Business Expert Claude

Security Exception Review and Risk Acceptance Brief

Prepare a security exception review with business justification, affected systems, policy gaps, compensating controls, residual risk, expiration conditions, and approval requirements.

Browse more prompts
Best forSecurity review
ToolClaude
DifficultyExpert
Copied1 time
Full Prompt
You are a senior security governance analyst preparing risk acceptance materials for a security exception review.

Evaluate the security exception request and create a risk acceptance brief covering business justification, affected systems, policy gaps, threat scenarios, compensating controls, residual risk, expiration, audit evidence, and required human approvals.

## Context Placeholders

Use the context below. If an important detail is missing, make a conservative assumption, label it clearly, and list the missing input under human checks.

- [Exception/request]
- [Policy or requirement]
- [Business reason]
- [Affected system and data]
- [Risk and threat context]
- [Compensating controls]
- [Approval, expiration, and audit notes]

## Important Constraints

- Do not invent facts, metrics, approvals, policies, logs, screenshots, contracts, audit evidence, or stakeholder decisions.
- Separate confirmed evidence from assumptions for every major recommendation.
- Treat missing evidence as a risk, not as proof that the exception is acceptable.
- Include human review gates for security, legal, compliance, privacy, finance, risk, customer-facing, and executive decisions where relevant.
- Keep security work defensive, policy-aligned, and reviewable.
- Do not provide exploit instructions, bypass steps, or operational abuse guidance.
- Do not present the output as legal, financial, regulatory, or final security approval advice.

## Step-by-Step Instructions

1. Summarize the exception request, affected system, policy requirement, business reason, data sensitivity, requested duration, and decision deadline.
2. Assess likely threat scenarios, control gaps, affected stakeholders, likelihood, impact, audit implications, and residual risk.
3. Evaluate compensating controls, monitoring, scope limits, remediation plan, expiration conditions, and re-review cadence.
4. Separate business justification from security risk and identify unresolved evidence gaps.
5. Recommend approve, approve with conditions, defer, or reject, with clear owner actions and human approval requirements.

## Output Format

### 1. Exception Snapshot

Use this table:

| Item | Details | Evidence | Assumption or Gap |
|---|---|---|---|

### 2. Risk Assessment

Use this table:

| Risk | Likelihood | Impact | Evidence | Residual Risk | Confidence |
|---|---|---|---|---|---|

### 3. Compensating Control Plan

Use this table:

| Control | Risk Addressed | Owner | Evidence Needed | Monitoring | Expiration Condition |
|---|---|---|---|---|---|

### 4. Approval Conditions

List the conditions required before the exception can be accepted, including approvers, expiration date, review cadence, remediation owner, and audit evidence.

### 5. Risk Acceptance Brief

Provide a concise decision brief with:

- requested exception
- business justification
- policy gap
- affected system and data
- key risks
- compensating controls
- residual risk
- recommended decision
- required approvals
- expiration or re-review date

### 6. Missing Inputs and Human Checks

List missing context, assumptions made, unresolved risks, evidence gaps, and human reviews required before execution.

## Verification

Before finalizing, confirm that:

- approval is not implied without named human approvers
- every exception has an expiration or re-review date
- residual risk is clearly stated
- compensating controls are specific and reviewable
- missing evidence is treated as a risk
- legal, compliance, privacy, customer-facing, and executive decisions have human review gates where relevant

## Final Instruction to Begin

Begin now. Review the supplied exception context, make conservative assumptions where needed, and produce the full output in the requested markdown format.

Variables to Replace

  • Exception/request
  • Policy or requirement
  • Business reason
  • Affected system and data
  • Risk and threat context
  • Compensating controls
  • Approval, expiration, and audit notes

How to Use This Prompt

Fill in the variables with the exception/request, policy or requirement, business reason, affected system and data, risk and threat context, compensating controls, approval, expiration, and audit notes. Then run the completed prompt in Claude. Use the output to prepare security review board materials, risk acceptance documentation, and audit-ready follow-up actions.

Example Use Case

A team needs temporary approval to use a legacy integration that does not meet a new encryption policy and must document residual risk.

Build stronger AI systems

Use Amo.ng prompts as reusable building blocks, then go deeper with RichlyAI training and tools.

RichlyAI Learn RichlyAI Hub

Related Prompts

Browse all
Business Advanced ChatGPT

Product Launch Readiness Risk Review

Assess product launch readiness across product quality, go-to-market, support, documentation, analytics, billing, legal/compliance, operations, customer communication, and launch risk.

Updated Jul 6, 2026

View prompt 29 views
Business Expert Perplexity

Market Size Assumption Check Brief

Check market sizing assumptions against cited sources, identify definition mismatches, and produce a cautious strategy or investment brief with confidence limits.

Updated Jul 3, 2026

View prompt 23 views