Ethical Hyper-Velocity (EHV): A Hardware-Rooted Zero-Trust Runtime Enforcement Architecture for Agentic AI Systems

Riddhi Mohan Sharma

arxiv: 2605.17909 · v2 · pith:QSXJTIX4new · submitted 2026-05-18 · 💻 cs.AI · cs.LO

Ethical Hyper-Velocity (EHV): A Hardware-Rooted Zero-Trust Runtime Enforcement Architecture for Agentic AI Systems

Riddhi Mohan Sharma This is my paper

Pith reviewed 2026-05-20 10:10 UTC · model grok-4.3

classification 💻 cs.AI cs.LO

keywords AI governanceJIT compilerformal verificationpolicy enforcementagentic systemsTLA+ verificationsub-millisecond determinism

0 comments

The pith

A governance-aware JIT compiler makes non-compliant AI actions unreachable while enforcing policies in constant time.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper proposes Ethical Hyper-Velocity as a way to embed policy enforcement directly into the just-in-time compilation of AI agent actions. This approach uses synchronized policy data and secure hardware to verify compliance during execution. Through formal modeling, it shows that violating the rules cannot happen in the system's possible states. A reader should care because it promises to let AI systems update their rules quickly without waiting days for audits, while maintaining strong safety assurances. If this holds, it could change how regulated AI is deployed by removing delays in governance.

Core claim

By relocating the policy enforcement point into the inference pipeline of agentic systems through a governance-aware just-in-time compiler, combined with conflict-free replicated data types for policy updates and epoch-based attestation in trusted execution environments, the architecture achieves sub-millisecond formal determinism. TLA+ verification establishes that non-compliant actions are unreachable within the bounded state space, proving that constant-time runtime enforcement can replace slow retrospective auditing without sacrificing integrity.

What carries the argument

The Governance-Aware JIT Compiler that relocates the Policy Enforcement Point into the AI inference pipeline to achieve sub-millisecond formal determinism.

If this is right

Non-compliant agentic actions are computationally unreachable within the bounded operating state space.
O(1) runtime enforcement eliminates the trade-off between deployment velocity and governance integrity.
Governance Latency reduces from O(days) to O(1).
Policy synchronization via CRDTs and attestation caching in TEEs support the formal guarantees.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

This approach could support real-time adaptation of governance rules in deployed agentic systems without introducing latency.
Extensions might include applying the same relocation of enforcement points to other computational domains requiring high-assurance safety.
Practical validation would involve measuring actual enforcement times on hardware implementations of the described architecture.

Load-bearing premise

The assumption that moving the Policy Enforcement Point into the inference pipeline via a Governance-Aware JIT Compiler with CRDT synchronization and Epoch-based Attestation Caching in TEEs can deliver sub-millisecond formal determinism while preserving formal guarantees without new vulnerabilities or overheads.

What would settle it

A TLA+ model checker run on the system specification that finds a reachable state in which a non-compliant agentic action occurs would falsify the central claim.

Figures

Figures reproduced from arXiv: 2605.17909 by Riddhi Mohan Sharma.

**Figure 2.** Figure 2: System Architecture mapping the complete mediation pattern. The PEP intercepts unmasked logits inside encrypted guest memory, structurally [PITH_FULL_IMAGE:figures/full_fig_p004_2.png] view at source ↗

**Figure 3.** Figure 3: Multi-Agent Causal Provenance. The Reference Monitor extracts a [PITH_FULL_IMAGE:figures/full_fig_p005_3.png] view at source ↗

