# Exception governance

Exceptions provide controlled, auditable overrides for policy or workflow gates. They are time-bound and reversible.

## Lifecycle

- Create request with scope, reason, and TTL.
- Route for approval based on tenant and environment.
- Record signed approval or rejection.
- Revoke or expire with audit trail.

## Scope patterns

- Tenant and environment are required.
- Resource scope targets assets, findings, or policy gates.
- Exceptions do not mutate evidence; they annotate decisions.

## Compliance notes

- Exceptions must include reason codes and approvals.
- All records are retained for audit and replay.

## Offline posture

- Export and import exception bundles with signatures.
- Use deterministic ordering for exports.

## Related references

- docs/governance/exceptions.md
- docs/security/authority-scopes.md
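
The offline posture described above (signed bundles, deterministic export order, TTL enforced on import), sketched as an added example that is not this project's own code. The field names, the bundle layout, and the use of HMAC-SHA256 as a stand-in for the signature scheme are assumptions; the page does not define them.

```python
import hashlib
import hmac
import json

# Assumed record schema: the page requires tenant, environment, scope,
# reason code, TTL and approval, but does not name the fields.
REQUIRED = ("id", "tenant", "environment", "scope", "reason_code", "expires_at", "approval")


def canonical(records):
    """Serialize deterministically: stable record order and sorted JSON keys."""
    for r in records:
        missing = [f for f in REQUIRED if not r.get(f)]
        if missing:
            raise ValueError(f"exception {r.get('id')!r} missing {missing}")
    ordered = sorted(records, key=lambda r: (r["tenant"], r["environment"], r["id"]))
    return json.dumps(ordered, sort_keys=True, separators=(",", ":")).encode()


def export_bundle(records, key):
    """Return the canonical payload plus a signature over exactly those bytes."""
    payload = canonical(records)
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "signature": sig}


def import_bundle(bundle, key, now):
    """Verify the signature first, then keep only exceptions whose TTL has not passed."""
    payload = bundle["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, bundle["signature"]):
        raise ValueError("bundle signature mismatch")
    return [r for r in json.loads(payload) if r["expires_at"] > now]


# Constructed sample records (not real data); expires_at is epoch seconds.
SAMPLE = [
    {"id": "exc-2", "tenant": "acme", "environment": "prod", "scope": "finding:F-10",
     "reason_code": "RISK_ACCEPTED", "expires_at": 2000, "approval": "approver-a"},
    {"id": "exc-1", "tenant": "acme", "environment": "dev", "scope": "policy-gate:G-3",
     "reason_code": "FALSE_POSITIVE", "expires_at": 1000, "approval": "approver-b"},
]
```

Because the export is byte-identical for the same set of records regardless of input order, two sites can compare bundle signatures directly during audit or replay.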