REGISTRIES & KEY VAULT
Know what exists, who owns it, what it can access.
AI governance fails when inventory is fragmented. Kosmoy keeps platform objects in registries — connected to ownership, risk, permissions, runtime status, and evidence. One place. One source of truth.
Core registries.
AI Systems Registry
Systems that integrate one or more AI models. Captures the system as a whole.
Model Registry
Approved LLMs, SLMs, embedding models, fine-tuned models. Provider, version, deployment, approval metadata.
Agent Registry
Every assistant or agent — internal in Capsules, external on Foundry/Bedrock. Owner, runtime type, status, permissions.
MCP Server Registry
Approved MCP servers. Capabilities exposed, access rules, logging requirements.
Tool & Connector Registry
Approved SaaS tools, HTTPS endpoints, data sources, vector databases, internal APIs.
Credential Profiles
Auth profiles for LLM providers, MCPs, tools — managed centrally, rotated, audited.
Dataset Registry
Approved datasets, owners, classification, retention.
AI Key Vault
API keys never reach the application.
Developers call Kosmoy. Kosmoy holds the destination credentials and uses them on the application’s behalf. Rotated centrally; audited centrally.
- API keys never reach end users
- Provider credentials held centrally
- Rotation policies, audited access
- Short-lived runtime credentials for Capsules
- Encrypted at rest in customer-controlled storage
- RBAC on key access by team and use case
Module questions, answered straight.
Is the Key Vault a separate product?
It's part of the Kosmoy platform. Credential profiles for every AI provider, MCP server, tool and integration are managed centrally and used by the Gateway and the Action Plane.
Can it integrate with our existing secrets manager?
Yes. The Key Vault can sync from Vault by HashiCorp, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, and similar. Kosmoy stays the operational layer; the secret of record stays where it is.
What about per-tenant or per-environment scoping?
Standard. Credential profiles are scoped by tenant, environment, use case, and time-to-live. The same Gateway can use a sandbox key in dev and a production key in prod, with the right one selected at request time.
How do registries relate to the Key Vault?
Registries hold the metadata (what exists, who owns it, what it can access). The Key Vault holds the credentials needed to actually call the things the registries describe. Together they cover identity and authorization for every AI call.
See the registries and Key Vault in production.
Walk through ownership, credentials, runtime links, and audit trail.
