Because the Diagnostic Controller is not part of the messaging group, no one can send potentially fraudulent messages on the TLS session itself. During the session, no device other than the TLS client and server knows the keys. If the enterprise authorizes use after the fact, the keys are then securely available. The next version will include an API that provides keys in real time to authorized monitoring devices. We follow the best practices in the NIST guidelines for the management of cryptographic keying material.