Skip to main content
MindStudio
Pricing
Blog About
Log in Get Started
My Workspace
Workflows Multi-Agent Integrations

Shared vs Private AI Agent Memory: How to Design Access Control for Teams

Learn how to structure shared and private memory in a team AI agent system using Notion, GitHub, and PostgreSQL row-level security.

MindStudio Team RSS
Shared vs Private AI Agent Memory: How to Design Access Control for Teams

Why Memory Architecture Is the Hidden Problem in Team AI Systems

When teams start building AI agents together, the first headaches are usually about prompts or model selection. But after a few weeks, a different problem surfaces: memory.

One agent knows something another doesn’t. A sales rep’s agent accidentally surfaces data that should only be visible to finance. A shared Notion database gets overwritten because two agents were writing to the same keys. Nobody planned for any of this, because nobody thought of memory as something that needed a design.

It does. And the difference between shared and private AI agent memory — and how you control access between them — determines whether your multi-agent system is actually usable by a real team or just a proof of concept.

This guide covers how to think about memory tiers, how to implement access control using tools like Notion, GitHub, and PostgreSQL, and how to avoid the most common mistakes teams make when building shared agent infrastructure.

What AI Agent Memory Actually Means

Before getting into access control, it helps to be precise about what “memory” means in the context of AI agents.

There are a few distinct types:

In-context memory

This is whatever lives in the active prompt window — conversation history, retrieved documents, tool outputs. It’s ephemeral. Once the session ends, it’s gone unless something explicitly saves it.

External memory (persistent storage)

Hermes Crash Course — free 1-hour live workshop
The free Hermes Agent crash courseReserve your spot

This is anything the agent reads from or writes to outside its context window: databases, documents, key-value stores, vector databases. This is where most access control issues actually live.

Agent state

Some frameworks track an agent’s internal state — what step it’s on, what it’s decided, what it’s waiting for. This can be per-agent (private) or shared across a workflow.

When people talk about “shared vs. private memory” in a team setting, they almost always mean external persistent memory. That’s what this article focuses on.

The Core Distinction: Shared vs. Private Memory

Think of memory in your team’s AI system the same way you’d think about a shared drive vs. a personal folder.

Shared memory is accessible to multiple agents or multiple users. It might include:

  • A company knowledge base (product docs, policies, FAQs)
  • CRM data that multiple agents query
  • Workflow state passed between agents in a pipeline
  • Audit logs that all agents write to

Private memory is scoped to a single agent, user, or role. It might include:

  • A user’s personal preferences and history
  • An agent’s working notes for a specific task
  • Sensitive data like salary information, health records, or personal communications
  • Draft content that isn’t ready to be shared

The problem isn’t that these two categories are hard to understand conceptually. The problem is that most teams don’t formalize the boundary — and agents don’t enforce it by default.

Why Access Control Can’t Be an Afterthought

AI agents interact with data programmatically, which means they don’t stop and think “should I be accessing this?” They just do what they’re told.

If your agent has read access to a Notion database, it will read any page in that database — including ones meant for executives only. If your agent can write to a shared PostgreSQL table, it can overwrite records it shouldn’t touch.

Three specific failure modes are common:

Cross-role data leakage. An agent built for onboarding new employees queries the same knowledge base as an agent built for HR investigations. The onboarding agent surfaces information it shouldn’t because the knowledge base isn’t segmented.

Unintended overwrites. Two agents write to the same external key-value store (like a shared Notion database property). One agent’s update clobbers the other’s. Now you have corrupted state and no audit trail.

Escalation through chaining. In multi-agent systems, Agent A calls Agent B, which calls Agent C. If Agent C has broader permissions than Agent A should have, the chain creates a privilege escalation path. Each hop adds risk.

Getting memory access control right isn’t about being paranoid — it’s about making your system reliable.

Designing a Memory Tier Architecture

A practical way to structure team AI memory is in three tiers. Each tier has a different access scope, a different persistence model, and different tooling requirements.

Tier 1: Global shared memory

This is information any agent, any user, any role can read. Write access is usually restricted to admins or specific system agents.

Examples: company FAQ, product documentation, public policy docs, shared brand guidelines.

Good storage options: Notion (read-only shared databases), GitHub (docs in a public repo), a read-only PostgreSQL view.

Hermes, walked through line by line — free 1-hour workshop
The free Hermes Agent crash courseReserve your spot

Access control approach: grant broad read permissions; lock down writes to specific service accounts or admin roles.

