diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7056120..328093b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -160,6 +160,19 @@ jobs:
 with:
 token: ${{ secrets.GITHUB_TOKEN }}

+ # Dependency policy checks across all execution paths
+ cargo-deny:
+ name: Cargo Deny
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+ - uses: actions-rust-lang/setup-rust-toolchain@v1
+ - uses: Swatinem/rust-cache@v2
+ - name: Install cargo-deny
+ run: cargo install --locked cargo-deny
+ - name: Run cargo-deny checks
+ run: cargo deny check all
+
 # Benchmarks (only on the main branch)
 bench:
 name: Benchmarks
diff --git a/.github/workflows/maintenance.yml b/.github/workflows/maintenance.yml
index 3082040..16b7e2d 100644
--- a/.github/workflows/maintenance.yml
+++ b/.github/workflows/maintenance.yml
@@ -12,21 +12,28 @@ permissions:
 contents: read

 jobs:
- security-audit:
- name: Security Audit
+ # Weekly dependency policy drift check.
+ dependency-policy:
+ name: Dependency Policy (cargo-deny)
 runs-on: ubuntu-latest
+ timeout-minutes: 20
 steps:
 - uses: actions/checkout@v6
- - uses: rustsec/audit-check@v2
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
+ - uses: actions-rust-lang/setup-rust-toolchain@v1
+ - uses: Swatinem/rust-cache@v2
+ - name: Install cargo-deny
+ run: cargo install --locked cargo-deny
+ - name: Check advisories, bans, licenses, and sources
+ run: cargo deny check all

+ # Weekly toolchain drift check against latest stable.
 latest-stable-smoke:
 name: Latest Stable Smoke
 runs-on: ubuntu-latest
+ timeout-minutes: 30
 steps:
 - uses: actions/checkout@v6
 - uses: actions-rust-lang/setup-rust-toolchain@v1
 - uses: Swatinem/rust-cache@v2
- - name: Build and test
- run: cargo test --all-features --all-targets
+ - name: Build and test workspace
+ run: cargo test --workspace --all-features --all-targets
diff --git a/Cargo.toml b/Cargo.toml
index 55a978a..37b0863 100644
--- a/Cargo.toml
+++ b/Cargo.toml
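Review bot: The `Install cargo-deny` step of the new `cargo-deny` job in `ci.yml` runs `cargo install --locked cargo-deny` without a version, so each run builds whatever release is newest; `--locked` only fixes that release's own dependency versions. A new cargo-deny release can therefore change what the gate accepts, or how `deny.toml` is read, without any commit to this repository. Pin the tool with `run: cargo install --locked cargo-deny --version <PINNED_VERSION>` and raise it in a reviewed change; the `dependency-policy` job in `maintenance.yml` has the same step. The CI job also lacks the `timeout-minutes` that the maintenance job sets, and the two third-party actions are referenced by movable tags (`@v1`, `@v2`) rather than a commit SHA.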
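Review bot: In `maintenance.yml`, swapping `rustsec/audit-check@v2` for `cargo deny check all` in the scheduled `dependency-policy` job changes how a new advisory surfaces. The removed step was passed `token: ${{ secrets.GITHUB_TOKEN }}`, presumably so it could report findings back to the repository, while the new step can only fail the weekly run. Whether a failed scheduled run reaches a maintainer is not visible in this hunk, so confirm that before relying on it as the advisory alert. A comment above the job such as `# Fails the run on new advisories; nothing is filed automatically, so watch scheduled-run failures.` would record the intent.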
@@ -83,7 +83,7 @@ parking_lot = { version = "0.12", optional = true }
 rustc-hash = "2.1"

 [dev-dependencies]
-bench-support = { path = "bench-support" }
+bench-support = { path = "bench-support", version = "0.1.0" }
 criterion = "0.8"
 dhat = "0.3"
 lru = "0.16"
diff --git a/bench-support/Cargo.toml b/bench-support/Cargo.toml
index 99cf292..9c0634b 100644
--- a/bench-support/Cargo.toml
+++ b/bench-support/Cargo.toml
@@ -9,7 +9,7 @@ name = "render_docs"
 path = "src/bin/render_docs.rs"

 [dependencies]
-cachekit = { path = "..", features = ["policy-all"] }
+cachekit = { path = "..", version = "0.4.0", features = ["policy-all"] }
 criterion = "0.8"
 rand = "0.10"
 rand_distr = "0.6"
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 0000000..bfe2092
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,57 @@
+[licenses]
+confidence-threshold = 0.93
+unused-allowed-license = "warn"
+include-build = true
+include-dev = true
+allow = [
+ "MIT",
+ "Apache-2.0",
+]
+
+[licenses.private]
+ignore = true
+
+[[licenses.exceptions]]
+crate = "unicode-ident"
+allow = ["Unicode-3.0"]
+
+[[licenses.exceptions]]
+crate = "foldhash"
+allow = ["Zlib"]
+
+[graph]
+targets = [
+ "x86_64-unknown-linux-gnu",
+ "x86_64-apple-darwin",
+ "aarch64-apple-darwin",
+ "x86_64-pc-windows-msvc",
+]
+all-features = true
+exclude-dev = false
+
+[advisories]
+ignore = []
+
+[bans]
+multiple-versions = "deny"
+wildcards = "deny"
+highlight = "all"
+workspace-default-features = "allow"
+external-default-features = "allow"
+allow = []
+deny = []
+skip = []
+skip-tree = []
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = [
+ "https://github.com/rust-lang/crates.io-index",
+]
+allow-git = []
+
+[sources.allow-org]
+github = []
+gitlab = []
+bitbucket = []
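Review bot: Adding `version = "0.1.0"` to the `bench-support` dev-dependency in `Cargo.toml` changes what is packaged. Cargo strips a path-only dev-dependency from the published manifest but keeps one that carries a version. If `cachekit` is published, `bench-support` 0.1.0 would then have to be resolvable from the registry, and the `bench-support/Cargo.toml` hunk makes that crate depend back on `cachekit` 0.4.0. That second requirement also has to be raised by hand on every incompatible `cachekit` version bump, or the path dependency stops resolving. If the versions were added only to satisfy `wildcards = "deny"`, it may be simpler to keep both entries path-only and set `allow-wildcard-paths = true` under `[bans]` in `deny.toml`; otherwise add a comment such as `# version required by cargo-deny wildcards = "deny"; keep in sync with bench-support/Cargo.toml`.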
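Review bot: The `[advisories]` table in `deny.toml` sets only `ignore = []`, so the handling of yanked crate versions falls back to the tool default, which as far as I know is `warn` rather than a failure. Because both workflows install an unpinned cargo-deny, state the intent in the file with `yanked = "deny"` under `[advisories]`. Each `[[licenses.exceptions]]` entry would also benefit from a one-line comment saying why the extra licence is accepted, for example `# foldhash is Zlib-licensed; accepted as permissive`. That lets a later reviewer tell a deliberate exception from drift. Note that `[graph] targets` limits every check to the four listed triples, so dependencies pulled in only for other targets are not evaluated.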