First off, welcome to the IS Stack Exchange!
However, if the third party makes a secret copy, then they can covertly sell it for large amounts of money.
The thing about this is that when it comes to a pivotal and highly valued asset such as said key, it should never be,
by a third-party vendor. These processes, if possible, should be done internally.
Let’s say you do want to task a third-party vendor with deleting said assets: it should be done with automation, and human/employee interaction should be limited or kept to the bare minimum.
Another solution would be another layer of encryption on this already encrypted key, so that even if the vendor were to lay their eyes on this key, it wouldn’t mean much to them; only your organization can see it. But this kinda renders the purpose of the third-party vendor a tad bit redundant.