Artificial Intelligence for Cybersecurity in IoT-Edge Systems: A Structured Review of Methods, Datasets, Evaluation, and Deployment Challenges

The convergence of the Internet of Things (IoT), edge computing, and artificial intelligence (AI) is reshaping cyber defense in distributed cyber–physical environments. IoT-edge systems expose heterogeneous, resource-constrained, and intermittently connected devices to threats that unfold close to sensing and control processes, making purely signature-based or rule-based defenses increasingly insufficient. This article presents a structured review of AI for cybersecurity in IoT-edge systems from a systems-oriented perspective. Rather than surveying AI for IoT security in general, it organizes the literature around four practical lenses: AI methods, datasets and benchmarks, evaluation practice, and deployment constraints. The review reconstructs a workspace-verifiable corpus of 96 references, emphasizes literature published between January 2023 and April 2026 while retaining foundational benchmark papers, and uses a conservative 26-paper empirical subset for paper-level gap coding. Because this subset was purposively sampled and the original retrieval logs were not preserved, coded counts are interpreted as recoverable reporting signals and comparability indicators rather than field-level prevalence estimates. The revised synthesis further stratifies the coded evidence by task, model family, dataset, application scenario, metric type, and deployment signal, and translates deployment feasibility into a minimum reporting checklist and edge-hardware decision matrix. Within this evidence boundary, recent work remains dominated by intrusion and anomaly detection, with continued use of traditional machine learning, deep learning, federated learning, explainable AI, and graph-based approaches. However, experimentation remains concentrated around a small set of public benchmarks, while latency, memory, energy, communication overhead, operational robustness, and reproducibility are reported inconsistently. The field is therefore constrained less by classifier novelty than by benchmark concentration, weak deployment reporting, limited response-and-mitigation analysis, undercoverage of authentication, access-control, and trust-management tasks, and limited reproducible edge-aware evaluation.