Skip to content

Enterprise

You have seen how to consume and produce primitives. This section is for teams that need to control which primitives are allowed, how they are secured, and how compliance is maintained at scale. It delivers APM’s third promise: every AI package your developers install is governed by org policy before it touches disk.

Read it as five phases. Most teams move through them in order; jump to the phase you are in.

Build the case and plan the rollout.

  • Making the case — problem-at-scale narrative, talking points by audience, objection handling, sample RFC, ROI framework.
  • Adoption playbook — phased rollout from pilot team to organization-wide, with milestones, success metrics, and rollback options.

Understand the install-time security model and the execution-trust surfaces.

  • Security model — pre-deploy gate, content scanners, hidden-Unicode threat model, integrity, provenance, and the MCP trust boundary. Read verbatim by procurement and security reviewers.
  • Lifecycle scripts — custom actions at install/update/uninstall, and the trust model that decides what runs and who authorizes it.

Write apm-policy.yml and test it before it bites.

  • Policy files — conceptual model of apm-policy.yml plus your first policy in 20 minutes.
  • Policy pilot — the warn-then-block rollout so a new rule does not break every repo on day one.
  • Policy reference — complete schema for every field.

Make the policy authoritative on every pull request.

  • Enforce in CI — wire apm audit --ci as a required check.
  • Drift detection — the eight non-bypassable lockfile baselines and what each catches.
  • GitHub rulesets — the GitHub-side config that makes the check unbypassable.

Run governance at organization scale.

  • Registry proxy — route all dependency traffic through Artifactory or a compatible proxy; air-gapped CI playbook.
  • Governance deep-dive — the full trust contract: bypass surfaces, install-gate guarantees, audit-log schema, known gaps. The due-diligence reference for a CISO deciding to make apm audit --ci a required check.