Enterprise organizations can configure encrypted AI provider keys and an allowed models list on the organization record.
The AI provider keys settings page lets admins store keys used for org-scoped playground, refine, and generation—subject to plan and policy.
Model allowlist enforcement applies on playground/run routes via requireAllowedModel. If a user selects a model outside the allowlist, the API returns a policy-style error.