The admin control plane supports company agent configuration and provider keys. Provider keys are handled as protected server-side material, and admin APIs return metadata rather than exposing raw key values.
For shared AI secrets, the vault model stores opaque ciphertext and per-user wrapped keys. Wrapping happens client-side, while the server orchestrates custody, re-wrap operations, and audit records.