He Turned Off ChatGPT's Memory. It Referenced Another Client Anyway.
One partner. Two clients. A setting that was supposedly off. Here's what's actually happening behind the toggle.
When ChatGPT and Claude Say “Memory,” They Mean Three Different Things
The first time I really understood this, I was sitting with a partner who had just been told by his IT director that ChatGPT memory was “off.” He showed me the toggle. He showed me the setting. He felt fine.
Then he asked ChatGPT to summarize a contract.
It opened by referencing his other client.
He didn’t paste anything. He didn’t upload anything. He didn’t even mention the other matter. Something was still on.
That’s the whole point. A setting labeled “memory” does not necessarily cover every place a product can pull in prior context. The toggle he flipped was one of several. The others kept doing their work.
That moment is what this post is about.
TL;DR
When ChatGPT or Claude talk about “memory,” they’re describing at least three different things stacked on top of each other. The privacy concern isn’t really what the model “knows.” It’s what the product silently retrieves from one matter and drops into another. For law firms, two of the sharpest practical risks today are non-Enterprise ChatGPT projects with default memory on, and Claude used as standalone chats instead of project-scoped workspaces. Fix those two things and you’ve cut most of the practical exposure.
Memory is not one thing
Here’s what’s happening under the hood, in plain English.
The first kind is the active thread. When you continue the same chat, the model can use the prior messages in it. Start a new chat, and that thread is not automatically included, unless a memory feature, a project, a chat search tool, or another retrieval surface pulls it back in.
The second kind is the context window. That’s how much the model can hold in its head at once. Numbers vary by plan and model, but think of it as working memory for one task.
The third kind is the one that causes problems. It’s persistent storage. Saved facts about you. Summaries of prior chats. Indexed documents in a project. Files in a library. Connected apps that, once authorized, can be referenced when the product decides the data is relevant.
That third layer is what most people mean when they say “memory,” and that’s where ChatGPT and Claude diverge architecturally.
ChatGPT’s design: convenience that crosses matters
OpenAI gives you two persistent stores. Saved memories are facts the system writes down about you. Reference chat history is looser reuse of helpful details from past chats. These are separate stores. Deleting a chat does not delete what the system already wrote down about you from that chat. To actually remove a fact, you have to delete the saved memory entry, delete the originating chat, and sometimes also remove files from your library and disconnect any app that fed in data.
That’s not one click. It’s a runbook.
Now layer on projects. In ChatGPT projects, you get a choice when you create one: default memory or project-only memory. The behavior of “default” depends on your plan. On Enterprise and Edu, projects stay contained inside the project boundary. On non-Enterprise accounts, including Plus, Pro, and Business, default-memory projects can reference chats from outside the project unless the other project is set to project-only.
Read that again. On a non-Enterprise account, a default-memory project can pull in conversations you had outside the project.
Think about what that means in a firm. Same user, multiple matters, default memory on, no project-only setting. The model can reference context from one client’s project while you’re drafting in another. There might be a small “remembering” indicator. Most users won’t read it. The answer just lands.
A side note on shared ChatGPT projects. Every member can see the project’s chats and files, so the visibility risk goes up. The memory risk actually goes down, because shared projects automatically switch to project-only memory. The exposure is real, but it’s a different shape of exposure than the cross-project memory bleed above. Don’t confuse the two.
Claude’s design: stricter walls by default
Anthropic made different choices.
In Claude, each project is its own workspace. Project knowledge is the main intentional shared context across chats. Claude also runs a separate per-project memory summary when memory is enabled. So the right way to think about it: the whole project is the matter boundary, not any single chat inside it.
The important point is what does not happen. Claude’s memory is separated by project. If you’re using projects matter by matter, Claude should not pull from another matter’s project into the current one. Within the same project, project memory and project knowledge can still shape later chats. That’s working as intended if you’ve kept that project to one matter.
Outside projects is where the bigger risk lives. Claude runs standalone memory too. It synthesizes summaries from your standalone chats, updates them every 24 hours, and uses those summaries to inform new standalone chats. If you do client work in standalone chats, those summaries can travel across matters. So the rule is simple: client work belongs in projects, not standalone chats.
Sharing also works differently in Claude. Sharing a project gives teammates access to the project’s knowledge base and instructions, but individual chats stay private unless you explicitly share them. That’s the opposite of ChatGPT’s default sharing model, where project chats are visible to all members.
One detail compliance officers should know. Disabling memory at the organization level in Claude Enterprise wipes everyone’s memory synthesis. The toggle has teeth. But Team plans don’t have org-level memory controls at all. If centralized governance matters to you, that’s an Enterprise question, not a Team question.
The risk most firms aren’t thinking about: memory poisoning
This one is newer and uglier. It applies to agentic tools, including Claude Code and managed agent setups, where the AI can write to its own memory store as part of doing work.
If an agent reads input from an untrusted source (a webpage it scrapes, a document someone emailed in, a tool output it doesn’t control) and that input contains instructions telling the agent to write something into memory, the agent might do it. The next session reads that poisoned note as if it were a real, trusted fact and acts on it.
Anthropic warns about this directly in its documentation for read-write memory stores. It’s not theoretical. Cisco’s research team published a proof of concept against Claude Code memory earlier this year, and Anthropic has been working through mitigations.
For a firm, the practical translation: any AI tool that can both write to memory and read untrusted content needs tighter scope. Read-only references for trusted material. Read-write stores only for tightly controlled matter-local data. No shared writable memory across matters.
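The scoping rules above, sketched as code. This is an added example, not code from Anthropic, OpenAI, or Cisco; the class names, the trusted-source list, and the quarantine step are assumptions chosen for illustration. The point is that the write path is decided by the store, not by what the agent was told.

```python
from dataclasses import dataclass, field

TRUSTED_SOURCES = {"user", "matter_file"}  # assumption: the firm defines this list

class PolicyViolation(Exception):
    """Raised when a session reaches for memory outside its own matter."""

@dataclass
class MatterStore:
    references: dict                                 # trusted material, read-only to the agent
    notes: list = field(default_factory=list)        # committed; visible to later sessions
    quarantine: list = field(default_factory=list)   # held for human review

class MemoryGate:
    """Owns every store; one store per matter, nothing shared across matters."""

    def __init__(self):
        self._stores = {}

    def open_matter(self, matter_id, references):
        self._stores[matter_id] = MatterStore(references=dict(references))

    def store_for(self, session, matter_id):
        # Enforced here, in code: a session only ever sees its own matter.
        if matter_id != session.matter_id:
            raise PolicyViolation(f"{session.matter_id} cannot access {matter_id}")
        return self._stores[matter_id]

@dataclass
class Session:
    gate: MemoryGate
    matter_id: str
    tainted: bool = False  # flips once untrusted content enters the context

    def ingest(self, source, content):
        # Web pages, emailed documents, and tool output taint the session.
        if source not in TRUSTED_SOURCES:
            self.tainted = True
        return content

    def write_note(self, text, matter_id=None):
        store = self.gate.store_for(self, matter_id or self.matter_id)
        # A tainted session can still propose a note, but it never lands
        # where the next session would read it as a trusted fact.
        target = store.quarantine if self.tainted else store.notes
        target.append(text)
        return "quarantined" if self.tainted else "committed"

    def read_notes(self, matter_id=None):
        return list(self.gate.store_for(self, matter_id or self.matter_id).notes)
```

A session that has only seen user input commits notes normally; after it ingests a scraped page, every later write goes to quarantine, and any read or write aimed at a different matter raises PolicyViolation.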
A point about prompts
There’s a temptation to think this can be solved with instructions. “Tell the AI not to use other matters.” “Tell the agent not to write to memory.”
It can’t.
Anthropic says this explicitly about Claude Code memory files: they are context, not enforced configuration. The same principle should be applied across vendors. Prompts can guide behavior, but they don’t bind it. Storage controls, workspace boundaries, connector permissions, and admin settings are the real control surfaces. Treat prompts as helpful supplements, not as security walls.
What to do Monday morning
Three things, in order.
Move active client work off consumer accounts. Commercial and business tiers generally improve the privacy posture, including no training by default. Enterprise tiers are where firms get stronger retention controls, compliance and audit exports, SSO, SCIM, and the contractual terms a firm actually needs. The price difference is small compared to the exposure.
One matter, one workspace. In ChatGPT, that means project-only memory, one project per matter, and avoid shared projects unless the entire matter is genuinely team-shared. In Claude, that means projects rather than standalone chats, each matter in its own project, and only matter-approved documents in the knowledge base.
Write down your deletion runbook. When a matter closes, what gets deleted, in what order, by whom? In ChatGPT that’s chats, saved memories, library files, and connected apps. In Claude that’s chats, memory reset if needed, and project knowledge or the whole project. If you can’t answer this in writing today, that’s the first gap to close.
The line that matters
Memory is convenience. Memory is also exposure. The vendors aren’t hiding any of this, but they describe it across a dozen help pages and three different products, so it’s easy to miss.
The firms that get this right won’t be the ones with the longest AI policy. They’ll be the ones whose lawyers know, without thinking about it, which workspace this matter lives in.
Memory isn't a feature. It's surface area. The firms that handle this well won't be the ones with the thickest AI policy on the shelf. They'll be the ones whose lawyers know, without thinking, which workspace this matter lives in and what gets deleted when it closes. If you want a second set of eyes on what your firm is actually exposed to, I'm at steve@intelligencebyintent.com. The toggle was never the answer. The workspace is.


