The hardest engineering problem in AI products is not the model; it is memory. What does the system remember between sessions, between users, between tenants? Get it wrong and you ship a product that leaks customer data, hallucinates context, or forgets what it was supposed to be doing.
Three layers, kept separate
Session memory: what the model needs in this conversation. Short, transient, scoped to one interaction. User memory: long-term, preferences and past tasks for a single user. Persisted, encrypted, never crossed with other users. Domain memory: knowledge about the customer's data and workflows. Tenant-isolated by default; never shared across customers.
The isolation guarantee
The system has to be designed so that domain memory cannot leak across tenants under any prompt. This is the single biggest reason enterprise buyers reject AI products: they cannot verify the isolation. Make it architecturally impossible, not just policy-prohibited. Defaults matter more than promises.
What the user controls
Users should be able to see what the system remembers about them, edit it, and delete it. This is a product feature, not a privacy footnote. Memory that the user does not control is memory the user will not trust.