If you’ve ever used Zapier, Power Automate, or Make, you already understand what Agent Designer is. It’s that category of tool — at a higher data classification tier. And the critical thing to understand for your risk framing: these agents are not automations running predefined rules. They take actions, access data, make decisions, and operate with whatever level of human oversight the individual user decides to configure.
100,000 agents in five weeks: what the usage numbers reveal about deployment velocity
Breaking Defense reported on April 23, 2026 with direct Pentagon attribution: over 103,000 agents built and more than 1.1 million agent sessions recorded as of mid-April. Average weekly sessions: 180,000. That works out to roughly 25,700 daily active sessions — consistent with Defense One’s April 27 reporting citing 25,000 daily sessions at peak.
TechRadar independently confirmed the 20,000 agents per week creation rate. The arithmetic: 103,000 agents over five weeks is roughly 2,900 new agents per day, seven days a week.
The scale matters not just as a number but as an attack surface. Over 100,000 distinct autonomous agents, built without individual review, running on IL5 networks that handle CUI, PHI, and PII. For what that creation velocity likely means in terms of defect density, see what 2.74x vulnerability density means at DoD scale.
And this deployment velocity was a deliberate policy choice. Pentagon acting principal deputy Chief Digital and AI Officer Andrew Mapes was direct about it: “We just don’t have the luxury of taking such a deliberate approach.” Kliger cited competition with China as the strategic justification. The trade-off between pace and review rigour is explicit in their public communications — not accidental, not an oversight. That same week, the intelligence agencies that partner with the US published their answer to exactly that trade-off.
The governance gap: CISA says “careful adoption,” the Pentagon is creating 20,000 agents per week
On May 1, 2026 — within days of the Pentagon’s deployment scale being publicly confirmed — CISA, the NSA, Australia’s ACSC, the UK’s NCSC, Canada’s CCCS, and New Zealand’s NCSC-NZ jointly published “Careful Adoption of Agentic AI Services.” It is the first joint Five Eyes publication specifically addressing agentic AI.
The guidance is straightforward. Deploy incrementally. Start with low-risk tasks. Enforce strict privilege controls. Maintain continuous monitoring. Establish human oversight before scaling. The Register reported the core conclusion: organisations “should assume that agentic AI systems may behave unexpectedly.”
The Pentagon’s deployment — 103,000 agents created by non-technical users over five weeks, no mandatory code review, on networks handling Controlled Unclassified Information — is the opposite approach.
DoD officials point to the IL5 Authorization to Operate (ATO) as the governance answer. GenAI.mil has IL5 ATO — the platform’s infrastructure meets US government security requirements. What it doesn’t cover is the behaviour, data access patterns, or security posture of each of the 103,000 agents created on that platform. ATO is a risk-acceptance sign-off on the platform, not a continuous audit of what every agent built on it is actually doing.
The fact that the Pentagon vibe-coded 100,000 AI agents at the same time CISA and its partners were advocating for careful adoption is institutional irony, not institutional failure. Both signals came from the same US government ecosystem in the same news cycle. That is the governance gap made concrete.
For the security implications of 100,000+ unreviewed agents on sensitive networks, 91.5% of vibe-coded apps assessed in Q1 2026 carried at least one flaw.
What this means when your team is doing the same thing without IL5 oversight
The Pentagon’s deployment is the largest documented case, but the structure is identical everywhere. Microsoft’s 2026 Cyber Pulse survey found that more than 80% of Fortune 500 companies now use active AI agents built with low-code and no-code tools. Only 10% have a clear management strategy. The average enterprise manages 37 deployed agents, with more than half running without any security oversight or logging.
That is shadow AI at enterprise scale. Employees building and deploying agents outside formal IT governance, using exactly the same no-code tooling that powers Agent Designer.
If your teams are using GitHub Copilot, Cursor, or any no-code agent builder connected to production systems or customer data, the structural risk is the same: creation velocity has outpaced review infrastructure. The Five Eyes guidance applies directly to your context — identify what data your agents can access, define the scope of actions they can take, and establish a human review gate before agents are granted persistent permissions.
Shadow AI is already the operating condition of most organisations. That is the present state of the Fortune 500. The difference between the DoD and your organisation is not the technology — it is the presence of any governance layer at all.
The institutional vibe coding policy question
The Pentagon’s deployment makes one thing clear: vibe coding has entered institutional operations at a scale that policy has not kept pace with. The Five Eyes guidance is a post-hoc framework. That sequencing is the point. Policy is the trailing variable in institutional AI adoption.
The accountability question is concrete. When an IL5-authorised platform is used to create tens of thousands of agents per week without individual agent review, what is the accountability chain if an agent mishandles CUI? That gap has no formal answer in current public documentation.
