Exception Decision Record (EDR) — AI Use‑Case

AI Safety Pack Component

PeopleSafetyLab | February 24, 2026 | 2 min read | intermediate

Version: v1.0

Use this when approving an exception to a default Prohibited classification in the matrix (e.g., any D3 Restricted data use, O2 automated external output, or C2 high‑impact decision support).

Principle: exceptions must be time‑boxed, have named accountability, and include compensating controls and an exit plan.


1) Summary

  • EDR ID: EDR‑YYYY‑###
  • Date:
  • Use‑case name / ID (from register):
  • Business owner (accountable):
  • Approvers: (Risk / Legal / Privacy / Security)
  • Exception type: (D3 / O2 / C2 / Other)

2) What is being approved (plain language)

Describe the exact behavior being allowed.

  • What the system does:
  • Who uses it:
  • Where outputs go:
  • What data is used:

3) Why the exception is needed

  • Business rationale:
  • Alternatives considered (and why insufficient):

4) Risk assessment summary

  • Main people‑harm risks (top 3):
  • Main data/privacy risks (top 3):
  • Residual risk after controls (Low/Med/High):
  • Link(s) to risk register rows:

5) Compensating controls (required)

Reference control IDs from 04-controls-map.md.

  • Controls to implement before go‑live:
  • Evidence required before go‑live:

6) Monitoring + rollback

  • Metrics to monitor:
  • Alert thresholds:
  • Kill switch owner:
  • How to disable immediately:
  • Rollback/containment steps:

7) Time box + review

  • Effective date:
  • Expiry date (required):
  • Review cadence:
  • Conditions that auto‑revoke the exception:

8) Decision

  • Decision: (Approved / Rejected / Approved with conditions)
  • Conditions / notes:
  • Signatures (names/roles):

PeopleSafetyLab

Independent AI safety research for organisations and families in Saudi Arabia and the GCC. All research is editorially independent. PeopleSafetyLab has no consulting clients and does not conduct paid audits.