Sub-millisecond Formal Determinism (SMFD)
- Sub-millisecond Formal Determinism (SMFD) is a governance mechanism that guarantees formally deterministic outcomes and constant O(1) runtime checks for agentic actions.
- It integrates CRDT-based policy synchronization with epoch-based TEE attestation to ensure rapid, convergent policy updates and validated enforcement decisions.
- SMFD drastically reduces governance latency from days to sub-millisecond by preemptively blocking non-compliant actions with formally verified safety invariants.
Sub-millisecond Formal Determinism (SMFD) is a term introduced in the Ethical Hyper-Velocity (EHV) architecture to denote runtime governance enforcement that is simultaneously formally deterministic and temporally bounded below one millisecond per action. In this formulation, the outcome of evaluating an agentic action as PERMIT, DENY, or ESCALATE is fixed by a formally specified and verified enforcement mechanism, while governance latency is reduced from retrospective, audit-driven timescales to constant-time runtime checks inside the inference pipeline. The concept is defined for agentic systems operating under EHV’s combination of CRDT-based policy synchronization, epoch-based attestation caching, and Trusted Execution Environments (TEEs) (Sharma, 18 May 2026).
1. Definition and formal structure
In EHV, SMFD has two inseparable components. The first is formal determinism: non-compliant actions are computationally unreachable because enforcement is specified in TLA+ and validated against a safety invariant. The second is a timing bound: governance decisions are made in time per action, with end-to-end governance latency satisfying under the stated hardware assumptions.
The paper defines Governance Latency as
where is the time of a policy decision and is the time when that policy is actually enforced in the running system. Traditional governance frameworks are described as having days, whereas the EHV target is
The logical side of SMFD is expressed by the global safety invariant
This invariant states that for every action under evaluation, if the action is not valid under the current PolicySet, then the system status must be DENY. The formal claim that non-compliant agentic actions are computationally unreachable is exactly the claim that holds for all reachable states. SMFD therefore is not merely a claim about low-latency filtering; it is the conjunction of a verified safety property and sub-millisecond runtime enforcement (Sharma, 18 May 2026).
2. Architectural mechanisms that realize SMFD
EHV realizes SMFD through three main pillars plus an action parsing layer. The first pillar is a Policy Compiler with CRDTs. Policies are represented as a Join-Semilattice CRDT, specifically an LWW-Element-Set. Each policy update has a logical timestamp 0, and merge obeys the rule that if 1, then 2. The global ethical state is
3
Because the merge operation is associative, commutative, and idempotent, all nodes converge on the same 4 regardless of arrival order or network interleavings. Within SMFD, this removes nondeterminism from policy state.
The second pillar is Epoch-based Attestation Caching in TEEs. Enforcement executes inside a Trusted Execution Environment such as Intel SGX/TDX or AMD SEV-SNP. Because full remote attestation is described as expensive at approximately 5, EHV introduces policy epochs. A policy hash is computed as
6
For each epoch 7, the TEE attests itself, obtains keys plus the current epoch hash, and caches policy constraints inside the TEE. Per-action verification is then reduced to a constant-time hash equality check plus constraint evaluation:
8
The example epoch duration given for healthcare is 9. If the epoch expires and attestation cannot be refreshed, the node fails closed and denies all actions.
The third pillar is PEP relocation into the JIT / inference pipeline. The Policy Enforcement Point is moved into the inference stack, inside the TEE, at the token generation or logits masking stage. The enforcement function is
0
where 1 is a structured candidate action and 2 is the constraint set derived from 3. Invalid tokens or actions are masked by setting 4 for disallowed logits. If DENY is returned, the system enters a Safe Halt State; if ESCALATE is returned, control is routed to a human operator. This makes enforcement pre-execution rather than retrospective.
The associated Action Schema Extraction Layer (ASEL) converts unstructured model text into structured tuples 5. The paper’s example maps “administer 1.5mg/m² Vincristine IV” to 6. The guarantees of SMFD are explicitly conditional on correct ASEL extraction, because the invariant is defined over AgentAction. ASEL itself is not formally verified in this version (Sharma, 18 May 2026).
3. Verification basis and complexity claims
The EHV TLA+ model includes the state variables PolicySet, AgentAction, NetworkState ∈ {CONNECTED, PARTITIONED}, and EnforcementStatus ∈ {PERMIT, DENY, ESCALATE}. These variables model the governance-relevant portion of system state. In addition to the safety invariant 7, the paper defines a liveness property:
8
This requires that every policy update is eventually merged into the local PolicySet through CRDT convergence.
Model checking with TLC reports the following bounded results: States generated: 1,738; Distinct states: 324; Depth: 8; Safety violations: 0; Temporal property violations: 0; Deadlocks: 0. The parameterization is MaxPolicyVersion = 5 and Actions = {safe_dosage, unsafe_dosage, escalate_case}. The authors state that this covers the complete state space for this configuration. Within that bounded model, the claim that non-compliant actions are computationally unreachable is therefore established for all reachable states.
The performance argument for SMFD is explicitly complexity-based. Within an epoch, the per-action enforcement path consists of a fixed-size hash equality check, a lookup of constraints for the given action schema in the constraint set, and runtime evaluation of those constraints. These operations are treated as 9, yielding
0
The paper contrasts this with traditional governance latency of 14–30 days. In the healthcare example, using 1, 2, and 3, the number of unsafe actions during the latency window is calculated as 4. By amortizing the 5 attestation overhead across an epoch and retaining only hash checks and constraint evaluation per action, EHV argues that the enforcement path remains within the sub-millisecond bound (Sharma, 18 May 2026).
