You bought an internal developer platform. Or you built one. Either way, your developers now have a beautiful catalog: every service has a tile, every tile has owners, scorecards, runbook links, and a "Deploy" button. Onboarding feels modern. Leadership is happy.
Then a developer clicks "Provision a Postgres database." A Jira ticket gets created. A GitHub Action fires. A Slack message pings the platform team. Three days later, the database exists.
That gap — between the portal saying "click here" and something actually happening — is the entire subject of this article. The market has quietly split internal developer platforms into two fundamentally different things, and most buyers can't tell them apart until they're six months into a rollout. The distinction is portal IDP vs execution IDP: a portal IDP shows you the door; an execution IDP walks through it and does the work.
Get this distinction wrong and you'll spend a year building golden paths that still bottleneck on the same three people who always provisioned the infrastructure. Get it right and self-service stops being a UI and starts being a capability.
TL;DR — Portal IDP vs Execution IDP
- A portal IDP is a developer-facing presentation layer: a software catalog, scorecards, templates, and links into the tools that actually do the work (CI, Terraform, cloud consoles, ticketing). It orchestrates by reference — it tells other systems to act, or tells humans to act, and shows the result.
- An execution IDP owns the action. It provisions cloud resources, deploys workloads, runs Helm operations, opens GitOps pull requests, scales deployments, and remediates incidents — directly against your clusters and cloud accounts.
- Most "IDPs" sold today are portals. That's not a flaw; portals are valuable. But a portal on top of a manual backend is still a manual backend with a nicer front door.
- The question to ask any IDP vendor or any internal build proposal: "When a developer clicks the button, what runs the action — your platform, or a human reading a ticket?"
- This is a different axis from the more familiar IDP vs PaaS comparison. PaaS is about who owns the abstraction; portal-vs-execution is about what owns the action.
Same developer experience on the surface. Completely different machine underneath.
Why this distinction got blurry
Platform engineering exploded as a discipline because the previous model — every developer learning Kubernetes, Terraform, IAM, and Helm — didn't scale. The promised cure was the internal developer platform: a self-service layer that gives developers paved roads (golden paths) so they can ship without becoming infrastructure experts.
The first widely adopted open-source IDP tooling was Spotify's Backstage, and Backstage is, by design, a portal. Its core primitives are the software catalog, the TechDocs system, software templates (scaffolder), and a plugin framework. It is exceptional at surfacing information and kicking off workflows. What it does not do — out of the box — is provision a VPC, roll a canary, or patch a CrashLoopBackOff. It delegates all of that to plugins that, in turn, call your real systems.
That delegation is the crux of the confusion. When a Backstage-style portal has a "Create Service" template wired to a GitHub Action that runs Terraform that hits AWS, the developer's experience looks like execution. But the portal didn't execute anything. It rendered a form, committed a file, and waited for a pipeline somebody else maintains. The execution lives entirely outside the IDP.
This is fine until you ask the operational questions: Who owns the pipeline? What happens when the Terraform apply fails halfway? Where's the approval gate? Who has permission to actually touch production? In a portal model, every one of those answers is "somewhere else." The IDP is a viewer, not an operator.
Useful mental model: a portal IDP is a read-and-link layer with a launch button. An execution IDP is a read-and-act layer that holds the credentials, runs the operation, tracks its state, and can roll it back.
The two layers, defined precisely
Let's make this concrete instead of philosophical. Here is what each layer actually consists of.
What a portal IDP owns
- Software catalog — a registry of services, owners, dependencies, and metadata.
- Scorecards / maturity tracking — "Does this service have a runbook? An on-call? A passing security scan?"
- Templates / scaffolding — generate a new repo from a golden template; create the boilerplate.
- Documentation surfacing — TechDocs, links to dashboards, links to runbooks.
- Workflow launch points — buttons and forms that trigger an external system (a CI job, a webhook, a ticket).
Notice the verbs: register, track, generate, surface, trigger. None of them is provision, deploy, scale, patch, roll back. The portal's job ends the moment it hands off.
What an execution IDP owns
- Provisioning — it stands up clusters and cloud resources (databases, queues, buckets, caches) directly against AWS/GCP, tracks each resource's lifecycle, and polls it to healthy.
- Deployment — it ships your code: builds, pipelines, GitOps reconciliation, rollouts, and one-click rollback.
- Day-2 operations — Helm install/upgrade/rollback, scaling deployments, editing resources, running terminal sessions into pods.
