SecPrep

When and how should a security finding be formally risk-accepted, and what makes a good exception process?

Not every finding gets fixed immediately — sometimes the cost or timing makes a documented risk acceptance the right business call. A sound process requires: a written justification that states the residual risk; a compensating control where feasible; sign-off by an owner at a level proportional to the risk (a critical finding needs a senior leader, not an engineer); and, crucially, a mandatory expiry / re-review date so exceptions don't become permanent. The decision should be the business owner's, with security providing the risk facts — security advises, the business accepts. Track all exceptions in one inventory, review them on a cadence, and watch for patterns (many exceptions of one type usually means a missing paved-road control). 'Accept' must be an explicit, accountable decision, never the silent default of an unfixed ticket.