4. Determinism under distribution, updates, and network faults
SMFD in EHV is explicitly designed for distributed policy updates. CRDT convergence guarantees that all replicas eventually reach the same global ethical state 6, and because the merge operator is path-independent, the arrival order of updates does not affect the converged policy state. This gives deterministic convergence at the policy level.
Determinism during execution is further stabilized by the epoch model. Within an epoch 7, the TEE has already verified 8 and uses cached constraints for all subsequent actions. New CRDT policy updates that arrive mid-epoch do not alter enforcement until the next epoch or an emergency reset. For any given action within the current epoch, the enforcement decision is therefore a deterministic function of the action schema, the cached constraint set, and the PEP code running inside the TEE.
The main residual issue is staleness, which the paper analyzes as the Epoch Staleness Window (ESW):
9
For 0, the worst-case staleness is approximately 1. The corresponding maximum number of actions that may be governed by the previous policy version is given as approximately 2 actions. Compared to the 14-day legacy example with 3 unconstrained actions, the paper characterizes this as a 5-order-of-magnitude improvement.
Network partitions are handled through fail-closed semantics. If a partition exceeds the epoch duration and new attestation cannot be obtained, then
4
This preserves the safety invariant at the cost of availability. A common misconception addressed directly in the paper is that SMFD would require instantaneous global policy adoption. The paper states that SMFD is a per-decision enforcement property, not a claim of instantaneous global propagation; within the current epoch, enforcement remains sub-millisecond and formally deterministic with respect to the attested snapshot (Sharma, 18 May 2026).
5. Trust model, scope, and limitations
The claimed scope of SMFD is restricted to agentic systems in regulated domains such as healthcare, deployed on TEEs capable of confidential computing, and operating over action spaces that can be represented as structured schemas. Policies must be expressible as CRDT-based rules that are evaluated at runtime.
The trust model assumes that the TEE hardware root of trust is uncompromised, that policy updates are cryptographically signed, that the PEP binary is measured and attested at epoch boundaries, and that network partitions eventually heal under partial synchrony. Inside the TEE, model execution, logits, and PEP logic run in encrypted guest memory, and the PEP is defined as non-bypassable by a compromised OS or application.
The paper enumerates several threats. Policy poisoning (T1) is mitigated with signed updates. TEE side-channels (T2), including Spectre and Foreshadow, are acknowledged; mitigation is described as epoch rotation and attestation refresh, with residual risk classified as medium. Stale epochs (T3) are handled through epoch duration and emergency re-attestation. Network partitions (T4) are handled with fail-closed semantics. Model output obfuscation / prompt injection (T5, T6) are addressed by having the PEP operate on decoded semantics, post-generation.
The limitations are explicit. First, there is TEE dependency: without TEEs, SMFD degrades and the system falls back to out-of-band audit with 5. Second, epoch granularity is domain-specific: shorter epochs reduce staleness but increase attestation cost. Third, there is a semantic gap because ASEL is not formally verified. Fourth, the TLA+ verification is bounded model checking over a small model; extending it to unbounded state spaces via TLAPS and inductive invariants is identified as future work. These qualifications define the practical envelope within which SMFD can be relied upon (Sharma, 18 May 2026).
6. Comparative context and illustrative deployments
EHV positions SMFD against traditional governance frameworks that are described as retrospective and procedural. In the paper’s comparison, the NIST AI RMF provides a lifecycle taxonomy with no mechanistic enforcement, ISO/IEC 42001 is a management system with PDCA audits and 6 days, and the EU AI Act relies on regulatory classification and conformity procedures enforced on human timescales. By contrast, EHV makes governance a runtime property compiled into the inference stack rather than an external audit process (Sharma, 18 May 2026).
The pediatric oncology dosage scenario is the paper’s principal illustration. In the legacy workflow, an FDA dosage reduction from Vincristine 1.5mg/m² to 0.75mg/m² is followed by manual approvals, EHR updates, and retraining, giving 7 days. The paper computes 8 actions during that window and notes that even at 0.03% violation there would be approximately 50,400 toxic recommendations. Under EHV, the new dosage policy is encoded as a CRDT update and propagates in <1s; at the next epoch, TEEs attest and cache the new constraints. ASEL produces a dosage schema, and if 9, then Valid is false and Status = DENY; borderline or context-dependent cases are sent to ESCALATE. A recommendation suggesting 1.5mg/m² is therefore blocked at the PEP before it leaves the TEE. The case study also states that a GBOM (Governance Bill of Materials) binds each recommendation to the policy version, epoch, and enforcement outcome.
A related but distinct use of SMFD appears in the DTVM smart-contract execution framework. DTVM describes a deterministic execution stack built around dWasm, dMIR, a hybrid lazy-JIT, and a trampoline hot-switch mechanism. It reports 0.95–0.96 ms latency to first invocation across 30 PolyBench workloads, while emphasizing deterministic traps, gas metering, and cross-hardware stability. At the same time, the paper explicitly states that fully formal SMFD would still require a full formal semantics of dMIR and dWasm, machine-checked proofs of semantic preservation, and formal WCET analysis. In that sense, DTVM serves as an SMFD-like realization in the smart-contract domain rather than the specific governance-oriented definition introduced by EHV (Zhou et al., 23 Apr 2025).
Within current literature, SMFD therefore denotes a specific architectural synthesis: formal safety invariants, deterministic policy state, hardware-rooted enforcement, and sub-millisecond per-action governance decisions. Its strongest formulation is the EHV claim that invalid actions are unreachable in the modeled state space while enforcement remains constant-time at runtime; its main caveats are bounded verification, TEE dependence, epoch staleness, and the unverified semantic front end represented by ASEL.