- Remediation — when something breaks, it doesn't just draw a red dot; it proposes and applies a fix (a
kubectl patch, a scaled replica count, or a pull request to your GitOps repo). - Governance over the action — because it holds the credentials and runs the operation, the approval gate, the audit log, and the blast-radius policy live inside the platform, not in a pipeline nobody fully owns.
The verbs here are operational: provision, deploy, upgrade, scale, patch, remediate, roll back. That's the entire difference. A portal coordinates work. An execution IDP performs it.
A worked example: "give me a staging environment for the payments service"
Picture a developer on a fintech team who needs an isolated staging environment for a payments service — an EKS namespace, a Postgres instance, a Redis cache, and the service deployed with the right secrets.
On a portal IDP: the developer fills out a scaffolder form. It opens a PR adding a Terraform module and a Helm values file. A GitHub Action runs terraform apply (maintained by the platform team), Atlantis or a custom workflow handles state, External Secrets syncs credentials, and Argo CD eventually reconciles the manifests. The portal shows a catalog entry and links to the resulting dashboards. If the terraform apply fails on an IAM permission, the developer sees a failed Action — and files a ticket. The portal is a spectator to its own promise.
On an execution IDP: the developer selects a blueprint, fills in the same parameters, and the platform itself provisions the database and cache through its provider integrations, opens the Argo CD application (or a GitOps PR) for the deployment, wires the secrets, and polls each resource until it reports healthy — surfacing the live status as it goes. If the request crosses a policy boundary (production data, a cost threshold, a regulated namespace), it routes to an approval queue before anything is created. The platform is the actor.
Same developer experience on the surface. Completely different machine underneath.
Portal IDP vs Execution IDP: comparison matrix
| Dimension | Portal IDP (Backstage-style) | Execution IDP |
|---|---|---|
| Primary job | Surface, catalog, link, launch | Provision, deploy, operate, remediate |
| Relationship to your stack | Sits on top of existing tools | Is the operational layer (still integrates) |
| "Deploy" button does what? | Triggers an external pipeline/webhook | Runs the deployment / opens the GitOps PR |
| Provisioning | Delegated to Terraform pipelines you own | Executes via provider integrations + lifecycle tracking |
| Day-2 ops (scale, patch, exec) | Links out to kubectl / cloud console | Performed in-platform via an agent |
| Incident remediation | Shows the alert / links to a runbook | Proposes + applies a fix or PR, then verifies |
| Where credentials live | Mostly in the external pipelines | In the platform (scoped, audited, gated) |
| Where approval/audit lives | Scattered across CI, ticketing, cloud | Centralized in the platform |
| Time-to-value | High (build/maintain every plugin + backend) | Lower (the backend ships with it) |
| Failure mode | "It worked in the UI but nothing happened" | "The action ran; here's its state and rollback" |
| Best when | You already have a mature, automated backend and want a unified front door | You want self-service that actually executes, not just displays |
The matrix is not a verdict that portals are bad. It's a map. If you already operate a fully automated, well-owned backend — every provisioning path is GitOps, every pipeline is bulletproof, every cloud action is codified — then a portal is the missing 10%: the unifying front door. If your backend is partly manual (and for most teams it is), a portal makes the manual parts feel automated without making them automated. That's the trap.
How to tell which one you have (or are about to buy)
You don't need a vendor's marketing deck to classify an IDP. Run these tests.
Test 1: The credential test
Ask: where do the cloud and cluster credentials that perform actions live? If the answer is "in the CI system" or "in the Terraform runners" or "developers still use their own kubectl context," you have a portal sitting on top of an external execution layer. If the answer is "the platform holds scoped, audited credentials and runs the operation itself," you have an execution IDP. The platform that holds the credentials is the platform that executes.
Test 2: The failure test
Trigger a deliberate failure — request a resource that violates an IAM policy, or deploy a manifest with a bad image tag. Where does the failure surface, and who recovers it?
- Portal: the failure appears in the external pipeline (a red GitHub Action, a failed Terraform plan). The IDP shows, at best, a status badge. Recovery happens outside the IDP — usually as a ticket to the platform team.
- Execution IDP: the failure surfaces in the platform, attached to the action you took, with the error, the state of the partially-created resources, and a path to retry, fix, or roll back. The platform owns the recovery story because it owned the action.
