
Claude Now Remembers Every Employee — Do You Know What It's Storing?

Uros Vujic, 12 May 2026

A quiet change with big consequences

On 2 March 2026, Anthropic rolled out a feature that looks helpful at first glance: Claude now remembers what you tell it.

Not just within a single conversation. Across all conversations, over time. Tell Claude you work at an accounting firm with twelve employees, that your boss is called Mona, and that you use a particular line-of-business system — and it remembers next time you log in. You don't have to repeat yourself.

Two details turn this from a convenience into something more:

  1. It's on by default. New users get memory enabled without doing anything.
  2. It applies to everyone — including free users. You don't need a business agreement or a paid plan. Anyone with an email address gets the feature.

For an individual, this is practical. For a Norwegian business, it's something else: the beginning of a shadow database they don't know they have.


What the memory actually stores

Let's be precise, because the nuance matters.

Claude doesn't store entire conversations verbatim. It stores facts and preferences it infers along the way: what you work on, how you like answers formatted, which tools and projects you mention, which clients and colleagues show up in what you write.

You can view and delete this under Settings > Memory. Anthropic built transparency into the feature, and that's good.

But here's the problem: the transparency sits with the employee — not with the business.

It's the employee who sees the memory bank. It's the employee who can delete it. The business — which actually owns the data being fed in — has no visibility, no control, and no log. And the vast majority of employees have never opened that setting once.


Why this is shadow IT in new packaging

Shadow IT isn't new. It's the technology employees adopt without IT or management knowing — a free file-sharing service here, a personal Dropbox there.

Claude Memory is shadow IT with an extra dimension: it builds itself, in the background, without anyone actively uploading a file.

Think of a typical work week. An employee at a staffing agency uses Claude on their personal account to:

  • get help phrasing a difficult email to a candidate — and pastes in the candidate's CV
  • summarise notes from an internal meeting
  • draft feedback about an employee who's struggling
  • rephrase a clause from a client contract

None of this feels dramatic in the moment. But over weeks and months, Claude builds a memory bank containing candidate names, assessments of employees, client names, and contract details — tied to a personal account the business doesn't administer, doesn't see, and can't delete.

The day that employee leaves, they walk out the door with the memory bank. The day Norway's privacy authority asks "what personal data do you process, and where?", you don't have a complete answer.


The GDPR questions you can't answer

For a Norwegian business under GDPR, this raises concrete problems:

Legal basis. When an employee pastes a candidate's CV into their personal Claude account, personal data is processed without the business having assessed the basis for it. Who is the data controller? The business doesn't know the processing is happening.

Data minimisation and storage limitation. GDPR requires that you store no more than necessary, and no longer than necessary. A memory bank that grows quietly, on an account you don't control, breaks both principles.

The data subject's rights. A candidate has the right to access, and to deletion of, information about themselves. If that information is scattered across employees' private AI memories, you can't honour that right. You don't even know the data exists.

Internal accountability. You can't document processing you don't know about. And what you can't document, you can't defend in an audit.

These aren't theoretical concerns. They're the ordinary questions an audit asks — and they get uncomfortable to face if you don't have the structure in place.


What you should actually do

The bad response is to ban Claude. It doesn't work — employees use the tools anyway, just more covertly. A ban moves the problem; it doesn't solve it.

The good response is structure. Concretely:

1. Map the actual usage. Who uses which AI tools, on which accounts, for what? Most leaders are surprised by the answer. You can't govern what you can't see.

2. Separate personal from work. Employees who use Claude for work should use a managed business account (Claude Team or Enterprise) — not their personal free account. On business plans, you control retention, access, and deletion centrally.

3. Write an AI policy that actually mentions memory. Most AI policies say "don't paste in sensitive data". That's no longer enough. The policy has to explain what persistent memory is, why a personal account is a problem, and what employees should use instead.

4. Train, don't just instruct. An employee who understands why candidate data shouldn't go into a personal Claude account makes better choices than one who's just been handed a rule. A short course does more than a long rulebook.

This isn't an IT project. It's a governance measure — and that's exactly what IT Buddy helps with.


The point that keeps repeating

Claude Memory isn't a problem because the feature is bad. It's actually well made. The problem is that a powerful feature was switched on by default, for everyone, while most businesses don't have a structure that catches it.

It's the pattern we see again and again: the technology runs ahead, and the structure lags behind. Every new AI feature that rolls out lands in a business that either has its data, access, and guidelines in order — or doesn't.

Businesses in the first group adopt the feature safely and quickly. Those in the second discover the risk only once it has grown large.

AI doesn't start with technology. It starts with structure.





Uros Vujic

Managing Director, IT Buddy AS

Uros helps Norwegian SMBs adopt AI in a controlled and sustainable way. Background in IT infrastructure in banking and finance, specialising in AI governance, RBAC and GDPR-compliant implementation.
