the docs seem to suggest I need to do it w/the "new KeyVault" object, but if I set new access policies, wouldn't it delete the old ones as well?