Cloudsmith built Enterprise Policy Management (EPM) on Open Policy Agent (OPA), using Rego to define policies as code. Policies control how packages move through systems, and because they are code they are versioned, reviewable, and enforceable. EPM draws on extensive metadata collected from artifacts, including format, version, tags, license, vulnerability and malware scan results, and digital signatures, and policies tap into this data to take action based on what matters to each team.

The policy code uses Rego rules to evaluate multiple risk indicators across all known vulnerabilities for a package, including CVSS and EPSS scores, patch availability, and CVE exclusion. A policy checks whether a vulnerability exceeds the configured CVSS and EPSS thresholds and is older than a specified age threshold before triggering an action. Cloudsmith then performs automated actions in response to the trigger, such as tagging the package as "risky" or quarantining it.

The API offers instructions for managing policies with EPM, including simulating policies without enforcing them, while the decision log provides a transparent record of what happened and why.
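As an added illustration, not Cloudsmith's own EPM policy code, the following Rego policy applies the combination of checks described above (CVSS and EPSS thresholds, vulnerability age, patch availability, CVE exclusion) and emits a decision that explains itself. The input shape, the threshold names, and the action names are assumptions for this example; EPM's real input schema and configuration are not shown on this page.

```rego
package cloudsmith_epm_example

import rego.v1

# Assumed thresholds; a real EPM policy takes these from its own configuration.
cvss_threshold := 7.0
epss_threshold := 0.5
min_age_days := 30

# Assumed input document (constructed for this example, not Cloudsmith's schema):
#   input.evaluated_at                 RFC 3339 timestamp of this evaluation
#   input.excluded_cves                CVE ids the team has chosen to ignore
#   input.package.vulnerabilities[_]   objects with id, cvss_score, epss_score,
#                                      published (RFC 3339) and fixed_version
#                                      (null when no patch exists)

# Every vulnerability that crosses all configured thresholds and is not excluded.
risky_vulns contains vuln.id if {
	some vuln in input.package.vulnerabilities
	not vuln.id in input.excluded_cves
	vuln.cvss_score >= cvss_threshold
	vuln.epss_score >= epss_threshold
	age_days(vuln.published) > min_age_days
}

# Age of a vulnerability in days relative to the evaluation time.
age_days(published) := (time.parse_rfc3339_ns(input.evaluated_at) - time.parse_rfc3339_ns(published)) / (24 * 60 * 60 * 1000000000)

patch_available(id) if {
	some vuln in input.package.vulnerabilities
	vuln.id == id
	vuln.fixed_version != null
}

any_patch_available if {
	some id in risky_vulns
	patch_available(id)
}

# Quarantine when a risky finding has a fix the consumer could upgrade to;
# otherwise only tag the package so it stays visible but usable.
default action := "allow"

action := "quarantine" if any_patch_available

action := "tag_risky" if {
	count(risky_vulns) > 0
	not any_patch_available
}

# Decision document for the decision log: what happened and why.
decision := {"action": action, "risky_vulnerabilities": risky_vulns}
```

Evaluating `data.cloudsmith_epm_example.decision` with `opa eval` against a constructed input lets the policy be simulated before it is enforced, as the text describes; the returned set of ids is the "why" for the chosen action.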