On April 23, Jacob Glassman, deputy assistant secretary of defense for science and technology foundations in the R&E directorate, told a room at the Box Federal Summit that the Pentagon's enterprise generative AI platform had hit a new milestone: "Here we are two weeks later, we have 100,000 agents that have been built in that." GenAI.mil had more than 1.2 million discrete users at that point. A week later, the Pentagon's own press release raised the count to "over 1.3 million Department personnel" generating "tens of millions of prompts" and deploying "hundreds of thousands of agents in only five months."
That is the fastest enterprise AI rollout in U.S. government history and the largest single concentration of generative AI use against Controlled Unclassified Information anywhere in the world. The security story most DoD CIOs and defense-contractor CISOs need to watch is not the .mil platform itself — it is the browser tab next to it that still has consumer ChatGPT, Claude, or Gemini open.
The strategy is "AI should be in your battle rhythm every single day"
The directive driving the rollout is unambiguous. In his January 9, 2026 memorandum to senior Pentagon leadership, combatant commanders, and Defense Agency directors, Secretary of War Pete Hegseth directed the Department to "accelerate America's Military AI Dominance by becoming an 'AI-first' warfighting force across all components, from front to back." Of the strategy's seven Pace-Setting Projects, two are squarely about putting commercial LLM access on every government desktop: PSP #6 GenAI.mil ("putting America's world-leading AI models directly in the hands of our three million civilian and military personnel, at all classification levels") and PSP #7 Enterprise Agents ("Building the playbook for rapid and secure AI agent development and deployment").
When the platform went live December 9, 2025, Hegseth told the force: "I expect every member of the department to login, learn it, and incorporate it into your workflows immediately. AI should be in your battle rhythm every single day." Within two months, the Army, Navy, Marines, Air Force, and Space Force had all designated GenAI.mil as their mandated enterprise platform.
The platform itself is hardened. Google's Gemini for Government — the first model live — carries FedRAMP High and Impact Level 5 authorization, the highest level for environments storing and processing CUI. ChatGPT and Grok were announced for integration in February. GenAI.mil is the contained, audited, cleared-to-touch-CUI environment defense AI policy says it should be.
The gap is not the platform. The gap is the desktop.
Read the DefenseScoop reporting on how personnel are actually using it. Tyler Saltsman, an Army veteran and founder of EdgeRunner AI who has deployed AI systems for the military, told the publication the biggest concern across the services is data leakage through prompts: "even on a .mil domain, people naturally paste in too much context to get a better answer, such as planning details, internal emails, or tactics, techniques, and procedures."
That is on the .mil tool. The harder problem is that personnel using GenAI.mil are also using the same Chrome or Edge window to open chat.openai.com, claude.ai, gemini.google.com, and grok.com on personal accounts. DefenseScoop notes personnel "had already been using commercial models" for the same administrative tasks GenAI.mil is now built for — "configuring awards packages, emails, memorandums, performance reviews and order writing" — and the mandate has not eliminated the older habit. One defense official told the publication that "no training whatsoever has been provided on the tool."
The IL-5 perimeter on GenAI.mil does not see the consumer LLM tab open on the same desktop. The Common Access Card session does not govern what happens when someone hits Ctrl+T and types chat.openai.com. The CDAO's directive applies to the .mil platform; it cannot reach the browser tab one keystroke away.
The FY26 NDAA does not solve this. Yet.
Congress has noticed. The Fiscal Year 2026 National Defense Authorization Act, signed into law December 18, 2025 as P.L. 119-60, contains the most aggressive set of AI-cybersecurity requirements ever directed at the Department. Section 1533 required DoD to stand up a cross-functional team for AI model assessment and oversight by June 1, 2026 — that deadline passed last week. The team must produce a department-wide assessment framework by June 2027. Section 1512 directs DoD to establish, within 180 days of enactment, a Department-wide cybersecurity and governance policy for AI and machine learning, addressing lifecycle security, industry standards, workforce training, and protections against AI-specific threats such as model tampering and data leakage.
But the FY26 NDAA is silent on the case that matters most this week: a uniformed user, on a government-furnished endpoint, typing into a personal-account ChatGPT tab. The cybersecurity framework Congress mandated will govern the AI systems the Department buys. It does not govern the AI systems an individual employee can reach in a browser. Section 1513's contractor framework leverages CMMC. CMMC governs the network, the system, the SPRS score — not the browser session of a cleared engineer logged into Claude on personal email.
Where the data-boundary layer sits
There is a missing layer in DoD's current AI governance stack — the same one the rest of the regulated enterprise market is converging on: real-time enforcement at the point where data crosses the LLM boundary, regardless of which LLM. The DoD AI Cybersecurity Risk Management Tailoring Guide makes clear that AI models do not need their own ATO — the system infrastructure does — and that AI must be used inside cybersecurity environments with documented assessment evidence. ATO-level controls govern the systems the Department operates. They do not govern the consumer chat surfaces a service member can open in Edge.
Containment.ai's product was built for this gap. It runs at the browser layer where the user actually pastes data, and it enforces an organization's policies — what is allowed to be shared, with which model, under which classification, with which audit trail — independent of whether the destination is the IL-5-authorized GenAI.mil session or a personal-account commercial chat tab. The same enforcement runs in both contexts; the same audit log captures both events. That is the layer the Department's hardened platform cannot reach from inside its own perimeter.
For defense contractors preparing for Section 1513 and for DoD components preparing for the Section 1512 lifecycle-security policy, the work is not to wait. It is to instrument the data-boundary layer now, in production, with audit-grade evidence of what crossed which boundary. The contractor or component that has the evidence chain in place when the framework lands will be one of the few who pass without remediation.
GenAI.mil is the right platform for the .mil session. The browser, on the same desktop, is the other half of the surface. Both have to be governed if "AI in your battle rhythm every single day" is going to coexist with CUI handling rules. The IL-5 authorization on the .mil tool does not transfer to the consumer tab. The Department has put 1.3 million people on the AI accelerator. The browser tab next to it is still wide open. Someone has to close the loop before the next Section 1512 status report lands on the Hill.