Many organizations now operate under strict data governance requirements—whether driven by the EU’s General Data Protection Regulation (GDPR), Digital Operational Resilience Act (DORA), or NIS2 directive, by other national security classifications, or by sector-specific regulations in financial services, healthcare, government, and defense. These organizations, like everyone today, are increasingly seeking to adopt AI-powered infrastructure management and intelligence, but regulatory constraints mean they must figure out how to do so without sending data to the cloud.Red Hat Lightspeed (formerly Red Hat Insights) is a predictive analytics service that provides proactive infrastructure health analysis, vulnerability scanning reporting, and remediation guidance. But for disconnected, air-gapped, or privacy-sensitive and regulated environments, sending host telemetry to an external cloud service is a no-go, and may not even be physically possible.Red Hat Satellite 6.19 can help solve this problem. With the Red Hat Lightspeed on premise capability, the advisor engine, vulnerability analysis, host inventory, Kafka message bus, API gateway, and remediation framework all run as a set of containerized microservices directly on your Satellite server. No data leaves your infrastructure. We plan to bring even more functionality for Red Hat Lightspeed on premise in future versions.NOTE: This feature was originally referred to as Insights on Premises, or IOP. For the purposes of backend compatibility and integration, various individual container images, such as iop-gateway-rhel9:6.19, along with other artifacts, retain this original naming convention within the internal service architecture.Built for data sovereignty Red Hat Lightspeed on premise is suitable for environments subject to:GDPR: Personal data processing stays within your data residency boundary.DORA: Critical information and communications technology (ICT) service data remains within the control of regulated entities. NIS2 directive: Essential and important entity infrastructure data stays on-premise.National security classifications: Works with air-gapped deployments with no external data flow.Financial services regulations (BaFin, FCA, etc.): Infrastructure telemetry never leaves the regulated perimeter.Healthcare (HIPAA, other national equivalents): System configuration data stays within the covered entity.When Red Hat Lightspeed on premise is enabled:All host telemetry stays local. Facts, package lists, vulnerability assessments, and advisor recommendations are processed and stored in Satellite's PostgreSQL database. Nothing is transmitted externally.CVE data is a controlled import. The vulnerability service uses a static cvemap.xml file. If you are in a completely disconnected environment, you can download this file and transfer it on your own schedule. You decide when and how security metadata enters your environment.Not a single bit goes to the cloud. Red Hat Lightspeed on premise services have no outbound network requirements. They operate identically whether Satellite has internet access or sits in a fully air-gapped network.Installing Red Hat Lightspeed on premiseThe prerequisites for installation are:Red Hat Satellite 6.19 (or 6.18+) installed and operationalInternal databases (Red Hat Lightspeed on premise cannot be used with external PostgreSQL)Sufficient free resources: the 19 Red Lightspeed on premise containers add approximately 4 to 6 GB of memory usage and some CPU usage as wellPlease note that the Satellite service will restart as part of the setup process, so you should perform these steps during a planned maintenance window.To initiate the setup in a connected environment, simply execute the following command on the Satellite server: #satellite-installer --enable-iopThe installer will:Pull container images from registry.redhat.ioCreate the iop-core-network Podman networkDeploy and start all Red Hat Lightspeed on premise services as systemd-managed Podman quadletsConfigure the Satellite web UI to display the Red Hat Lightspeed menu itemsCreate Kafka topics for inter-service messagingThe process takes approximately 10 to 15 minutes, depending on network speed for the image pulls. In a connected environment, CVE data will be populated automatically. To begin installation from a disconnected or air-gapped environment, load the container images from the Satellite ISO. If you installed Satellite in a disconnected environment, all of these necessary container images will be included in this ISO:#cd /media/sat6/