CPC H04L 63/0263 (2013.01) [G05B 19/05 (2013.01); G06Q 10/0875 (2013.01); H04L 12/4641 (2013.01); H04L 41/0803 (2013.01); H04L 41/0893 (2013.01); H04L 43/026 (2013.01); H04L 47/20 (2013.01); H04L 47/2441 (2013.01); H04L 47/323 (2013.01); H04L 63/20 (2013.01)]
17 Claims
1. A method comprising:
receiving, at a networking device in a network, a policy for an endpoint device in the network, the policy specifying one or more component tags and one or more activity tags that were assigned to the endpoint device based on deep packet inspection of traffic associated with the endpoint device, wherein the one or more component tags that were assigned to the endpoint device are indicative of at least one of: a device type of the endpoint device or software executed by the endpoint device;
identifying, by the networking device, a set of tags for a particular traffic flow in the network associated with the endpoint device based on receiving, from a telemetry exporter in the network, a traffic flow record for the particular traffic flow, wherein the set of tags are embedded in the traffic flow record, and wherein the set of tags comprises one or more component tags or activity tags associated with the particular traffic flow;
making, by the networking device, a determination that the particular traffic flow violates the policy based on the set of tags for the particular traffic flow comprising a tag that is not in the policy, wherein the determination that the particular traffic flow violates the policy is made by comparing the set of tags for the particular traffic flow with the one or more component tags and the one or more activity tags specified by the policy; and
initiating, by the networking device and based on the determination that the particular traffic flow violates the policy, a corrective measure with respect to the particular traffic flow.
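The comparison step of claim 1, as an added worked example rather than any code from the patent or its assignee: a policy for one endpoint carries its component and activity tags, each flow record from the exporter arrives with tags embedded in it, and a flow is judged to violate the policy exactly when its tag set contains a tag the policy does not list. The key=value record format, the `component:`/`activity:` prefixes, the `Policy`/`FlowRecord` names and the action names `drop_flow`/`quarantine_endpoint` are this example's assumptions, and the PLC records are constructed sample input.

```python
# Added illustration of the claim's tag-based flow check. Not the patent's
# implementation; record format, tag prefixes and action names are assumptions.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Policy:
    """Policy received at the networking device for one endpoint."""
    endpoint_id: str
    component_tags: FrozenSet[str]   # device type / software the DPI stage identified
    activity_tags: FrozenSet[str]    # behaviours the DPI stage observed

    def allowed(self) -> FrozenSet[str]:
        return self.component_tags | self.activity_tags


@dataclass(frozen=True)
class FlowRecord:
    """One flow record from the telemetry exporter, with tags embedded."""
    endpoint_id: str
    src: str
    dst: str
    dport: int
    proto: str
    tags: FrozenSet[str]


def parse_record(line: str) -> FlowRecord:
    """Parse a constructed key=value export line (assumed format, not IPFIX)."""
    kv: Dict[str, str] = {}
    for tok in line.split():
        k, _, v = tok.partition("=")
        kv[k] = v
    tags = frozenset(t for t in kv.get("tags", "").split(",") if t)
    return FlowRecord(kv["endpoint"], kv["src"], kv["dst"],
                      int(kv["dport"]), kv["proto"], tags)


def violating_tags(policy: Policy, rec: FlowRecord) -> FrozenSet[str]:
    """Tags embedded in the flow that the endpoint's policy does not list."""
    return rec.tags - policy.allowed()


def evaluate(policy: Policy, rec: FlowRecord) -> Dict[str, object]:
    """Compare the flow's tag set with the policy and choose a corrective measure.

    Action choice is this example's assumption: an unexpected component tag
    means the endpoint itself looks different from what the policy describes
    (quarantine it); an unexpected activity tag alone means only this flow is
    out of policy (drop the flow)."""
    if rec.endpoint_id != policy.endpoint_id:
        raise ValueError("policy/record endpoint mismatch")
    bad = violating_tags(policy, rec)
    if not bad:
        return {"violation": False, "action": "allow", "tags": bad}
    if any(t.startswith("component:") for t in bad):
        action = "quarantine_endpoint"
    else:
        action = "drop_flow"
    return {"violation": True, "action": action, "tags": bad}


def enforce(policy: Policy, lines: List[str]) -> List[Dict[str, object]]:
    """Run every exported record for the endpoint through the policy check."""
    return [evaluate(policy, parse_record(ln)) for ln in lines]


# Constructed sample: a PLC that the DPI stage tagged as a Modbus device that
# only reads registers and talks NTP.
PLC_POLICY = Policy(
    "plc-17",
    frozenset({"component:plc", "component:modbus-fw-2.1"}),
    frozenset({"activity:modbus-read", "activity:ntp"}),
)

SAMPLE_RECORDS = [
    "endpoint=plc-17 src=10.0.0.17 dst=10.0.1.9 dport=502 proto=tcp "
    "tags=component:plc,activity:modbus-read",
    "endpoint=plc-17 src=10.0.0.17 dst=10.0.1.9 dport=502 proto=tcp "
    "tags=component:plc,activity:modbus-write",
    "endpoint=plc-17 src=10.0.0.17 dst=198.51.100.8 dport=443 proto=tcp "
    "tags=component:plc,component:http-client,activity:tls",
]

if __name__ == "__main__":
    for result in enforce(PLC_POLICY, SAMPLE_RECORDS):
        print(result)
```

The first constructed record matches the policy and is allowed; the second carries an activity tag (`activity:modbus-write`) the policy never assigned, so only that flow is dropped; the third carries a component tag (`component:http-client`) that contradicts what the endpoint is supposed to be, which is the case where acting on the endpoint rather than the single flow is the more defensible measure.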