diff --git a/src/Policy/__Libraries/StellaOps.Policy.Storage.Postgres/Migrations/009_exception_applications.sql b/src/Policy/__Libraries/StellaOps.Policy.Storage.Postgres/Migrations/009_exception_applications.sql
new file mode 100644
index 000000000..58c1d27bf
--- /dev/null
+++ b/src/Policy/__Libraries/StellaOps.Policy.Storage.Postgres/Migrations/009_exception_applications.sql
@@ -0,0 +1,22 @@
+DO $$ BEGIN
+IF NOT EXISTS (SELECT 1 FROM information_schema.tables WHERE table_schema = 'policy' AND table_name = 'exception_applications') THEN
+CREATE TABLE policy.exception_applications (
+ id UUID NOT NULL, tenant_id UUID NOT NULL, exception_id TEXT NOT NULL, finding_id TEXT NOT NULL,
+ vulnerability_id TEXT, original_status TEXT NOT NULL, applied_status TEXT NOT NULL,
+ effect_name TEXT NOT NULL, effect_type TEXT NOT NULL, evaluation_run_id UUID,
+ policy_bundle_digest TEXT, applied_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), metadata JSONB NOT NULL DEFAULT '{}',
+ CONSTRAINT pk_exception_applications PRIMARY KEY (id));
+CREATE INDEX ix_exception_applications_exception_id ON policy.exception_applications (tenant_id, exception_id);
+CREATE INDEX ix_exception_applications_finding_id ON policy.exception_applications (tenant_id, finding_id);
+CREATE INDEX ix_exception_applications_vulnerability_id ON policy.exception_applications (tenant_id, vulnerability_id) WHERE vulnerability_id IS NOT NULL;
+CREATE INDEX ix_exception_applications_evaluation_run_id ON policy.exception_applications (tenant_id, evaluation_run_id) WHERE evaluation_run_id IS NOT NULL;
+CREATE INDEX ix_exception_applications_applied_at ON policy.exception_applications (tenant_id, applied_at DESC);
+CREATE INDEX ix_exception_applications_stats ON policy.exception_applications (tenant_id, effect_type, applied_status);
+END IF; END $$;
+ALTER TABLE policy.exception_applications ENABLE ROW LEVEL SECURITY;
+DO $$ BEGIN
+IF NOT EXISTS (SELECT 1 FROM pg_policies WHERE tablename = 'exception_applications' AND policyname = 'exception_applications_tenant_isolation') THEN
+CREATE POLICY exception_applications_tenant_isolation ON policy.exception_applications
+USING (tenant_id = current_setting('app.tenant_id', true)::uuid)
+WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);
+END IF; END $$;
\ No newline at end of file
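Review bot: Tenant isolation here depends on `ENABLE ROW LEVEL SECURITY` alone, which Postgres does not apply to the table owner (or superusers); if the application role that runs queries also owns `policy.exception_applications`, the `exception_applications_tenant_isolation` policy is silently bypassed for every statement. The hunk does not show which role runs the migration versus the workload, so this may be fine, but the safe default for a cross-tenant table is to add `ALTER TABLE policy.exception_applications FORCE ROW LEVEL SECURITY;` directly after the `ENABLE` line so the owner is covered too. Separately, the idempotency guard `WHERE tablename = 'exception_applications' AND policyname = ...` on `pg_policies` is not schema-qualified, so a same-named table and policy in another schema would cause this policy to be skipped entirely; make it `WHERE schemaname = 'policy' AND tablename = 'exception_applications' AND policyname = 'exception_applications_tenant_isolation'`. Note that with `current_setting('app.tenant_id', true)` a missing setting yields NULL and the policy fails closed, which is the desired behaviour, but an empty-string value would raise on the `::uuid` cast, so callers must set the GUC to a real UUID or leave it unset.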