Abstract Provisioning resources for network services introduces the conflicting requirement for both deterministic traffic models to isolate and police users, and statistical multiplexing to efficiently utilize and share network resources. We address this issue by introducing two complimentary schemes for QoS management for deterministically policed flows. The first is adversarial mode resource allocation: here we bound the stochastic envelopes of policed flows and achieve a statistically multiplexed QoS-controlled service, even in the case that all flows are independently adversarial, i.e. when all flows are non-collusively behaving in a worst-case manner at all time scales within the constraints of their policing functions. The second scheme is non-adversarial mode, maximum-entropy allocation: here we determine the maximum-entropy stochastic envelopes of policed (but non-worst-case) flows. Consequently, this scheme exploits a further statistical multiplexing gain via a characterization of the “most likely” behavior of policed flows. Our key technique is to study the problem within the domain of deterministic and stochastic traffic envelopes, which allows us to explicitly consider sources with rate variations over multiple time scales, obtain results for any deterministic traffic model, and design accurate admission control tests for buffered priority schedulers. We evaluate the schemes’ performance with experiments using traces of compressed video and single and dual time-scale periodic sources and show that substantial statistical multiplexing gains are achieved.