Modern Industrial Control Systems (ICS) increasingly operate across heterogeneous compute tiers, from cloud servers to resource-constrained edge nodes, making it difficult to deploy a single anomaly detection solution that is both accurate and lightweight. The rapid evolution of the Industrial Internet of Things (IIoT) has exacerbated this divide, creating a fragmented security landscape in which critical remote edge devices often lack the sophisticated monitoring capabilities found in central command centers, thus creating blind spots that sophisticated adversaries can exploit, particularly in geographically distributed edge devices. To address this gap, we present EAI-ABA (Edge AI-based Anomaly Behavior Analysis) architecture, an edgefirst architecture for anomaly behavior analysis that scales from lightweight, on-device monitoring to stronger back-end analysis while preserving detection quality. At its core is AICAT, which extends the Anomaly Transformer by fitting an EM-optimized Gaussian Mixture Model to anomaly scores and using AIC to select mixture complexity, enabling adaptive, datadriven thresholding without manual tuning. EAI-ABA provides two coordinated modes: Edge mode delivers low-latency ondevice anomaly detection and response, leveraging TorchAO quantization and the ExecuTorch runtime to reduce memory and compute cost, and pairing detection with a compact, modematched RAG-based assistant that summarizes evidence and recommends mitigation actions locally. When additional resources are available, Performance mode runs the full pipeline on a server for deeper analysis and maximum stability, with LLM configurations scaled accordingly for richer investigation support. Experiments on SWaT ICS testbed show that Performance mode achieves an F1 score of 96.33%, outperforming strong baselines, while Edge mode significantly reduces computational cost with only a small F1 drop, enabling fast on-site detection and reliable long-term operation.