Test 3: The day-2 test
After a service is live, can a developer scale it, exec into a pod to debug, upgrade its Helm release, or roll it back — from the platform? Or does the platform link them to a terminal, a cloud console, and a CI re-run?
A portal's job effectively ends at "day 1" (the service exists and is cataloged). Day-2 operations — the 95% of a workload's life — are where the portal-vs-execution gap is most painful, because that's where "link out to kubectl" quietly recreates the bottleneck the IDP was supposed to remove.
Test 4: The remediation test
This is the sharpest test, because it's the one AIOps and AI-SRE hype most often paper over. When an incident fires:
- A portal (and most "observability with AI" tools) detects and displays: here's the CrashLoopBackOff, here's the probable cause, here's a link to the runbook.
- An execution IDP detects, decides, and acts: it can apply the patch, scale the deployment, or open a pull request against your GitOps repo — and then verify the fix held, with a rollback if it regressed.
Detection is table stakes. Actuation is the dividing line. If your "AI SRE" can write a perfect root-cause analysis but can't change a single field in a manifest, it's a portal feature wearing an execution costume.
The new test nobody is running yet: is your IDP AI-operable?
Here is the shift that will decide this category over the next two years, and almost nobody is designing for it.
The audience for developer self-service is no longer only human developers clicking buttons. It is increasingly the AI agents those developers delegate to. And an agent cannot use a dashboard. It cannot read a scorecard, hover a tooltip, or interpret a red badge. What an agent needs is a programmatic surface it can reason about and safely act on — a contract with clear operations, clear preconditions, and clear blast-radius limits.
This exposes the portal model's deepest limitation. A catalog is a human interface. It has no verbs an agent can call, because the verbs were always somewhere else — in the CI system, in the Terraform runner, in a human's kubectl session. You cannot delegate to an agent a platform whose primary capability is rendering.
An execution IDP, by contrast, is agent-shaped almost by accident. Because it already holds the credentials, already exposes real operations (provision, deploy, scale, patch, roll back), and already wraps those operations in RBAC, approval gates, audit trails, and reversibility — it is exactly the kind of surface you can hand to an agent without terror. The guardrails that make an execution IDP safe for a junior developer are the same guardrails that make it safe for an AI.
So add a fifth test to your evaluation: could an AI agent operate this platform on my behalf, under my policies, without me losing sleep? If the honest answer is "no, because there's nothing for it to operate," you have a portal — and you're going to hit that wall sooner than you think.
The honest caveats (this is not portal-bashing)
A fair comparison admits what portals do better.
- Portals are unmatched as a catalog and a system of record. If your real problem is "we have 600 services and nobody knows who owns what," a portal solves that directly, and an execution IDP that ignores cataloging won't.
- Portals are tool-agnostic by design. Because they only link and trigger, they integrate with anything without owning it. That neutrality is genuinely valuable in a heterogeneous, multi-team org with strong existing automation.
- Backstage's ecosystem is a real moat. It's the category standard for a reason: an enormous plugin library, CNCF backing, and a huge community. If you need to integrate with an obscure internal tool, someone has probably already written the plugin.
- Execution IDPs carry more responsibility. A platform that holds credentials and runs
kubectl patchagainst production is a higher-trust, higher-blast-radius system. It must have real RBAC, approval gates, audit trails, and rollback — or it's dangerous. A read-only portal can never accidentally take down prod, because it can't touch prod.
The mature take is not "execution good, portal bad." It's: portals and execution are different layers, and pretending a portal is an execution platform is how you ship a year of UI and still bottleneck on tickets. Many teams ultimately want both — a catalog and an engine. The mistake is buying the catalog and assuming the engine came with it.
Where Atmosly fits: an execution IDP
Atmosly is built on the execution side of this line, and it's worth being specific about why — because "it executes" is a claim that only matters if it's backed by real mechanics.
Atmosly is positioned explicitly as the internal developer platform that does the work — it provisions, ships, and runs, rather than only visualizing other tools. Concretely:
- Direct cluster operations via an in-cluster agent. For both managed and imported clusters, operations are executed by an agent running inside the cluster — not by linking you to a terminal. Helm install/upgrade/rollback, deploying and deleting resources, scaling deployments, live terminal sessions into pods. The agent is read-only by default, and customer data never leaves the cluster.
- Cloud resource provisioning with a real lifecycle. Databases, node groups, and add-ons provisioned from curated blueprints, tracked through their lifecycle and polled to healthy before reporting success.