The Five Eyes guidance explicitly acknowledges the threat intelligence landscape for agentic AI is still developing: “some attack vectors unique to agentic AI may not be fully captured or addressed” by existing frameworks like OWASP or MITRE ATLAS.
The Pentagon’s approach is evidence that institutional deployment is already happening at this scale — which means the governance question is urgent rather than theoretical. For organisations that want to build policy before the deployment gets ahead of them, what institutional vibe coding governance should look like is where to start.
What the DoD deployment establishes is that vibe coding at institutional scale requires a governance layer that is not yet standard — and that the absence of one is already the default condition in most organisations.
FAQ
What is GenAI.mil and who can use it?
GenAI.mil is the US Department of Defense’s official generative AI platform, launched December 9, 2025. Up to 3 million DoD personnel — military and civilian — have access, with more than 1.3 million actively using it. It includes Agent Designer (a no-code agent builder) and access to LLMs including Google Gemini. It operates at IL5, the highest unclassified security tier, covering Controlled Unclassified Information, Protected Health Information, and Personally Identifiable Information.
What is Agent Designer on GenAI.mil?
Agent Designer is the no-code agent builder built into GenAI.mil. Any DoD user — regardless of technical background — can describe what they want an agent to do in plain language, and the system generates and deploys it. No coding or code review is required. It is the mechanism behind the 20,000-agents-per-week creation rate.
What is Impact Level 5 (IL5) and what data does it protect?
IL5 is the highest classification tier for unclassified US government systems. It covers Controlled Unclassified Information (CUI), Protected Health Information (PHI), and Personally Identifiable Information (PII). GenAI.mil’s IL5 authorisation means the platform itself is certified to handle that data. Individual agents created on the platform are not individually reviewed or certified.
What is an Authorization to Operate (ATO) for AI systems?
An ATO is a formal US government security risk-acceptance sign-off required before deploying systems on government networks. It is not a continuous security audit. For GenAI.mil, the ATO covers the platform’s infrastructure and configuration — not the behaviour or data access patterns of each of the 103,000+ agents created on it.
What is the Five Eyes joint guidance on agentic AI?
“Careful Adoption of Agentic AI Services” was published May 1, 2026, jointly by CISA, NSA, and their counterpart agencies in Australia, New Zealand, the UK, and Canada. It is the first joint Five Eyes publication specifically addressing agentic AI. The core recommendation: deploy incrementally, start with low-risk tasks, and scale only after establishing monitoring, human oversight, and accountability frameworks.
What is shadow AI in the enterprise context?
Shadow AI refers to AI tools and agents deployed by employees outside sanctioned IT governance. Microsoft’s 2026 Cyber Pulse survey found 80% of Fortune 500 companies have deployed AI agents, yet only 10% have a management strategy in place. The average enterprise manages 37 deployed agents, with more than half running without any security oversight or logging.
Is vibe coding used officially in DoD contexts or is it an informal term?
DoD-adjacent sources including Breaking Defense use “vibe coding” freely when describing Agent Designer’s workflow. The DoD frames it as enabling non-technical warfighters and administrators to build their own tools without programming knowledge. The term has made it into official programme discussions without embarrassment.
Why did the Five Eyes publish agentic AI warnings at the same time the Pentagon was deploying 100,000 agents?
Because institutional adoption has outpaced governance. CISA, which co-authored the Five Eyes warning, is part of the same US federal apparatus that authorised GenAI.mil. Both signals emerged in the same news cycle — Resilient Cyber #96 called it “institutional irony, not institutional failure.”
Does Google Gemini being in GenAI.mil create additional security considerations?
Yes. The Five Eyes guidance addresses supply chain risk for agentic AI — the model provider’s data handling, training practices, and update cadence all become part of your risk surface. Getting the latest model “only eight weeks behind commercial customers” compresses the supply chain evaluation window considerably.
How does the Pentagon’s AI agent deployment compare to what enterprise organisations are doing?
Larger in scale, identical in structure. Agents deployed faster than governance can follow, via no-code tooling, by non-technical users. The difference: the DoD has an IL5 ATO as a partial governance layer. Most enterprises have nothing comparable.
What is the difference between an AI agent and a simple automation or chatbot?
A chatbot responds to prompts. A simple automation runs predefined rules. An AI agent takes actions — it can access data, make decisions, call external services, and operate with varying degrees of autonomy. Agent Designer enables the creation of agents in that third category, which is why the governance implications go well beyond a standard chatbot deployment.
Where can I read the Five Eyes agentic AI guidance?
The full text is available on the CISA resources page, co-released with partner agencies in the UK, Australia, Canada, and New Zealand on May 1, 2026.
