Claude Agent SDK Deployment: You Cannot Deploy an AI Agent Like a Lambda Anthropic's Claude Agent SDK cannot be deployed like a stateless function because it operates as a long-running process with a shell, filesystem, and untrusted input, posing data exfiltration risks. The article outlines three container lifecycle patterns and an isolation ladder from sandboxes to microVMs, emphasizing prompt injection as a deployment threat and recommending a non-bypassable proxy for security. Member-only story Claude Agent SDK Deployment: You Cannot Deploy an AI Agent Like a Lambda Part 10: It has a shell, a memory, and untrusted input pointed straight at it. Hosting the Claude Agent SDK is a question of architecture and isolation, not “where do I put the function.” You know how to ship an LLM feature. An agent breaks every assumption you brought with you, and the failure mode is not a bad response, it is your customer data leaving the building. An AI agent is not a stateless function. It is a long-running process with a shell, a filesystem, and untrusted input pointed at it, so deployment is a question of architecture and isolation, not just where you host the function. In this article: You will learn why an AI agent built on the Claude Agent SDK cannot be hosted like a stateless function, the three container lifecycle patterns that cover almost every real deployment, and a practical isolation ladder, from a five-minute sandbox to a hardened container to per-agent microVMs. By the end you will understand prompt injection as a deployment threat, and the one architectural move, a proxy the agent cannot bypass, that makes it survivable.