The Personal vs Work AI Context Leak Problem

5 minMemplex

Your work AI shouldn't surface what you wrote on a Saturday night. Your personal AI shouldn't surface confidential project decisions. Current AI memory has no concept of scope. Here's what scope actually requires.

The Personal vs Work AI Context Leak Problem

Real scenario, real friend, lightly anonymized.

Friend uses ChatGPT for everything — work, personal, side projects, even drafting messages to family. They have memory turned on so the model remembers them.

One Monday morning at the office, sharing their screen during a meeting, they ask ChatGPT to help draft an email. ChatGPT, helpfully, references something it remembered from a personal conversation the prior weekend — visible on the projector, to everyone in the meeting.

This is the personal-vs-work AI context leak. It's not a privacy violation in the traditional sense — the user is the one who put the personal context in. It's an architecture failure: the AI system has no concept of scope, so it surfaces personal context in work contexts and work context in personal ones, with equal confidence.

Why current AI memory leaks

Most AI memory systems have one global memory per user. Everything you've told them, everything they've inferred about you, lives in one pool. Retrieval pulls from the pool based on relevance.

There is no concept of:

  • "This memory was created in a personal context; don't surface it at work."
  • "This memory references a confidential project; don't surface it in consumer-grade tools."
  • "This memory is about a coworker; surface it when discussing them at work, not when chatting personally."

The relevance scoring will happily pull a personal memory into a work context if the personal memory is similar enough to the work query. The model doesn't know any better, because the retrieval layer didn't tell it.

What scope actually requires

Scope is a routing concept, not a content concept. It is metadata about the context of creation and the allowed contexts of retrieval.

A complete scope model needs at least:

  • Origin scope — where was this memory created? Personal session, work session, specific project, specific destination.
  • Allowed destination scope — what destinations is this memory permitted to surface in? Same project, same scope level, any work tool, never at all.
  • Sensitivity tier — public, internal, confidential, restricted.
  • Project affinity — which projects is this memory relevant to?

A retrieval request specifies its current scope (the user's current context, the destination, the project). The router cross-references the request scope with each candidate memory's scope metadata. Memories whose allowed destination scope doesn't include the current request are filtered out before any similarity scoring happens.

This is different from filtering after retrieval. The filter has to happen before, because once a candidate is in the response, the model can use it, and the surface-area for leakage is gone.

What Memplex does

Memplex captures origin scope at ingestion time. A Claude Code session in a project's working directory is scoped to that project. A personal chat is scoped personal. A cross-project research session can be tagged appropriately by the user.

At retrieval time, the request specifies the current scope (typically inferred from the destination and current project). The router filters candidates by allowed destination scope before similarity ranking.

Personal context doesn't surface in work tools. Project A context doesn't bleed into Project B. Confidential project content doesn't flow to consumer-grade destinations.

Crucially, this isn't a user-configured firewall — it's the default. The user can override it explicitly ("I want my personal context available in this work tool too"), but the default is segregation, not commingling.

Why this matters more in the agent era

The leak problem gets worse as AI agents take more autonomous action. A leak when you're chatting with the AI is embarrassing. A leak when the AI is autonomously sending emails or making decisions on your behalf is potentially catastrophic.

If an agent is acting on your work account and pulls a personal memory in, the personal memory might end up in an email sent to your boss. If an agent is acting on a personal account and pulls a work memory in, you might disclose confidential information to a friend.

The scope-as-routing-input architecture is the only thing standing between you and these failure modes. Bolting it on after the fact is much harder than designing for it from day one, which is why we did.

PrivacyAIEnterprise

● More from Memplex