The new code changes from not existing, to existing.

Indeed, the key doesn't change. The new capability comes from the new code.

It would not be a re-evaluation of risk, because this is a new project. The evaluation of risk is supposed to come at the moment when the new capability is implemented, and consciously tied to an existing key type, which was previously advertised as non-secret.