Evidence-based application security may be implemented at the application and/or application group levels. A manifest may be provided defining at least one trust condition for the application or application group. A policy manager evaluates application evidence (e.g., an XrML license) for an application or group of applications relative to the manifest. The application is only granted permissions on the computer system if the application evidence indicates that the application is trusted. Similarly, a group of applications are only granted permissions on the computer system if the evidence indicates that the group of applications is trusted. If the application evidence satisfies the at least one trust condition defined by the manifest, the policy manager generates a permission grant set for each code assembly that is a member of the at least one application. Evidence may be further evaluated for code assemblies that are members of the trusted application or application group.