- Self-service with governance — because it holds the action. Since the platform performs the action, the controls live where they belong: guardrails on every provisioning action, scoped and audited, with approval gates for anything that crosses a policy boundary.
- Delivery and GitOps actuation. Visual and GitOps pipelines with one-click rollback, plus environment cloning for a full preview environment per pull request.
- Remediation that acts and verifies. Astra, the AI SRE agent, goes past detection: on a real failure it infers the root cause and opens the pull request that fixes it — reviewed and merged by a human, with a full audit trail and every action reversible.
None of that is a catalog tile linking out to a console. It's the platform performing operations directly, with the credentials, the approval gate, the audit trail, and the rollback living inside the platform that did the work. And critically: a human still merges the PR. Reviewability isn't a limitation here — it's the reason teams trust it enough to actually adopt it.
A decision framework: which do you actually need?
Choose based on where your real bottleneck is.
Choose a portal IDP (or portal-first) when:
- Your dominant pain is discovery and ownership — "who owns this, is it healthy, where are the docs" — across hundreds of services.
- You already have a mature, fully automated, well-owned backend (every provisioning path is codified GitOps; pipelines are reliable; nobody recovers failures by hand).
- You have a platform team with the appetite to build and maintain the plugins and backend integrations that make the portal's buttons real. Integrating a portal's backend is not a one-time job; it's a standing commitment — typically two to three dedicated engineers, indefinitely.
Choose an execution IDP when:
- Your bottleneck is the action: provisioning still routes through tickets, deploys depend on a few experts, day-2 ops live in cloud consoles, and incidents wait on humans to apply fixes.
- You want self-service that genuinely removes the platform team from the critical path — not a UI that re-files the same request more elegantly.
- You need governance on the action itself (approvals, policy, audit, rollback) and don't want it scattered across CI, ticketing, and the cloud console.
- You're a startup or scale-up without the headcount to build and forever-maintain a portal's execution backend. Building a usable IDP in-house typically means four to six engineers and roughly twelve months before developers see real golden paths — then it becomes a permanent cost centre.
- You expect AI agents to operate your infrastructure, and you need a programmatic surface with real guardrails rather than a dashboard.
Often, the honest answer is "both, sequenced." Many organizations land on an execution IDP for the heavy operational lifting and a portal as the catalog/system-of-record on top, integrated. Atmosly coexists with a portal — it powers the workflows while Backstage or Port stays the front door. The error to avoid is buying only the portal and discovering, two quarters in, that the door you so elegantly labeled still requires a human on the other side to open it.
Key Takeaways
- A portal shows you the door. An execution IDP walks through it. That's the whole distinction, and it decides whether your platform removes toil or repackages it.
- Most IDPs sold today are portals. That's not a flaw — but a portal on top of a manual backend is still a manual backend with a nicer front door.
- Run the five tests: credentials, failure, day-2, remediation, and AI-operability. They classify any IDP faster than a vendor deck.
- Detection is table stakes; actuation is the dividing line. An AI SRE that can't change a field in a manifest is a portal feature in an execution costume.
- The next user of your IDP is an agent. Agents can't click dashboards. They need a programmatic surface with real guardrails — which is what an execution IDP already is.
Conclusion: a button is a promise; execution keeps it
The portal IDP vs execution IDP distinction matters because it maps directly to whether your platform investment removes toil or merely repackages it. A portal shows you the door — beautifully, with scorecards and golden-path templates and a tidy catalog. An execution IDP walks through the door and does the work: it provisions the database, ships the code, scales the deployment, patches the incident, and rolls back if the fix regresses.
With GitOps as the default deploy model and AI SRE moving from "explains the problem" to "fixes the problem," the teams that win are the ones whose platform acts. Evaluate every IDP — bought or built — with one question: when the developer clicks the button, what runs the action? If the answer is "a human reading a ticket," you have a portal. If the answer is "the platform," you have an execution IDP.
Where to Go Next
- The Atmosly Internal Developer Platform — provision, ship, and run on one control plane.
- Internal Developer Platform vs PaaS — the adjacent question of who owns the abstraction.
- Golden Paths in Platform Engineering — how to give developers a paved road instead of a blank page.
- Best Kubernetes Management Platforms: Top 15 Compared — where the portals and platforms actually land.
If you want to see execution rather than read about it, connect a cluster read-only and watch a provision, a deploy, and a remediation run end to end on your own workloads — then compare that to the button on your current portal. Free, no sales call.
