An exception that is not tracked is not an exception — it is an invisible gap. EAB’s Exception Register ensures that every deviation, accepted risk, and unresolved condition is a named, owned, time-bound record in the governance layer.
The Exception Register gives Enterprise organizations a structured, searchable record of every governance exception across all AI systems. Each entry carries an owner, a source link, a status, and a review date. Exceptions do not expire quietly — they surface as signals when overdue.
“An exception that is not registered is not an exception under management — it is a gap that has been accepted without acknowledgement. The register does not eliminate exceptions. It makes them governable.”
Non-applicability is an explicit, reviewed governance decision: this obligation does not apply to this system, and here is why. An exception is something different — an unresolved deviation, a risk that was accepted despite remaining, an evidence gap that was acknowledged but not yet closed, or an override that was logged but not reconciled. The Exception Register tracks the latter.
A risk that was identified during governance but accepted rather than resolved. Created automatically when a Risk Acceptance Workflow record is approved. The exception carries the same owner, rationale, and review date as the acceptance record.
An obligation that could not be fully evidenced at the time of approval. The gap is registered, owned, and assigned a resolution horizon. Evidence gaps in the register feed into Evidence Readiness tracking as open items requiring closure.
A governance step that was completed under non-standard conditions — a bypassed gate, a compressed review cycle, or a process deviation with documented justification. The deviation is registered with its justification, approver, and resolution plan.
A supervisor override that was logged during screening and requires a follow-up action beyond the override record itself. Not every override generates an exception — only those where the override creates an unresolved condition that needs to be tracked.
Exceptions surfaced by Governance Exception Detection: obligation drift, evidence staleness, re-screening overdue, review date exceeded. Detection creates a signal that becomes an exception entry when acknowledged and registered.
The Exception Register is not a record of what happened — that is the audit trail. The register is an active management layer. Every entry in it represents an open governance condition that requires resolution, review, or formal closure. When an exception is closed, the record remains — the status changes.
Every exception moves through a defined lifecycle. States are not free text — they are structured transitions that each require an attributed action. An exception can only be closed when its resolution condition is met.
The exception has been created — from a detection signal, a risk acceptance, or a governance deviation — and is awaiting owner assignment and initial assessment. No exception remains in Open state without a responsible owner.
The named owner has acknowledged the exception and is actively assessing the resolution path. The exception may be escalated, mitigated, accepted, or rejected from this state. The review is time-bounded.
The exception has been formally accepted — typically through the Risk Acceptance Workflow. The acceptance record is linked. A review date is required. Accepted exceptions remain visible in the register and in reporting.
The exception cannot be accepted as-is but has a defined resolution path. The mitigation plan, responsible owner, and target completion date are documented. The exception remains active until the mitigation is verified complete.
The review date has passed without a state transition. The exception is flagged in Governance Exception Detection as an overdue signal and surfaces in the Executive Cockpit as a governance health indicator requiring action. The owner is notified.
Closed: the exception has been resolved — the evidence gap filled, the deviation reconciled, the accepted risk expired and not renewed. The record is retained in the register with a closed status and closure timestamp. Rejected: the exception was determined to be invalid or incorrectly classified. Both states are permanent and attributed.
Registering an exception does not mean the organization has resolved its governance obligations. It means the organization has acknowledged an unresolved condition, assigned responsibility, defined a resolution path, and committed to a review date. The register makes that commitment structured and traceable.
When an auditor or regulator identifies a gap that was known but unresolved, the question is not whether the gap existed — it is whether the organization had a governed response to it. A registered exception with an owner, a rationale, and a defined review outcome is a governed response. An email thread is not.
The Exception Register feeds directly into Compliance Reporting, the Executive Governance Cockpit, and the Auditor Workspace. Exceptions are visible across all reporting layers — not hidden in a side process.
The Exception Register is available in the Enterprise plan. Every exception is owned, time-bound, and visible across all governance reporting layers.
EU-hosted · Anchored to CELEX 32024R1689