🧾 Risk Acceptance, Exceptions, and Decision Records

Intro: Mature programs do not eliminate all risk; they make risk visible, bounded, and reviewable. This page explains how to accept temporary risk without turning exceptions into permanent architecture.

What an exception is and is not

An exception is:

• explicit;
• time-bound;
• owned;
• linked to compensating controls;
• reviewable by a defined authority.

An exception is not:

• undocumented drift;
• “temporary until the roadmap settles down”;
• a substitute for product prioritization;
• a way to bypass platform standards permanently.

Minimum fields for a good exception record

• service or system name;
• business owner and technical owner;
• standard or control being bypassed;
• reason the control cannot be met now;
• risk statement in plain language;
• compensating controls;
• expiry date;
• approval authority;
• evidence of review on expiry;
• plan for closure or renewal.

Decision-record pattern

For meaningful decisions, use a short security ADR or decision record:

1. context;
2. decision;
3. alternatives considered;
4. security trade-offs;
5. expected telemetry or evidence;
6. triggers for re-evaluation.

Compensating controls that often justify a short exception

Examples:

• stricter monitoring during a temporary policy gap;
• narrower deployment scope;
• reduced role permissions;
• manual approval on high-risk actions;
• runtime drift detection for a temporary signing gap;
• time-boxed exposure with board-level visibility.

Exception governance rules that prevent decay

• every exception has an expiry date;
• every renewal requires evidence that the underlying blocker still exists;
• repeated requests from the same service are escalated;
• leadership sees exception age and concentration, not only total count.

What to avoid

• severity-only approval criteria;
• exceptions with no named business owner;
• exception systems that do not integrate with backlog or review cadence;
• renewals approved without discussing whether the standard itself is wrong.

Suggested references

• NIST SSDF — https://csrc.nist.gov/publications/detail/sp/800-218/final
• OWASP SAMM — https://owasp.org/www-project-samm/

Templates

• Policy Exception Governance Pack
• Security Exception Decision Record Template

Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.