The Pentagon’s AI vendor count changed. The agent boundary is still the harder question.
The public evidence for the Pentagon’s 100,000-plus AI agents is narrower than the number sounds. The available GenAI.mil documentation describes agents for unclassified office work, not autonomous software roaming classified networks.
That boundary matters more than the user-count headline. Google Public Sector’s March 10 GenAI.mil post says Agent Designer lets Defense Department personnel build custom agents “to support unclassified work tasks,” such as drafting read-aheads, planning projects, and automating repetitive administrative work, according to the Google Cloud blog. An AI agent is software that can carry out a multi-step task, not just answer a prompt. The public version is a productivity tool with a stated unclassified scope, not proof of autonomous classified operations.
The U.S. War Department said on May 1 that it signed agreements with eight frontier AI companies (SpaceX, OpenAI, Google, Nvidia, Reflection AI, Microsoft, Amazon Web Services, and Oracle) to deploy models on IL6 and IL7 classified networks, the environments used for secret and top secret government work, according to the War Department press release. Anthropic, the AI safety company behind Claude, was not on the list.
The count changed during the day. Reuters initially reported seven companies: SpaceX, OpenAI, Google, Nvidia, Reflection AI, Microsoft, and AWS. Federal News Network later reported that the Defense Department said Oracle had “agreed to join the list of AI companies” after the initial Friday morning announcement, bringing the total to eight.
The user count is large, but the agent count is the sharper pressure point. Defense One reported that up to 3 million users have access to GenAI.mil and that users had already built more than 100,000 AI agents. The War Department’s own release said more than 1.3 million personnel have used the platform in five months, generating tens of millions of prompts and deploying hundreds of thousands of agents.
That means the Pentagon is already past the chatbot stage. It is building workflow software that can take instructions, chain steps together, and hand work back to humans inside a defense bureaucracy. The public docs describe that work as unclassified and administrative. The new agreements describe a classified-network expansion. The missing piece is the boundary between the two.
The War Department framed the agreements as a way to bring commercial frontier models into lawful operational use across classified systems. It did not disclose contract values, deployment timelines, or the specific workloads each vendor will handle.
The word “agent” can mean anything from a glorified form filler to software that plans and executes a sequence of actions across tools. If GenAI.mil’s agents remain tightly sandboxed for unclassified paperwork, the Pentagon’s public documentation describes a hard operational boundary. If the classified expansion brings similar agent-building patterns into IL6 and IL7 environments, then the question is what controls stop an approved assistant from becoming an approved actor.
The vendor list makes that question harder to separate from the guardrail fight. CNBC reported that the Defense Department declared Anthropic a supply-chain risk after the two sides failed to agree on how the agency could use Anthropic’s models, and that Anthropic sued the Trump administration in March to reverse the blacklisting. A supply-chain-risk label treats the vendor itself as a national security concern, not merely as a company with a disputed contract clause.
Anthropic’s exclusion would be simpler if the Pentagon did not want Anthropic’s technology. CNBC reported, citing Axios, that the National Security Agency is using Mythos, Anthropic’s cyber-focused AI model. Emil Michael, the Defense Department’s chief technology officer, told CNBC that Mythos is a “separate national security moment” because the model has capabilities “particular to finding cyber vulnerabilities and patching them.”
So the Pentagon is doing two things at once. It is expanding classified access for eight AI vendors while fighting with the company most publicly associated with model guardrails, the rules a lab puts on how its systems may be used. It is also scaling agent-style workflows before the public has a clear view of whether the “unclassified administrative work” boundary survives contact with classified deployment.
There is a strong defense of the Pentagon’s position. A classified network cannot depend on a vendor that withholds mission-critical capabilities or reserves too much control over government use. Anthropic, in turn, can argue that some uses should remain off-limits even for the state, especially if the model can accelerate cyber operations or autonomous targeting. The facts now in public do not tell readers who had the better legal argument, because the disputed contract language remains undisclosed.
What is public is the shape of the risk. The Pentagon has more than 1 million users, more than 100,000 agents, and a new classified-AI vendor roster that excludes Anthropic. The next thing to watch is not another model benchmark. It is whether “unclassified administrative work” is a durable architecture, or just the label on the first phase before the agents move deeper inside the fence.