# Risk Acceptance, Exceptions, and Decision Records

> **Intro:** Mature programs do not eliminate all risk; they make risk **visible, bounded, and reviewable**. This page explains how to accept temporary risk without turning exceptions into permanent architecture.

## What an exception is and is not

An exception is:

* explicit;
* time-bound;
* owned;
* linked to compensating controls;
* reviewable by a defined authority.

An exception is not:

* undocumented drift;
* “temporary until the roadmap settles down”;
* a substitute for product prioritization;
* a way to bypass platform standards permanently.

## Minimum fields for a good exception record

* service or system name;
* business owner and technical owner;
* standard or control being bypassed;
* reason the control cannot be met now;
* risk statement in plain language;
* compensating controls;
* expiry date;
* approval authority;
* evidence of review on expiry;
* plan for closure or renewal.

## Decision-record pattern

For meaningful decisions, use a short security ADR (architecture decision record) or equivalent decision record with these sections:

1. context;
2. decision;
3. alternatives considered;
4. security trade-offs;
5. expected telemetry or evidence;
6. triggers for re-evaluation.

## Compensating controls that often justify a short exception

Examples:

* stricter monitoring during a temporary policy gap;
* narrower deployment scope;
* reduced role permissions;
* manual approval on high-risk actions;
* runtime drift detection for a temporary signing gap;
* time-boxed exposure with board-level visibility.

## Exception governance rules that prevent decay

* every exception has an expiry date;
* every renewal requires evidence that the underlying blocker still exists;
* repeated requests from the same service are escalated;
* leadership sees **exception age and concentration**, not only total count.
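One way to make the minimum-field checklist and these governance rules machine-checkable, as an added example that is not part of the original page or the Gitbook's own tooling: a small Python linter for an exception register that flags incomplete records, renewals without evidence, expired and aging exceptions, and per-service concentration. Key names, thresholds and the sample records are assumptions.

```python
from collections import Counter
from datetime import date
# Minimum fields from the checklist above, as constructed key names; "opened" is
# added so exception age can be computed.
REQUIRED_FIELDS = (
    "service", "business_owner", "technical_owner", "control", "reason",
    "risk_statement", "compensating_controls", "expiry", "approval_authority",
    "closure_plan", "opened",
)

def validate_record(rec):
    """Findings for one record: empty or missing fields, renewal without evidence."""
    findings = [f"missing {f}" for f in REQUIRED_FIELDS if not rec.get(f)]
    if rec.get("renewals", 0) > 0 and not rec.get("renewal_evidence"):
        findings.append("renewed without evidence that the blocker still exists")
    return findings

def register_report(records, today, max_age_days=90, escalate_at=2):
    """Leadership view of a register: expired and aging exceptions, per-service
    concentration, services with repeated requests, and per-record findings."""
    report = {"expired": [], "aging": [], "findings": {}}
    for rec in records:
        if (found := validate_record(rec)):
            report["findings"][rec["id"]] = found
        if rec.get("expiry") and rec["expiry"] < today:
            report["expired"].append(rec["id"])
        if rec.get("opened") and (today - rec["opened"]).days > max_age_days:
            report["aging"].append(rec["id"])
    concentration = Counter(r["service"] for r in records)
    report["concentration"] = dict(concentration)
    report["escalate"] = sorted(s for s, n in concentration.items() if n >= escalate_at)
    return report

# Constructed sample register; service and people names are placeholders.
SAMPLE = [
    {"id": "EX-1", "service": "payments-api", "business_owner": "A. Owner",
     "technical_owner": "T. Lead", "control": "signed artifacts only",
     "reason": "legacy build runner cannot sign", "risk_statement": "unsigned deploys",
     "compensating_controls": ["runtime drift detection"], "expiry": date(2026, 3, 1),
     "approval_authority": "AppSec lead", "closure_plan": "migrate runner",
     "opened": date(2025, 11, 1)},
    {"id": "EX-2", "service": "payments-api", "business_owner": "A. Owner",
     "technical_owner": "T. Lead", "control": "MFA on admin console",
     "reason": "vendor SSO not ready", "risk_statement": "", "compensating_controls": [],
     "expiry": date(2026, 9, 1), "approval_authority": "CISO", "closure_plan": "vendor SSO",
     "opened": date(2026, 5, 1), "renewals": 1},
]

def demo_report():
    return register_report(SAMPLE, today=date(2026, 6, 1))
```

Running `demo_report()` shows EX-1 as expired and aging, EX-2 as incomplete and renewed without evidence, and the shared service flagged for escalation.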

## What to avoid

* severity-only approval criteria;
* exceptions with no named business owner;
* exception systems that do not integrate with backlog or review cadence;
* renewals approved without discussing whether the standard itself is wrong.

## Suggested references

* NIST SSDF — <https://csrc.nist.gov/publications/detail/sp/800-218/final>
* OWASP SAMM — <https://owasp.org/www-project-samm/>

## Templates

* [Policy Exception Governance Pack](/metrics-audit-risk-evidence-and-compliance/index/policy-exception-governance-pack.md)
* [Security Exception Decision Record Template](https://github.com/D3One/Product-Security-Gitbook/blob/main/snippets/reporting/security-exception-decision-record-template.md)

***

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*