Tier 2: Role-scoped memory

This memory is readable and/or writable by agents acting on behalf of a specific role or team. An agent acting as a “sales assistant” can access sales data; it can’t access finance data.

Examples: CRM records for a sales team, support ticket history for a support agent, internal project notes for a specific department.

Good storage options: PostgreSQL with row-level security (RLS), Notion with page-level permissions, Airtable with role-based views.

Access control approach: tie access to an identity token or role claim passed at runtime. The database enforces scope, not just the agent’s prompt.

Tier 3: User-private memory

This is memory scoped to a single user or a single agent session. No other agent or user can see it.

Examples: a user’s preferences, conversation history, draft outputs, personal notes.

Good storage options: a user-keyed table in PostgreSQL, a private Notion page, a per-user key-value namespace.

Access control approach: enforce at the data layer using user IDs as row keys or namespace prefixes. Don’t rely on prompt-level instructions to keep data separate.

Implementing Access Control with Notion

Notion is a common choice for AI agent memory, especially for knowledge bases and structured content. It’s readable via API and easy for humans to manage directly.

Structuring Notion for multi-tier access

The key is to treat each Notion database as a tier rather than trying to control access at the row level within a single database.

For global shared memory, create a dedicated workspace or database that your agent integration can query in read-only mode. Grant the integration token only database read permissions — not page creation or property editing.

For role-scoped memory, create separate databases per team or role. Give each agent integration access only to the databases relevant to its role. If your sales agent needs customer notes but not compensation data, its Notion integration token should only be scoped to the sales databases.

For user-private memory, consider whether Notion is the right tool. Notion’s permission model is page- and database-level, not row-level. If you need per-user isolation, you’ll often get cleaner results from a database with proper row-level controls.

Practical tips for Notion-backed agent memory

  • Use database properties, not page body text, for structured data your agents write. Properties are easier to query and less likely to be corrupted by free-form writes.
  • Create separate integration tokens per agent role rather than one global token. This makes it easy to revoke access for one agent without affecting others.
  • Add a last_modified_by property to any database agents write to. When something goes wrong, you want to know which agent touched it last.

Implementing Access Control with GitHub

GitHub is less commonly used for agent memory but is well-suited for specific cases: versioned content, code-adjacent knowledge, and audit trails.

When GitHub makes sense as memory

GitHub is a good fit when:

  • Your agents work with documentation or code that benefits from version history
  • You want a built-in audit trail (every write is a commit with author, timestamp, and diff)
  • Your team already manages content through GitHub and wants agents to contribute to that same repo

Structuring GitHub for multi-tier access

Use branch protection and organization-level access control to define tiers.

For global shared memory, store content in the main branch of a repo all agents can read. Restrict push access — agents should only be able to open PRs or push to a staging branch, not write directly to main.

For role-scoped memory, use separate repos per team or role. GitHub’s organization permission model lets you grant team-level access to specific repos. An agent acting as a DevOps assistant can have write access to infrastructure docs without touching marketing content.

For audit-heavy workflows, every agent write becomes a commit. You can grep history, bisect problems, and revert specific changes without custom audit logging infrastructure.

Watch out for this

If you have agents writing to GitHub regularly, manage your commit noise. Give agent commits a consistent format (e.g., a bot prefix in the commit message) so humans can filter them in the commit history. Nothing is more annoying than trying to find a human change buried in hundreds of agent-generated commits.

Implementing Access Control with PostgreSQL Row-Level Security

For teams that need fine-grained, per-row access control, PostgreSQL’s row-level security (RLS) is the most robust option. It enforces access at the database level — which means even if an agent’s query tries to access data it shouldn’t, the database refuses.

How RLS works

RLS lets you define policies that filter which rows a given role or user can see. You define a policy on a table, and PostgreSQL applies it automatically for every query against that table — SELECT, INSERT, UPDATE, and DELETE.

A basic example: a memories table where each row belongs to a user.

-- Enable RLS on the table
ALTER TABLE memories ENABLE ROW LEVEL SECURITY;

-- Policy: users can only see their own rows
CREATE POLICY user_isolation ON memories
  USING (user_id = current_setting('app.current_user_id')::uuid);

When an agent queries this table, it sets a session variable (app.current_user_id) before running queries. PostgreSQL uses that variable to filter results automatically. The agent literally cannot see rows that don’t belong to the current user — even if it tries.

Designing policies for team memory tiers

For role-scoped memory, you’d define policies based on a role claim rather than a user ID:

CREATE POLICY role_isolation ON team_memories
  USING (team_role = current_setting('app.current_role'));

An agent acting as a sales assistant sets app.current_role = 'sales' at the start of each session. It can only read and write rows where team_role = 'sales'.

