Timelocks beat combos

In the 1870s, bank robbers stopped cracking safes and started kidnapping bankers. 

When a combination lock was too hard to bypass, bank robbers went around it. Grab the manager at home, walk them to the vault, make them dial it open. The safe was secure. The person who knew the combination wasn’t.

A locksmith named James Sargent saw the real problem. The vault didn't need a tougher lock. It needed to be something even the right person couldn't open on command. In 1873, he wired a combo lock to two kitchen clocks. It wouldn't open for anyone until a set hour the next morning. Not a thief. Not the manager. The combo didn't matter; the vault was dead until nine.

Now, you kidnap the banker and you've grabbed someone who can't help you. The secret in his head stopped being worth taking.

We're back at that problem with AI agents.

In September 2025, developers handed the keys to their email to a tool called postmark-mcp. It behaved perfectly the first 15 times people used it. But version 16 added one line of code that quietly copied every outgoing message to a server the attacker controlled: passwords, invoices, internal memos. It slipped past every filter, because the tool was trusted. It snuck into 300 companies. Up to 15,000 emails a day.

Anthropic's new security guide has a one-line test: “Does this make the attack impossible, or just tedious?” Rate limits, extra login steps, odd ports — if it took too long, a human would quit. But an agent can try every combo. Theoretical bank robbers can kidnap every banker. Security now needs more timelocks, fewer combos. 

Sargent didn't build a stronger vault.

He built one the banker couldn't open at gunpoint.

That's the bar for the tools we're building now.

Source: “Zero Trust for AI Agents,” Anthropic, May 2026
