The processing logic may transmit a request for approval to perform the requested operation on the cryptographic item to a set of entities based on a corresponding policy (block 220). As previously discussed, the cryptographic items stored at the key management system may be assigned to a group. Each of the groups may have an associated quorum policy and approving entities. The quorum policy for a particular group may specify which operations require quorum approval for the cryptographic items assigned to the particular group. For example, the policy may specify that any operation that exports, modifies, or deletes a cryptographic item requires quorum approval before that operation is performed. A modification of the quorum policy itself may be approved by the set of entities of a group that is assigned to the quorum policy. In some embodiments, a modification of the quorum policy may be assigned to another set of entities of another group. For example, the modification of the quorum policy may be approved by a higher-level quorum that may be used to approve or reject a modification to a quorum policy that is applied for a lower-level quorum.
The policy may specify a threshold number of approvals that are required before the operation is performed on the cryptographic item. For example, the policy may specify that three approvals from approving entities should be received before the operation is performed on the cryptographic item. In embodiments, the policy may specify different thresholds for different subsets of entities whose approval is required to perform the operation. For example, the policy may specify that three approvals may be received from subset A of the approving entities and/or that two approvals may be received from subset B of the approving entities.
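An added example, not taken from the source text: a small Python evaluator for the quorum policy described above, covering gated operations, per-subset thresholds, and approval of policy changes by the group's own quorum or a higher-level one. The class and function names, the `combine` field that models the "and/or" choice between subsets, and the sample entities and groups are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SubsetRule:
    members: frozenset  # approving entities in this subset
    threshold: int      # distinct approvals required from it

@dataclass(frozen=True)
class QuorumPolicy:
    gated_ops: frozenset       # operations that need quorum approval
    rules: tuple               # one SubsetRule per subset of approvers
    combine: str = "all"       # assumption: "all" = and, "any" = or
    change_approver: str = ""  # group approving edits to this policy; "" = own group

def quorum_met(policy, approvals):
    """True when the distinct approvers satisfy the subset thresholds."""
    voters = set(approvals)  # repeated approvals from one entity count once
    if not policy.rules or any(r.threshold < 1 for r in policy.rules):
        return False  # fail closed on an empty or zero-threshold policy
    met = [len(r.members & voters) >= r.threshold for r in policy.rules]
    if policy.combine == "all":
        return all(met)
    return policy.combine == "any" and any(met)  # unknown mode fails closed

def may_perform(policy, operation, approvals):
    """Operations outside gated_ops proceed without quorum approval."""
    return operation not in policy.gated_ops or quorum_met(policy, approvals)

def may_modify_policy(groups, group_name, approvals):
    """Policy edits need the quorum of the own group or of a higher-level group."""
    approver = groups[group_name].change_approver or group_name
    return quorum_met(groups[approver], approvals)

# Constructed sample data (hypothetical entities and groups)
SUBSET_A = frozenset({"alice", "bob", "carol", "dave"})
SUBSET_B = frozenset({"erin", "frank", "grace"})
GATED = frozenset({"export", "modify", "delete"})
RULES = (SubsetRule(SUBSET_A, 3), SubsetRule(SUBSET_B, 2))
GROUPS = {
    "root": QuorumPolicy(GATED, (SubsetRule(SUBSET_B, 2),)),
    "payments": QuorumPolicy(GATED, RULES, "all", "root"),
}
```

Counting set membership rather than raw approval messages keeps one entity from satisfying a threshold by approving repeatedly, and approvals from entities outside the subset are ignored.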