For global shared memory, you’d typically use a separate table without RLS — or a view that joins shared and role-scoped data and handles filtering transparently.

Setting role context at runtime

The critical implementation detail is that your agent must set the appropriate session variable before running queries. In practice, this usually means:

  1. The user authenticates (via your app layer).
  2. The app layer issues a JWT or session token with role claims.
  3. When the agent starts a database session, it sets SET LOCAL app.current_role = '<role from token>' before running any queries.
  4. RLS policies use that variable to filter results.
Get set up on Hermes in 1 hour
The free Hermes Agent crash courseReserve your spot

This keeps the enforcement at the data layer. Even if someone crafts a malicious prompt that tries to get an agent to query data it shouldn’t see, the database won’t return it.

Audit logging with RLS

You can extend this pattern to log every row accessed or modified by an agent. A trigger on the table can write to an audit_log table that records who accessed what and when. This is especially useful for compliance-sensitive use cases — healthcare, finance, legal — where you need to demonstrate data access controls are actually enforced, not just assumed.

Multi-Agent Pipelines: Access Control Across Agent Hops

When you’re running a multi-agent workflow — where Agent A calls Agent B which calls Agent C — memory access control gets more complex. The permissions don’t just need to be right for each individual agent; they need to be right across the entire chain.

The least-privilege principle for agent chains

Each agent in the chain should only have the permissions it needs for its specific task — not the permissions of the agent that called it.

A common mistake: Agent A has broad read access because it’s a supervisor agent. It calls Agent B to handle a subtask and passes along its own credentials or session token. Agent B now has broad read access too, even though it only needed narrow access for its subtask.

The fix: each agent authenticates independently. The calling agent passes context (user ID, role), but each agent re-establishes its own permissions based on that context — not by inheriting the caller’s credentials.

Passing memory context safely between agents

When Agent A needs to pass memory to Agent B, be explicit about what you’re sharing.

Don’t pass the entire memory store. Pass only what’s needed for the subtask. This limits blast radius if something goes wrong downstream, and it prevents accidental data exposure across agent roles.

A good pattern: Agent A retrieves what it needs from shared memory, constructs a minimal context object (just the relevant fields), and passes that to Agent B. Agent B only ever sees what A explicitly gave it — it doesn’t get a database connection to query more.

How MindStudio Handles Team Memory and Access Control

If you’re building multi-agent workflows for a team, MindStudio gives you a practical place to implement these patterns without standing up custom infrastructure from scratch.

MindStudio’s workflow builder lets you connect agents to external memory stores — including Notion databases, PostgreSQL instances, and GitHub repos — through its library of 1,000+ pre-built integrations. You can configure each agent with scoped connections, so a sales agent’s Notion integration token is different from an HR agent’s, and neither can access the other’s data.

For multi-agent pipelines, you can define what context gets passed between agents explicitly in the workflow design. Rather than letting agents inherit permissions from the calling step, you control exactly what data moves between nodes — which directly addresses the escalation-through-chaining problem.

A free 1-hour Hermes workshop
The free Hermes Agent crash courseReserve your spot

Teams at companies like Adobe and Microsoft use MindStudio for workflows that span multiple agents and data sources. The platform handles the infrastructure layer (auth, retries, rate limiting) so the access control design stays clean rather than getting tangled up in connection management.

You can try building your first multi-agent workflow on MindStudio for free — most teams have a working prototype in under an hour.

Common Mistakes and How to Avoid Them

Relying on prompt-level access control

If your only access control is “I told the agent not to look at other users’ data,” that’s not access control. It’s a suggestion. Prompts can be overridden by adversarial inputs, unexpected model behavior, or bugs in your logic. Enforce access at the data layer.

Using one integration credential for everything

A single Notion token or database user for all your agents means one compromised or misbehaving agent has access to everything. Use separate credentials per agent role. Revocation becomes surgical instead of catastrophic.

Not thinking about write access

Most teams think carefully about what agents can read, but forget to lock down writes. An agent that can write to shared memory can corrupt state, overwrite other agents’ outputs, or create data inconsistencies. Apply the same tiered approach to write permissions.

No audit trail

When something goes wrong — and it will — you need to know what happened. Build audit logging into your memory architecture from the start, not as an afterthought. Even a simple last_written_by and last_written_at on every row is better than nothing.

Letting memory grow unbounded

Private memory for users accumulates over time. If you’re storing conversation history or preferences per user, you need a retention policy. Old, stale memory can actually degrade agent performance — and it creates unnecessary storage and compliance risk.

