diff --git a/cmd/policy/kasKeys.go b/cmd/policy/kasKeys.go
index 63e10174..ef4a79e7 100644
--- a/cmd/policy/kasKeys.go
+++ b/cmd/policy/kasKeys.go
@@ -18,6 +18,8 @@ import (
 "github.com/opentdf/platform/protocol/go/policy"
 "github.com/opentdf/platform/protocol/go/policy/kasregistry"
 "github.com/spf13/cobra"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
 )
 
 const (
@@ -419,6 +421,16 @@ func policyListKasKeys(cmd *cobra.Command, args []string) {
 cli.ExitWithError("Invalid kas identifier", err)
 }
 
+ if kasIdentifier != "" {
+ _, err := h.GetKasRegistryEntry(c.Context(), kasLookup)
+ if err != nil {
+ if status.Code(err) == codes.NotFound {
+ cli.ExitWithError(kasRegistryMissingErrorMessage(kasIdentifier), nil)
+ }
+ cli.ExitWithError("Failed to resolve KAS registry entry", err)
+ }
+ }
+
 // Get the list of keys.
 resp, err := h.ListKasKeys(c.Context(), limit, offset, alg, kasLookup, legacy)
 if err != nil {
@@ -466,6 +478,10 @@ func policyListKasKeys(cmd *cobra.Command, args []string) {
 common.HandleSuccess(cmd, "", t, resp)
 }
 
+func kasRegistryMissingErrorMessage(kas string) string {
+ return fmt.Sprintf("KAS %q is not registered; create one with `policy kas-registry create`", kas)
+}
+
 func policyListKeyMappings(cmd *cobra.Command, args []string) {
 c := cli.New(cmd, args)
 h := common.NewHandler(c)
diff --git a/e2e/kas-keys.bats b/e2e/kas-keys.bats
index 5f1c5d55..cb9b192c 100644
--- a/e2e/kas-keys.bats
+++ b/e2e/kas-keys.bats
@@ -803,6 +803,16 @@ format_kas_name_as_uri() {
 delete_kas_registry "$KAS_ID_LIST"
 }
 
+@test "kas-keys: list keys (kas not registered)" {
+ MISSING_KAS_NAME=$(generate_kas_name)
+ MISSING_KAS_URI=$(format_kas_name_as_uri "${MISSING_KAS_NAME}")
+
+ run_otdfctl_key list --kas "${MISSING_KAS_URI}"
+ assert_failure
+ assert_output --partial "is not registered"
+ assert_output --partial "policy kas-registry create"
+}
+
 @test "kas-keys: list legacy keys" {
 KAS_NAME_LIST=$(generate_kas_name)
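Review bot: The NotFound branch of the new kasIdentifier pre-check in policyListKasKeys calls `cli.ExitWithError(kasRegistryMissingErrorMessage(kasIdentifier), nil)` with a nil error and no `return`, so it only yields the intended message if `cli.ExitWithError` terminates the process even when its error argument is nil; that helper is not visible in this diff. If it exits only on a non-nil error, control falls through to the generic `"Failed to resolve KAS registry entry"` call and the registration hint is lost. Passing the error through, `cli.ExitWithError(kasRegistryMissingErrorMessage(kasIdentifier), err)`, removes that dependency. The branch also assumes the error from `h.GetKasRegistryEntry` is, or wraps, a gRPC status, since `status.Code` reports `codes.Unknown` for anything else; a one-line comment stating that assumption would help. policyListKasKeys starts and ends outside the hunk.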
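Review bot: kasRegistryMissingErrorMessage has no comment, and the one detail worth recording is why the identifier is formatted with `%q`: the value appears to be whatever the user passed as the KAS identifier, and `%q` escapes control characters before the string is printed. I would add `// kasRegistryMissingErrorMessage builds the error shown when the KAS identifier does not resolve to a registry entry; %q keeps the user-supplied value escaped.` above the function so a later edit does not swap it for `%s`.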