The cursor blinks with a rhythmic, mocking indifference. Marcus clicks ‘Submit’ for the 13th time this hour, and for the 13th time, the screen dissolves into a flat, grey void. A small, blue spinning wheel appears-the digital equivalent of a shrug. He is trying to process a refund for a customer whose basement flooded 3 days ago, a woman who is currently crying into her speakerphone because she needs that $453 back to buy a dehumidifier. But the security protocol doesn’t care about the damp rot in a stranger’s home. It cares that Marcus has been ‘inactive’ for more than 333 seconds.

He reaches for his smartphone, his thumb hovering over the screen to receive the 23rd push notification of the morning. It’s a two-factor authentication dance. Tap. Wait. Fingerprint. Six-digit code. Type the 633-913 into the browser. The browser refreshes, but instead of the order screen, it takes him back to the main dashboard. The session has expired. The lady on the phone is now sobbing. Marcus feels a prickle of sweat on his neck, the same claustrophobic heat I felt about 43 minutes ago when I stood on the sidewalk and watched my car doors click shut with the engine still running and the keys dangling in the ignition.

I’m currently leaning against the warm hood of my sedan, waiting for a locksmith who quoted me $183 for a 3-minute job, and I can’t help but see the parallel.

When Digital Locks are Tighter Than Steel Doors

Simon C.M., a prison education coordinator I’ve consulted with for the last 13 months, lives in the heart of this friction. He once spent 63 days trying to get permission for a set of inmates to access a localized, offline version of a coding manual. The IT security team blocked it. Not because the manual was dangerous, but because the PDF viewer had a ‘Help’ button that, if clicked under the right lunar phase and with a specific sequence of keystrokes, might allow a user to see a file directory.

‘We are teaching men how to reintegrate into a digital society,’ Simon told me over a crackling line, ‘but we are doing it with pencils and paper because the risk-assessment forms are 53 pages long and no one wants to sign them.’

The Paper Trail of Due Diligence

This is the crux of the problem. Most corporate security policies are not actually designed to stop the 13 most sophisticated hacking collectives in the world. They are designed to be defensible in a courtroom after a breach has already happened. If the company gets hacked, the CISO can point to the 10-minute auto-logout and the triple-factor authentication and say, ‘Look, we did everything possible.’

The fact that productivity dropped by 23% and employee retention is at an all-time low is considered an acceptable externality.

Hiring Owners, Forcing Intruders

I’m looking through the window of my car at my keychain. It’s right there. I can see the solution, but the ‘policy’ of the locked door is absolute. Businesses do this every day. They hire brilliant people and then give them a set of handcuffs. Every time a developer has to wait 3 hours for a firewall exception, or a salesperson can’t pull up a deck because the VPN dropped for the 13th time, the business loses a little more of its soul. It loses its velocity.

We force a change every 43 days-a practice that actually leads to people writing their passwords on sticky notes under their keyboards, creating a security hole you could drive a truck through.

The Bureaucratic Machine

To post a single social media update, the team had to log into a secure vault, authenticate via a hardware token, and route the post through a compliance tool. The process for a 280-character tweet took 83 minutes.

Frictionless Agents and Surgical Permissions

This is why the rise of autonomous agents is so disruptive-not because they are ‘smarter’ than humans, but because they can operate within the secure perimeter without the friction that destroys human morale. An AI doesn’t get frustrated when it has to re-authenticate.

We are burning the furniture to keep the security cameras running. If your security policy prevents your employees from helping your customers, you don’t have a security policy-you have a liquidation plan. You are slowly liquidating the goodwill of your staff and the patience of your clients.

The Result: Quiet Quitting and Shadow IT

Simon C.M. once told me that the most dangerous man in a prison isn’t the one with a weapon; it’s the one who has been told ‘no’ so many times for no logical reason that he has nothing left to lose. When you apply that to a corporate environment, you get ‘Quiet Quitting’ or ‘Shadow IT.’

Humans are messy. We are the ‘vulnerability.’ But the solution isn’t to build a world where humans can’t function. The solution is to design systems that assume human error without punishing human productivity.

Calculating the True Cost of Safety

As the locksmith jiggles a long metal strip into my door frame, I find myself wondering: how much is your company spending to stay ‘safe’? And I don’t mean the $23,000 you pay for your firewall. I mean the millions you lose in the gaps between the log-ins. The cost of the moments where Marcus couldn’t help the widow.

Is the fortress actually protecting the business, or is it just making sure that when the business eventually dies of stagnation, the legal team has a very clean set of books to present to the undertaker?