diff --git a/client/foundries_tuf_root.go b/client/foundries_tuf_root.go
index 942ffb6c..1d6af088 100644
--- a/client/foundries_tuf_root.go
+++ b/client/foundries_tuf_root.go
@@ -26,12 +26,19 @@ type RootChangeReason struct {
 	Message   string    `json:"message"`
 	Timestamp time.Time `json:"timestamp"`
 }
+
+type RootKeyOwner struct {
+	PolisId   string    `json:"polis-id"`
+	CreatedAt time.Time `json:"created-at"`
+}
+
 type AtsRootMeta struct {
 	tuf.SignedCommon
 	Consistent bool                           `json:"consistent_snapshot"`
 	Keys       map[string]AtsKey              `json:"keys"`
 	Roles      map[tuf.RoleName]*tuf.RootRole `json:"roles"`
 	Reason     *RootChangeReason              `json:"x-changelog,omitempty"`
+	KeyOwners  map[string]RootKeyOwner        `json:"x-key-owners,omitempty"`
 }
 
 type AtsTufRoot struct {
diff --git a/subcommands/keys/tuf_utils.go b/subcommands/keys/tuf_utils.go
index e366e780..4b234d8c 100644
--- a/subcommands/keys/tuf_utils.go
+++ b/subcommands/keys/tuf_utils.go
@@ -14,8 +14,10 @@ import (
 	"io"
 	"os"
 	"strings"
+	"time"
 
 	canonical "github.com/docker/go/canonical/json"
+	"github.com/spf13/viper"
 	tuf "github.com/theupdateframework/notary/tuf/data"
 
 	"github.com/foundriesio/fioctl/client"
@@ -321,6 +323,17 @@ func addOfflineTufKey(
 	creds[base+".sec"] = key.atsPrivBytes
 	root.Signed.Keys[key.signer.Id] = key.atsPub
 	root.Signed.Roles[role].KeyIDs = append(oldKids, key.signer.Id)
+
+	factory := viper.GetString("factory")
+	user, err := api.UserAccessDetails(factory, "self")
+	subcommands.DieNotNil(err)
+	if root.Signed.KeyOwners == nil {
+		root.Signed.KeyOwners = make(map[string]client.RootKeyOwner)
+	}
+	root.Signed.KeyOwners[key.signer.Id] = client.RootKeyOwner{
+		PolisId:   user.PolisId,
+		CreatedAt: time.Unix(time.Now().Unix(), 0).UTC(), // Strip millis
+	}
 }
 
 func removeUnusedTufKeys(root *client.AtsTufRoot) {