# Governance exception RFC (template)

Use when a team requests temporary relief from an SCP, tag policy, or declarative
policy. **Permanent** policy changes go through normal change management — not this form.

## Request

| Field | Value |
|-------|-------|
| RFC ID | GOV-YYYY-NNN |
| Requester / team | |
| Account ID(s) | |
| OU (current) | |
| Policy to except | SCP / RCP / declarative / tag policy — name + ID |
| Specific API or config blocked | |
| Business justification | |
| Risk if denied | |
| Compensating controls | e.g. manual review, read-only break-glass, shorter credential TTL |

## Time box (required)

| Field | Value |
|-------|-------|
| Exception start | YYYY-MM-DD |
| Exception end | YYYY-MM-DD (max **90 days** unless CISO extension) |
| Auto-revert mechanism | Detach exception SCP / move account back to standard OU |

## Approvals

| Role | Name | Date | Decision |
|------|------|------|----------|
| Platform lead | | | |
| Security | | | |
| FinOps (if cost-related) | | | |

## Rollout checklist

- [ ] Exception SCP attached **only** to Exceptions OU or named account
- [ ] CloudTrail alert on denied/allowed API in scope
- [ ] Calendar reminder 14 days before expiry
- [ ] Exit criteria documented (what "fixed" looks like)
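The time box and the first rollout item are the two things that tend to drift: an exception outlives its end date, or the exception SCP quietly ends up attached to a root or a standard OU. The following is an added example, not part of this template or any project's tooling, of an offline check that encodes those rules. It assumes the RFC fields are available as a dict and that the policy's attachment targets have the shape returned by AWS Organizations `list_targets_for_policy` (`Targets` is a list of dicts with `TargetId`, `Type`, `Name`); the OU ID, account ID and policy ID in the sample are constructed placeholders.

```python
"""
Added example (not part of the RFC template): checks for the time box and the
'exception SCP attached only to Exceptions OU or named account' rollout item.
Assumed inputs: RFC fields as a dict; attachment targets in the shape of the
AWS Organizations list_targets_for_policy response. All IDs below are
constructed placeholders.
"""
from datetime import date, timedelta

MAX_EXCEPTION_DAYS = 90   # template rule: max 90 days unless CISO extension
REMINDER_LEAD_DAYS = 14   # template rule: calendar reminder 14 days before expiry

# Constructed sample RFC record (placeholder IDs, not real identifiers)
SAMPLE_RFC = {
    "rfc_id": "GOV-YYYY-NNN",
    "policy_id": "p-placeholderscp",            # exception SCP ID (placeholder)
    "account_ids": {"111111111111"},            # named account(s) in scope
    "exceptions_ou_id": "ou-root-exceptions",   # Exceptions OU ID (placeholder)
    "start": "2024-03-01",
    "end": "2024-05-15",
    "ciso_extension": False,
}

# Constructed sample attachment targets (shape of response["Targets"])
SAMPLE_TARGETS = [
    {"TargetId": "ou-root-exceptions", "Type": "ORGANIZATIONAL_UNIT", "Name": "Exceptions"},
    {"TargetId": "111111111111", "Type": "ACCOUNT", "Name": "workload-a"},
]


def check_time_box(rfc, today_iso):
    """Return findings about the exception's time box for a given date (ISO string)."""
    findings = []
    today = date.fromisoformat(today_iso)
    start = date.fromisoformat(rfc["start"])
    end = date.fromisoformat(rfc["end"])
    if end <= start:
        findings.append("end date must be after start date")
    duration = (end - start).days
    if duration > MAX_EXCEPTION_DAYS and not rfc.get("ciso_extension"):
        findings.append(
            f"exception spans {duration} days (> {MAX_EXCEPTION_DAYS}) without CISO extension")
    if today > end:
        # Auto-revert mechanism from the template: detach SCP / move account back
        findings.append("expired: auto-revert due (detach exception SCP, move account to standard OU)")
    elif today >= end - timedelta(days=REMINDER_LEAD_DAYS):
        findings.append(f"expiry within {REMINDER_LEAD_DAYS} days: reminder due")
    return findings


def check_attachment_scope(rfc, targets):
    """Return target IDs the exception policy is attached to that are neither the
    Exceptions OU nor a named account from the RFC (any root or standard OU is a finding)."""
    allowed = {rfc["exceptions_ou_id"]} | set(rfc["account_ids"])
    return [t["TargetId"] for t in targets if t["TargetId"] not in allowed]


def evaluate(rfc, targets, today_iso):
    """Combine both checks; an empty result on every key means the exception is compliant."""
    return {
        "time_box": check_time_box(rfc, today_iso),
        "out_of_scope_targets": check_attachment_scope(rfc, targets),
    }


if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_RFC, SAMPLE_TARGETS, "2024-05-02").items():
        print(f"{key}: {value or 'ok'}")
```

In practice the `targets` argument would come from a paginated `list_targets_for_policy` call for the exception SCP ID, and a non-empty `out_of_scope_targets` list or an `expired` finding is what should page the platform lead rather than sit in a report; the reminder finding maps directly onto the 14-day calendar item above.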

## Post-exception

- [ ] Account moved out of Exceptions OU
- [ ] Exception SCP detached
- [ ] Retrospective: was the policy too broad, or was the workload misplaced?
