diff --git a/.policy.yml b/.policy.yml
index d8f732c36..95c0afd59 100644
--- a/.policy.yml
+++ b/.policy.yml
@@ -48,20 +48,22 @@ approval_rules:
       permissions: ["admin", "maintain"]
     if:
       has_author_in:
-        users: [ "svc-excavator-bot" ]
+        users: [ "svc-excavator-bot", "dependabot[bot]" ]
 
   - name: excavator only touched baseline, circle, gradle files, godel files, generated code, go dependencies, docker-compose-rule config or versions.props
     requires:
       count: 0
     if:
       has_author_in:
-        users: [ "svc-excavator-bot" ]
+        users: [ "svc-excavator-bot", "dependabot[bot]" ]
       only_changed_files:
         # product-dependencies.lock should never go here, to force review of all product (SLS) dependency changes
         # this way excavator cannot change the deployability of a service or product via auto-merge
         paths:
           - "changelog/@unreleased/.*\\.yml"
           - "^\\.baseline/.*$"
+          - "^(.+/)?Cargo.toml$"
+          - "^Cargo.lock$"
           - "^\\.circleci/.*$"
           - "^\\.docker-compose-rule\\.yml$"
           - "^.*gradle$"
@@ -83,7 +85,7 @@ approval_rules:
           - "^internal/generated_src/.*"
           - "^gradle-baseline-java/src/main/resources/checkstyle.version$"
       has_valid_signatures_by_keys:
-        key_ids: ["C9AF124A484882E0"]
+        key_ids: ["C9AF124A484882E0", "4AEE18F83AFDEB23"]
 
   - name: excavator only touched config files
     requires: