What does your access control look like?
Once fetched or decrypted, do you protect them in use?
Does frequent access change how you do audit logging?
Do you have per-customer encryption keys?
I'm not sure if this has anything to do with what you're asking about, but I've been wondering if anyone uses the built-in Windows "Credential Manager" and best practices around it.