read the original abstract

As autonomous agentic systems scale across regulated critical infrastructures, the lack of mechanistic, hardware-rooted enforcement for high-frequency policy updates presents a fundamental safety gap. We present Ethical Hyper-Velocity (EHV), a governance-aware runtime enforcement architecture for agentic systems that combines Grammar-Constrained Decoding (GCD) for inline policy-constrained token generation, Causal Graph CRDT-based policy synchronization with vector-clock ordering, hardware-attested execution in Trusted Execution Environments (TEEs), and OSCAL-formatted machine-readable audit logging. Unlike retrospective auditing frameworks (ISO/IEC 42001, NIST AI RMF) that introduce 14-30 day policy latencies, EHV relocates the Policy Enforcement Point (PEP) into the inference pipeline via a Governance-Aware Just-In-Time (JIT) Compiler. Under explicitly stated assumptions, the architecture reduces enforcement latency, improves traceability, and supports formal verification of safety invariants in a bounded model. We demonstrate via TLA+ model checking that non-compliant agentic actions were unreachable in the verified bounded operating state space (1,738 states generated, 324 distinct, depth 8, zero violations). Under these conditions, O(1) runtime enforcement reduces the traditional trade-off between deployment velocity and governance integrity, targeting Governance Latency from O(days) toward O(1). EHV's differentiating contribution is the integration of GCD, Causal CRDT, TEE attestation caching, and bounded formal verification into a single, hardware-rooted enforcement architecture -- a combination not achieved by any contemporaneous system. The architecture is demonstrated through a pediatric oncology dosage use case, with applicability to regulated critical infrastructures including healthcare, financial compliance, and critical infrastructure control.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 1 minor

Summary. The paper introduces Ethical Hyper-Velocity (EHV), a novel architectural framework for runtime formal verification of AI governance policies in agentic systems. It relocates the Policy Enforcement Point into the inference pipeline via a Governance-Aware JIT Compiler, integrating CRDTs for policy synchronization and Epoch-based Attestation Caching in TEEs to achieve Sub-millisecond Formal Determinism (SMFD). The authors claim TLA+ verification proves non-compliant agentic actions are computationally unreachable in a bounded operating state space and that O(1) runtime enforcement eliminates the deployment velocity vs. governance integrity trade-off, reducing latency from O(days) to O(1).

Significance. If the TLA+ verification and sub-millisecond performance claims are substantiated with explicit models and data, this could be a significant contribution to AI safety and governance for regulated critical infrastructures. Embedding formal methods directly into the JIT inference pipeline to achieve provable, low-latency compliance would address a real gap left by retrospective frameworks like ISO/IEC 42001 and NIST AI RMF.

major comments (3)

Abstract: The central claim that 'We demonstrate via TLA+ formal verification that non-compliant agentic actions are computationally unreachable within the system's bounded operating state space' is unsupported by any TLA+ module, invariant definitions, TLC configuration, or state-space cardinality results. This is load-bearing because the verification requires explicit modeling of JIT translation steps, policy-checking logic, CRDT/TEE synchronization, and LLM token generation to confirm the state space remains finite and non-compliant actions unreachable.
Abstract: The assertion of O(1) runtime enforcement and reduction of Governance Latency from O(days) to O(1) via the Governance-Aware JIT Compiler, CRDT synchronization, and Epoch-based Attestation Caching lacks any performance measurements, overhead analysis, or discussion of how sub-millisecond latency is preserved without introducing new vulnerabilities. This directly undermines the claimed elimination of the velocity-integrity trade-off.
Abstract: The manuscript provides no account of how the formal model encodes LLM inference or JIT semantics while maintaining a bounded state space, as required for the TLA+ claim. Without this, it is impossible to assess whether the model abstracts away the inference pipeline or simply assumes perfect enforcement.

minor comments (1)

The acronym SMFD is introduced in the abstract without an explicit expansion on first use.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive and detailed review. The comments correctly identify that the current manuscript presents key claims at a high level without sufficient supporting artifacts. We will make major revisions to address each point by adding explicit formal specifications, performance data, and modeling details.

read point-by-point responses

Referee: Abstract: The central claim that 'We demonstrate via TLA+ formal verification that non-compliant agentic actions are computationally unreachable within the system's bounded operating state space' is unsupported by any TLA+ module, invariant definitions, TLC configuration, or state-space cardinality results. This is load-bearing because the verification requires explicit modeling of JIT translation steps, policy-checking logic, CRDT/TEE synchronization, and LLM token generation to confirm the state space remains finite and non-compliant actions unreachable.

