[awd]

Well, not literally. But it is meant to be the system that is used to gain root access to your domain controller to perform administrative tasks there. Install updates, fix issues, that type of thing.

So, although it does not literally house all passwords/keys/whatever to your network, it has access to a system that indirectly does.

Normal jump hosts should not have your private keys I guess, but I thought it was the closest analogy.

Just put it this way: if an attacker gets on that system, it's complete game over.