Image 1: Workforce hub – components overview
Workforce hub – components
The Workforce Hub by Things Solver is an AI-powered platform designed to create, manage, and optimize digital employees—AI agents tailored to perform specific business tasks. It integrates advanced tools like Agent Studio, Skills Studio, Tools Registry, Brain Studio, and Knowledge Studio to streamline operations, enhance efficiency, and ensure consistent, human-like interactions across various business functions.
Image 2: Workforce hub – components explained
Agent studio: Crafting your ideal AI agent
Agent Studio empowers businesses to design AI agents with specific roles and responsibilities. Whether you need a service representative, banking assistant, sales agent, or marketing specialist, you can select from pre-made templates or customize agents to fit unique requirements. By defining the agent's name, role, and skills, and setting communication guardrails, you ensure that each AI agent aligns with your brand's voice and operational standards.
Image 3: Agent studio
Image 4: Agent studio - creating new agent
Skills studio: Defining agent capabilities
In Skills Studio, you can assign and customize the skills your AI agents need to perform their tasks effectively. This includes selecting appropriate tools from the Tools Registry, which offers a range of pre-built utilities for tasks like data retrieval, calculations, and API calls. For specialized needs, you can develop custom tools using Python code, ensuring that your AI agents are equipped to handle complex, domain-specific tasks.
Image 5: Skill studio
Image 6: Skill studio – creating new skill
Brain studio: Enhancing human-like interactions
Brain Studio integrates advanced Large Language Models (LLMs) to enable AI agents to understand context, interpret diverse inputs, and provide intelligent, human-like responses. This capability ensures that customer interactions are more natural and effective, moving beyond the limitations of traditional chatbots.
Knowledge studio: Centralizing information access
Knowledge Studio serves as the AI agent's knowledge base, allowing you to provide resources such as company policies, guidelines, and other relevant information. By supporting various data sources and formats, it ensures that AI agents have immediate access to up-to-date information, enabling accurate and consistent responses. This centralized approach reduces the risk of human error and enhances overall productivity.
Tools registry: Expanding agent functionality
The Tools Registry complements the Skills Studio by offering a suite of tools that can be integrated into AI agents to perform specific tasks. From automating workflows to handling complex calculations, these tools enhance the capabilities of your AI workforce. For unique operational needs, custom tools can be developed, ensuring that AI agents are tailored to your business processes.
Image 7: Tool registry
Image 8: Tool registry – creating new tool
Conclusion
The Workforce Hub provides a comprehensive platform for developing AI agents that can seamlessly integrate into various business operations. By leveraging its modular components—Agent Studio, Skills Studio, Tools Registry, Brain Studio, and Knowledge Studio—you can create a customized AI workforce that enhances efficiency, ensures consistency, and delivers human-like interactions across your organization.
Architecture overview
The following image shows an overview of the solution components.
Image 9: Solution components
At the foundation, the platform leverages Istio's service mesh capabilities to establish a secure communication framework, where every service-to-service interaction is protected by mutual TLS (mTLS). Istio's control plane manages service discovery and configuration, while its data plane (Envoy proxies) handles traffic management and security policy enforcement. This mesh layer provides automatic certificate management, rotation, and identity-based authentication between services, creating a zero-trust network architecture where all communications are encrypted and authenticated by default.
Building on this secure foundation, Keycloak provides a sophisticated identity and access management layer that implements both role-based (RBAC) and attribute-based (ABAC) access control. Custom RBAC policies allow fine-grained control over service-specific permissions, while ABAC extends this by incorporating dynamic attributes like user clearance levels, resource classifications, and environmental conditions into access decisions. Sensitive data protection is achieved through context-aware redaction rules that can mask or filter sensitive information based on JSON paths and regular expression patterns. This combination of Istio's service mesh security and Keycloak's advanced IAM capabilities creates a comprehensive security model that ensures secure service-to-service communication while maintaining fine-grained access control and data protection.
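As an added illustration of the context-aware redaction rules described above (example code written for this page, not the platform's own implementation), assume each rule is a dotted JSON path (with `[*]` for list elements), an action (`mask` keeps the field, `filter` drops it) and an optional regex that the value must fully match before the rule fires:

```python
from __future__ import annotations
import json
import re
from typing import Any

MASK = "***REDACTED***"

# Constructed rules in the assumed format; the regex on the card rule makes it
# context-aware: only raw 16-digit numbers are masked, already-masked values pass.
REDACTION_RULES = [
    {"path": "customer.ssn", "action": "mask"},
    {"path": "customer.cards[*].number", "action": "mask", "pattern": r"\d{16}"},
    {"path": "customer.notes", "action": "filter"},
]

# Constructed sample response as it might leave a backend service.
SAMPLE_RESPONSE = {
    "customer": {
        "name": "Ana Example",
        "ssn": "123-45-6789",
        "notes": "internal risk remarks",
        "cards": [
            {"number": "4111111111111111", "brand": "visa"},
            {"number": "****1111", "brand": "visa"},  # masked upstream already
        ],
    },
    "request_id": "constructed-01",
}

def _apply(parent: dict, key: str, rule: dict) -> None:
    """Mask or drop parent[key] if the rule's optional pattern matches the value."""
    if key not in parent:
        return
    pattern = rule.get("pattern")
    value = parent[key]
    if pattern and not (isinstance(value, str) and re.fullmatch(pattern, value)):
        return
    if rule["action"] == "filter":
        del parent[key]
    else:
        parent[key] = MASK

def _walk(node: Any, parts: list[str], rule: dict) -> None:
    """Follow the dotted path; a '[*]' suffix fans out over every list element."""
    if not isinstance(node, dict) or not parts:
        return
    head, rest = parts[0], parts[1:]
    if head.endswith("[*]"):
        for item in node.get(head[:-3], []) if rest else []:
            _walk(item, rest, rule)
    elif rest:
        _walk(node.get(head), rest, rule)
    else:
        _apply(node, head, rule)

def redact(document: dict, rules: list[dict] = REDACTION_RULES) -> dict:
    """Return a redacted deep copy so the caller's original is never mutated."""
    redacted = json.loads(json.dumps(document))
    for rule in rules:
        _walk(redacted, rule["path"].split("."), rule)
    return redacted
```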
The platform's networking foundation is designed to be cloud-agnostic and deployable on-premises. It follows a segmented network architecture with clear separation between public and private zones. Public zones are limited to hosting components such as load balancers and bastion hosts, while private zones contain the core application workloads and data stores. Virtual firewalls (e.g., security groups or network ACLs, depending on the environment) enforce the principle of least privilege—for instance, application servers in private zones are only accessible from load balancers on designated ports, and database systems accept connections solely from application servers on specified database ports. For secure hybrid deployments, site-to-site VPN connections are supported using standard IPSec tunnels with pre-shared keys or certificate-based authentication, enabling encrypted communication between on-premises systems and the platform's infrastructure across any environment.
For data protection, the platform enforces comprehensive encryption both at rest and in transit. All sensitive data at rest is encrypted using customer-managed keys (CMKs) via the native key management solution of the chosen environment—whether a cloud provider's KMS or an on-premise HSM. This applies to block storage volumes, databases, and object storage systems. Secure storage and rotation of secrets and configuration values are handled using a centralized secrets management system such as HashiCorp Vault, cloud-native secrets managers, or Kubernetes-native mechanisms. In transit, data is protected through multiple layers: TLS for external traffic terminating at the ingress layer (e.g., load balancers or API gateways), mutual TLS (mTLS) between internal services via a service mesh like Istio, and encrypted communication for internal services using platform-native protocols. Additionally, all internal service communications are secured—even when using private endpoints or internal networks—ensuring sensitive data does not traverse public infrastructure unprotected.
Building on a secure and flexible infrastructure foundation, the platform integrates service mesh capabilities (e.g., Istio) and identity and access management through solutions such as Keycloak or Microsoft Entra ID. This enables application-level security as part of a defense-in-depth strategy, with enforcement across the network, infrastructure, and application layers—regardless of the deployment environment (cloud or on-premise).
- Database placement: Databases should reside outside the Kubernetes cluster for better data persistence, lifecycle management, and performance isolation.
- IAM integration: Identity providers like Microsoft Entra ID and Keycloak can be configured for unified authentication and role-based access control across services.
- GPU requirements: Translation and LLM-related APIs require access to GPU resources with sufficient VRAM to support low-latency inference workloads.
- Custom Resources: Istio introduces Custom resource definitions (CRDs) to extend Kubernetes functionality and enable fine-grained control over service behavior and traffic policies.
- Ingress options: The Istio Ingress gateway can be exposed via a Load Balancer in cloud environments or through NodePort when deployed on-premise or in bare-metal setups.
- Storage performance: Storage classes should use SSD-backed volumes with high IOPS to ensure fast data access and response times, especially for latency-sensitive applications.
- Realtime communication: Client-server interaction is established via WebSocket connections to support low-latency, bidirectional communication.
The platform is designed to fully support on-premise deployments, in addition to cloud-based environments. All key components—including the service mesh, IAM, secrets management, secure ingress, and WebSocket-based APIs—can be deployed within a local data center using Kubernetes or other orchestration platforms. Databases are hosted externally to Kubernetes for better control and durability, and GPU support is provisioned on-premise to serve latency-sensitive AI workloads such as translation and LLM inference.
In hybrid deployments, application workloads, APIs, and user access management are hosted on-premise, while large-scale AI models are accessed securely from the cloud. Communication between the on-premise environment and the cloud model endpoints is encrypted end-to-end using TLS and mTLS where applicable. Site-to-site VPNs or dedicated private links ensure traffic never leaves trusted network boundaries unencrypted. The platform enforces strict identity-based access control for every interaction with cloud-based models, preventing unauthorized access and maintaining data confidentiality even when model inference is offloaded to the cloud.
This hybrid approach combines local control, data residency, and performance, with the scalability and flexibility of cloud-based AI models, making the platform adaptable to strict regulatory or latency-sensitive use cases without compromising security.