Whitepaper

The State of the Intelligent Edge

Introduction

A report from Portainer for operators who need to manage AI-enabled distributed edge compute

The hardware floor of edge computing has shifted from sensors to GPU-capable Linux compute running containerized AI workloads. Most current management approaches were not built for this floor. The State of the Intelligent Edge names the gap, sets out the architectural pattern that closes it, and gives operators three diagnostic questions for evaluating their current setup.

What's Inside

  • The hardware shift at the edge
  • The management gap: where standard Kubernetes, traditional fleet management, and VPN-based remote access each fail
  • A four-principle reference architecture: lightweight orchestration, outbound-only connectivity, single management plane, process-level access
  • Three deployment models from single-device to distributed mini-cluster
  • Compliance mapping for NIS2, IEC 62443, FIPS 140-3, HIPAA, and PCI DSS
  • Customer evidence from Aveiro Tech City, Cummins, and a global surgical intelligence provider

Who It's For

OT engineers, IT and platform leaders, and procurement teams responsible for distributed edge compute deployments. The report sits at the IT/OT convergence and speaks to both sides.

Download the Full Report

Download the complete State of the Intelligent Edge Report

Frequently Asked Questions About the Intelligent Edge

What is the intelligent edge?

The intelligent edge is the layer of distributed compute that runs AI inference, computer vision, predictive analytics, and autonomous decision-making on hardware close to where the data is produced. Unlike sensor-class IoT, intelligent edge devices run the workloads themselves on GPU-capable Linux compute.

What is edge management architecture?

Edge management architecture is the combination of orchestration, connectivity, access control, and lifecycle management used to operate fleets of edge devices. A fit-for-purpose edge management architecture survives intermittent connectivity, runs on constrained hardware, and keeps the device's attack surface closed by design.

What is lightweight edge orchestration?

Lightweight edge orchestration is a Kubernetes distribution purpose-built for single-device deployment. It runs in under 200 MB of RAM, requires no etcd quorum or multi-node networking layer, and remains compatible with standard Kubernetes tooling. Portainer's KubeSolo is one example of this pattern.

What is outbound-only edge connectivity?

Outbound-only edge connectivity is a network architecture where edge devices initiate encrypted tunnels to a self-hosted management plane and listen for no incoming traffic. Inbound ports are closed. To any external observer, the device does not appear on the public internet. This removes the attack surface created by VPN-based remote access patterns.

What is process-level access control?

Process-level access control grants network tunnels to specific processes or workloads rather than subnets. A workload on the edge device is granted a tunnel only to the specific process at the control plane it needs to communicate with. A compromise of the local operating system cannot be used to pivot to the broader network.

What is a single management plane for edge devices?

A single management plane governs OS lifecycle, container orchestration, workload deployment, and access control through one interface. Operators see services, sites, and roles rather than the underlying Kubernetes complexity. The plane consolidates capabilities that most edge environments currently spread across separate fleet management, container runtime, observability, and identity tools.

Why don't data-center orchestration tools work at the edge?

Data-center orchestration assumes constant connectivity, abundant compute, and uniform hardware. None of those hold at the edge. When the network drops, standard Kubernetes loses quorum and can terminate local workloads. The control-plane footprint also exceeds what most edge devices can spare.

Why is VPN-based remote access a problem at the edge?

A VPN opens an inbound port on the device to listen for management connections. That port is enumerable on the broader network. Any vulnerability in the VPN client, device firmware, or OS becomes a fleet-wide doorway. Outbound-only connectivity removes the attack surface by construction.

How do I evaluate my current edge management approach?

Three diagnostic questions surface whether your current setup will hold at the next fleet expansion: whether per-device management cost compounds as the fleet grows, whether your attack surface includes inbound ports on field devices, and whether one management plane governs OS, orchestration, workload, and lifecycle. The full diagnostic framework is in the report.

What is KubeSolo?

KubeSolo is a lightweight Kubernetes distribution from Portainer designed for single-device edge deployment. It removes etcd, replacing it with a SQLite-backed key-value store via Kine, and runs the full Kubernetes API server, scheduler, controller manager, and kubelet as a single process in under 200 MB of RAM. KubeSolo retains full API compatibility with standard Kubernetes tooling, including Helm, manifests, CRDs, and ecosystem operators.

What is Portainer?

Portainer is a self-hosted operational control plane for container platforms in industrial and IoT environments. It manages Docker, Podman, and Kubernetes deployments through a single interface, from single edge devices to multi-node clusters, with an emphasis on operational simplicity, security, and offline-capable architecture.