FAQ

What’s the difference between shared memory and a shared knowledge base?

A shared knowledge base is a type of shared memory — specifically read-only reference content that multiple agents use for context. Shared memory is broader: it includes any persistent state that multiple agents can access, including writable state like workflow progress, shared task queues, or cross-agent communication channels.

Can I use vector databases for tiered memory access control?

Yes. Most vector databases (Pinecone, Weaviate, Qdrant) support namespace or collection-level isolation. You can store global shared embeddings in one namespace and role-scoped or user-private embeddings in separate namespaces, each with their own access credentials. The same tier model applies — the implementation just uses namespaces instead of database tables.

How do I handle memory for agents that serve multiple users?

The standard pattern is to include a user_id in every memory record and filter by it at query time. In PostgreSQL, RLS handles this automatically once you configure policies. In Notion or GitHub, you’d typically use separate pages or files per user, organized in a predictable structure your agent can navigate. The key is never letting one user’s data leak into another’s context, even implicitly.

Is row-level security in PostgreSQL enough on its own?

One coffee. One working app.

You bring the idea. Remy manages the project.

WHILE YOU WERE AWAY
Designed the data model
Picked an auth scheme — sessions + RBAC
Wired up Stripe checkout
Deployed to production
Live at yourapp.msagent.ai
RemyThe world's most powerful product manager agentTry Remy today

RLS is a strong enforcement layer, but it works best as part of a broader approach. You still need to manage how role context gets set at runtime (which means securing your app layer), and you should combine RLS with proper credential management (service accounts with minimal permissions rather than a superuser connection). RLS prevents data leakage at query time; it doesn’t protect you from a compromised connection string or misconfigured session setup.

What happens when an agent needs to access data from multiple tiers?

This is common. A supervisor agent might need to read from global shared memory and user-private memory in the same workflow. The right approach is to make each read explicit and scoped: query the global tier with a read-only credential, query the user-private tier with the appropriate user context set. Don’t combine them into a single query if you can avoid it — keeping them separate makes the access pattern auditable and easier to debug.

How often should I review and update memory access policies?

Treat memory access policies like IAM policies in cloud infrastructure: review them when you add new agents or roles, when the scope of an existing agent changes, and on a periodic schedule (quarterly is reasonable for most teams). The biggest risk is permissions creeping over time as agents are updated without revisiting what they actually need access to.

Key Takeaways

  • Memory in AI agent systems has three practical tiers: global shared, role-scoped, and user-private. Design all three deliberately — don’t let the boundary between them be implicit.
  • Prompt-level access control isn’t access control. Enforce permissions at the data layer using tools like PostgreSQL RLS, scoped API credentials, and namespace isolation in vector databases.
  • Notion, GitHub, and PostgreSQL each have different strengths: Notion is good for structured knowledge with human oversight; GitHub adds version history and audit trails; PostgreSQL gives the most granular per-row enforcement.
  • Multi-agent pipelines need per-hop permissions. Each agent in a chain should authenticate independently — don’t pass caller credentials downstream.
  • Write access deserves as much attention as read access. Uncontrolled writes to shared memory cause data corruption and state inconsistencies that are hard to debug after the fact.

If you’re building team AI workflows and want a platform that handles the integration and orchestration layer so you can focus on designing good memory architecture, MindStudio is worth exploring. Start free and see how far you can get.

Related Articles

How to Build an Agent-First Product: Lessons from Stripe, Google, and Anthropic

Discover the design principles behind agent-first products, from payment rails to discovery APIs, and how to make your app callable by AI agents.

Multi-Agent Workflows Integrations

What Is the Agent Integration Layer? How Compose.io Solves the N×M Enterprise Tool Problem

Every agent touching your CRM, ticketing, email, and calendar creates an N×M integration nightmare. Here's how managed integration layers fix it.

Multi-Agent Integrations Enterprise AI

How to Share AI Agent Memory Across a Team Without Exposing Private Data

Learn how to design shared vs private memory for team AI agents using Notion permissions, GitHub repos, and row-level security in a shared PostgreSQL database.

Multi-Agent Workflows Enterprise AI

What Is the Dark Factory Approach to AI Agent Pipelines? How to Remove Human Bottlenecks

A dark factory AI pipeline uses agents for PR reviews, merge conflicts, and monitoring so humans move from in-the-loop to over-the-loop oversight.

Automation Workflows Enterprise AI

Presented by MindStudio

No spam. Unsubscribe anytime.