Okay so what you need is colloquially called a crypto enclave. The point is to have an environment that is completely separate from the rest of your Intranet, with very strictly controlled I/O toward the rest of the world (and the rest of your network).
In an enterprise situation, I’d say the enclave ideally consists of at least an isolated, hardened server and a firewall server running completely separate from this server, preferably on separate hardware to ensure that low-level hardware vulnerabilities won’t allow key exposure. Both in a physically secure location (locked room separate from the regular server room, safebox, etc.). If your private key is in the cloud, it’s no longer your private key.
As others said, using a hardware security module is preferred. I’d say, using it inside the above-described crypto enclave is what’s preferred. HSM inside physically isolated server inside physically isolated network segment.
Now this may sound like overkill, but if you’re managing a lot of money, thieves will be coming after you, and you might as well prepare for sophisticated ones. Make sure the enclave is duly protected from social engineering attacks. No keys in receptionists’ hands to allow an unscheduled fire safety checkup into the room, etc.
Also, implementing a granular on-chain authorization scheme is a good idea. The master key should be offline, on a piece of paper or a good quality hardware wallet, in a safe, where only the CEO personally (or another high-level stakeholder with personal liability) has access.
Then, allow the master key to authorize signing keys at a smart contract level, each with specific limitations according to the role they play (e.g. allow to pay out tokens, but with a daily amount cap). If a client wants to buy a billion dollars’ worth of tokens, set up a personal meeting, have the CEO ceremonially retrieve the master key and authorize the transaction, etc. Once you get to the high-flying level, it’s okay to not be automated. If you are suddenly flooded with legitimate business beyond your wildest dreams, get the master key and raise the cap. If your signing key is compromised, all you lose is the daily cap at most, and you can run and get the master key, de-authorize the compromised key, and set up a new one.
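To make the "master key authorizes capped signing keys" scheme concrete, here is an added example of such a contract. It is not code from the answer above, just an illustration of the pattern it describes, and it assumes an Ethereum-style chain with an ERC-20 token held by the treasury contract. The contract name `CappedTreasury`, the `Signer` struct and all function names are hypothetical. The master key (kept offline, only ever used in a ceremony) can authorize or revoke signers and set their daily cap; a hot signing key can pay out only up to its cap per UTC day; a one-off large payout still requires the master key itself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed for payouts.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Hypothetical treasury: hot signing keys are limited by a per-key daily cap,
/// the cold master key only (de)authorizes keys and performs ceremonial payouts.
contract CappedTreasury {
    struct Signer {
        bool authorized;
        uint256 dailyCap;    // max token units this key may pay out per UTC day
        uint256 spentToday;  // amount already paid out in the current day window
        uint256 dayIndex;    // block.timestamp / 1 days at the last payout
    }

    address public immutable master;  // cold key, lives in the safe
    IERC20 public immutable token;
    mapping(address => Signer) public signers;

    event SignerAuthorized(address indexed signer, uint256 dailyCap);
    event SignerRevoked(address indexed signer);
    event Payout(address indexed by, address indexed to, uint256 amount);

    modifier onlyMaster() {
        require(msg.sender == master, "not master");
        _;
    }

    constructor(address master_, IERC20 token_) {
        master = master_;
        token = token_;
    }

    /// Authorize a new hot key, or raise/lower the cap of an existing one.
    /// The running spend counter is kept, so raising the cap mid-day does not
    /// reset what the key already paid out today.
    function authorizeSigner(address signer, uint256 dailyCap) external onlyMaster {
        Signer storage s = signers[signer];
        s.authorized = true;
        s.dailyCap = dailyCap;
        emit SignerAuthorized(signer, dailyCap);
    }

    /// De-authorize a compromised key; it can never pay out again unless
    /// the master key explicitly re-authorizes it.
    function revokeSigner(address signer) external onlyMaster {
        delete signers[signer];
        emit SignerRevoked(signer);
    }

    /// Routine payout by a hot key, bounded by its daily cap.
    function payout(address to, uint256 amount) external {
        Signer storage s = signers[msg.sender];
        require(s.authorized, "not an authorized signer");

        uint256 today = block.timestamp / 1 days;
        if (s.dayIndex != today) {
            // New UTC day: start a fresh spend window.
            s.dayIndex = today;
            s.spentToday = 0;
        }
        require(s.spentToday + amount <= s.dailyCap, "daily cap exceeded");
        s.spentToday += amount;

        require(token.transfer(to, amount), "transfer failed");
        emit Payout(msg.sender, to, amount);
    }

    /// Ceremonial payout: the master key is brought out of the safe for a
    /// single, uncapped transaction (the "billion dollar client" case).
    function masterPayout(address to, uint256 amount) external onlyMaster {
        require(token.transfer(to, amount), "transfer failed");
        emit Payout(msg.sender, to, amount);
    }
}
```

The worst case after a hot key is stolen is bounded by that key's `dailyCap` until `revokeSigner` is called from the master key; the master key itself never touches day-to-day traffic, so it can stay offline between ceremonies. Emitting events for every authorization change and payout gives a monitoring system something to alert on (a payout from a key you did not expect to be active, or a cap that moved without a scheduled ceremony).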