Authors: We accept the observation. The manuscript describes the TLA+ approach conceptually but does not include the actual modules or configurations. In revision we will add an appendix containing the complete TLA+ specifications, the key invariants, the TLC configuration, and a state-space cardinality analysis. The model will explicitly represent JIT translation steps, policy-checking logic, CRDT/TEE synchronization, and a finite abstraction of token generation to demonstrate that non-compliant actions are unreachable. revision: yes
Referee: Abstract: The assertion of O(1) runtime enforcement and reduction of Governance Latency from O(days) to O(1) via the Governance-Aware JIT Compiler, CRDT synchronization, and Epoch-based Attestation Caching lacks any performance measurements, overhead analysis, or discussion of how sub-millisecond latency is preserved without introducing new vulnerabilities. This directly undermines the claimed elimination of the velocity-integrity trade-off.

Authors: We agree that empirical support is currently missing. The O(1) claim follows from the architectural placement of checks inside the JIT pipeline together with TEE caching, but no measurements are provided. We will add a new evaluation section that reports simulated and measured end-to-end latencies, quantifies CRDT and attestation overheads, and discusses side-channel and synchronization vulnerabilities that could affect sub-millisecond determinism. revision: yes
Referee: Abstract: The manuscript provides no account of how the formal model encodes LLM inference or JIT semantics while maintaining a bounded state space, as required for the TLA+ claim. Without this, it is impossible to assess whether the model abstracts away the inference pipeline or simply assumes perfect enforcement.

Authors: This criticism is accurate. The current text does not detail the abstractions used to keep the state space finite. In the revised manuscript we will expand the formal-model section to specify that LLM inference is represented as a finite sequence of token-production steps, each guarded by a policy check, and that JIT compilation is modeled as deterministic, bounded rewrite rules. We will show how these abstractions, combined with the policy invariants, render non-compliant paths unreachable while preserving a finite overall state space. revision: yes

Circularity Check

0 steps flagged

No significant circularity; claims rely on external formal methods and standard technologies

full rationale

The paper introduces EHV as a new architectural framework that relocates policy enforcement into the inference pipeline using CRDTs for synchronization and TEEs for attestation caching. The central claim of proving non-compliant actions unreachable via TLA+ formal verification in a bounded state space is presented as a demonstration using an external specification language and model checker. No equations, self-citations, or definitions in the abstract reduce the result to the architecture by construction. The referenced technologies (TLA+, CRDTs, TEEs) and standards (ISO/IEC 42001, NIST AI RMF) are independent external elements, keeping the derivation self-contained against external benchmarks rather than tautological.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 1 invented entities

The central claims rest on several domain assumptions about bounded state spaces and hardware integration that are not independently evidenced in the provided abstract; no explicit free parameters are fitted to data.

axioms (2)

domain assumption The operating state space of the agentic system is bounded and fully capturable in a TLA+ model such that non-compliant actions are unreachable.
Directly invoked to support the claim that non-compliant actions are computationally unreachable.
ad hoc to paper CRDT synchronization and TEE-based attestation caching can be integrated into the JIT compiler without violating the sub-millisecond formal determinism guarantee.
Required for the claimed SMFD but not justified in the abstract.

invented entities (1)

Ethical Hyper-Velocity (EHV) architecture no independent evidence
purpose: To relocate policy enforcement into the inference pipeline for O(1) governance latency
New named framework introduced to achieve the stated goals.

pith-pipeline@v0.9.0 · 5722 in / 1506 out tokens · 58557 ms · 2026-05-20T10:10:13.350631+00:00 · methodology

discussion (0)

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

IndisputableMonolith/Foundation/RealityFromDistinction.lean reality_from_one_distinction unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

We demonstrate via TLA+ formal verification that non-compliant agentic actions are computationally unreachable within the system's bounded operating state space.
IndisputableMonolith/Foundation/AbsoluteFloorClosure.lean absolute_floor_iff_bare_distinguishability unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

Safety Invariant Ig ≜ ∀a∈AgentAction: ¬Valid(a,PolicySet) ⟹ Status=DENY

What do these tags mean?

matches: The paper's claim is directly supported by a theorem in the formal canon.
supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses: The paper appears to rely on the theorem as machinery.
contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.