diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index cbb7d19cc29db..9d1937d7a8af6 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1975,8 +1975,8 @@ x-pack/platform/plugins/private/cloud_integrations/cloud_full_story/server/confi
 /.github/codeql @elastic/kibana-security
 /.github/workflows/codeql.yml @elastic/kibana-security
 /.github/workflows/codeql-stats.yml @elastic/kibana-security
+/.github/workflows/enforce-dependency-review.yml @elastic/kibana-security
 /.github/workflows/evaluate-dependency-health.yml @elastic/kibana-security
-/.github/workflows/auto-approve-renovate-updates.yml @elastic/kibana-security
 /src/dev/eslint/security_eslint_rule_tests.ts @elastic/kibana-security
 /src/core/server/integration_tests/config/check_dynamic_config.test.ts @elastic/kibana-security
 /src/platform/plugins/shared/telemetry/server/config/telemetry_labels.ts @elastic/kibana-security
@@ -2757,9 +2757,6 @@ src/platform/testfunctional/page_objects/solution_navigation.ts @elastic/appex-s
 /x-pack/test_serverless/functional/page_objects/svl_sec_landing_page.ts @elastic/appex-sharedux
 /x-pack/test_serverless/functional/test_suites/security/ftr/navigation.ts @elastic/appex-sharedux
 
-# Root package.json file
-/package.json @elastic/kibana-security @kibanamachine
-
 # OpenAPI spec files
 oas_docs/.spectral.yaml @elastic/platform-docs
 oas_docs/kibana.info.serverless.yaml @elastic/platform-docs
diff --git a/.github/workflows/auto-approve-renovate-updates.yml b/.github/workflows/auto-approve-renovate-updates.yml
deleted file mode 100644
index 2945379c93949..0000000000000
--- a/.github/workflows/auto-approve-renovate-updates.yml
+++ /dev/null
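Review bot: Removing `/package.json @elastic/kibana-security @kibanamachine` in the second hunk takes the dependency manifest out of code-owner review, and the only replacement in this commit is the new `enforce-dependency-review.yml` workflow; unless that workflow's `analyze` job is configured as a required status check on `main`, a PR that edits package.json can now merge without any security-team gate. The ownership line was presumably what let the now-deleted auto-approve workflow satisfy the review for renovate PRs, so dropping it alongside that workflow is consistent, but the hunk leaves no trace of where the review moved. A one-line comment in place of the removed block, e.g. `# /package.json: dependency changes are reviewed by .github/workflows/enforce-dependency-review.yml`, would make the absence of an owner visibly intentional.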
@@ -1,20 +0,0 @@
-on: - pull_request_target: - branches: - - main - types: - - opened - -jobs: - approve: - name: Auto-approve renovate bot PRs - runs-on: ubuntu-latest - if: | - startsWith(github.event.pull_request.head.ref, 'renovate') && - github.actor == 'elastic-renovate-prod[bot]' - permissions: - pull-requests: write - steps: - - uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # v4.0.0 - with: - github-token: ${{ secrets.KIBANAMACHINE_TOKEN }}
diff --git a/.github/workflows/enforce-dependency-review.yml b/.github/workflows/enforce-dependency-review.yml
new file mode 100644
index 0000000000000..fa549c3e36ddb
--- /dev/null
+++ b/.github/workflows/enforce-dependency-review.yml
@@ -0,0 +1,39 @@
+name: Enforce Dependency Review + on: + pull_request_target: + types: [opened, reopened, synchronize] + paths: + - 'package.json' + branches: + - 'main' + + jobs: + analyze: + name: Analyze new dependencies + runs-on: ubuntu-latest + if: | + github.repository == 'elastic/kibana' && + github.actor != 'elastic-renovate-prod[bot]' + steps: + - name: Checkout kibana-operations + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + repository: 'elastic/kibana-operations' + ref: main + path: ./kibana-operations + token: ${{secrets.KIBANAMACHINE_TOKEN}} + + - name: Run dependency security review + working-directory: ./kibana-operations/triage + env: + GITHUB_TOKEN: ${{secrets.KIBANAMACHINE_TOKEN}} + PR_NUMBER: ${{ github.event.pull_request.number }} + REPO_OWNER: ${{ github.repository_owner }} + REPO_NAME: ${{ github.event.repository.name }} + HEAD_SHA: ${{ github.event.pull_request.head.sha }} + BASE_SHA: ${{ github.event.pull_request.base.sha }} + EVENT_NAME: ${{ github.event_name }} + run: | + npm ci --omit=dev + node enforce-dependency-review.js
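Review bot: The new `analyze` job in `enforce-dependency-review.yml` declares no `permissions:` block, so it runs with the repository's default `GITHUB_TOKEN` grant even though every step authenticates with `KIBANAMACHINE_TOKEN`; on a `pull_request_target` trigger, which exposes secrets to PRs from forks, the job should claim the least it needs, e.g. `permissions: {}` (or `contents: read`) under `analyze:`. Relatedly, the script that runs with that PAT is fetched from `elastic/kibana-operations` at `ref: main`, a mutable branch, while the checkout action itself is SHA-pinned; pinning `ref:` to a commit makes the code that receives `KIBANAMACHINE_TOKEN` reviewable the same way. The PR head is never checked out here, so the usual pwn-request exposure of `pull_request_target` appears contained as long as `enforce-dependency-review.js` only reads the PR through the API — that script is outside this diff, so that is worth confirming. Finally, the `paths: package.json` filter means only the root manifest triggers the review; if workspace package.json files or the lockfile can also introduce dependencies in this repository, those changes bypass the check.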