Manage risk exceptions

Mark entities as exceptions to acknowledge acceptable risks and resolve risk queries

Overview

This guide explains how to manage exceptions for risk queries in Veza. When an entity appears in a risk query but represents an intentional or acceptable configuration, you can mark it as an exception. Exceptions acknowledge that you have reviewed the flagged access and determined it does not require action.

Use exceptions to:

  • Acknowledge intentional configurations that trigger risk queries

  • Reduce noise from known acceptable access patterns

  • Document decisions for audit and compliance purposes

  • Move risks to "Resolved" status without changing the underlying access

Before you start

Before marking exceptions:

  • Review the flagged entity to understand why it matches the risk query

  • Confirm the access is intentional and acceptable per your security policies

  • Prepare a note explaining why the exception is appropriate

When to use exceptions

Exceptions are appropriate when:

  • Intentional configuration: The access is by design, such as a break-glass account with elevated privileges

  • Business requirement: The access is necessary for a specific business function and has been approved

  • False positive: The query logic flags something that is not actually a risk in your environment

  • Temporary acceptance: The risk is known and scheduled for resolution, but you want to track it separately

Exceptions are not appropriate when:

  • The access should be removed or modified

  • You haven't reviewed the entity to understand why it's flagged

  • The exception would mask a genuine security issue

Mark entities as exceptions

From the All Risks tab

  1. Go to Access Intelligence > Risks.

  2. On the All Risks tab, click the Affected Entities count for a query.

  3. Select the entities you want to mark as exceptions.

  4. Click Mark as Exception.

  5. Add a note explaining why the exception is appropriate.

  6. Click Confirm.

From the Actions menu

  1. On the All Risks tab, click the Actions menu (⋮) for a query.

  2. Select Manage Exceptions.

  3. Review the list of affected entities.

  4. Select entities and click Mark as Exception.

  5. Add a note and click Confirm.

Use Bulk Omit to exclude queries from scoring

If a query consistently produces false positives for certain entities, you can exclude it from their risk score calculation using Bulk Omit.

  1. In Query Details > Results view, click on a risk score to view score details in the sidebar.

  2. Click Bulk Omit.

  3. Select the queries you want to exclude from the calculation.

  4. Click Omit Selection.

The risk score will recalculate within a few hours to reflect the exclusion. This is useful when specific queries don't represent genuine risks for certain entity types or configurations.

Review existing exceptions

To see which entities have been marked as exceptions for a query:

  1. Go to Access Intelligence > Risks.

  2. On the All Risks tab, review the Exceptions column for each query.

  3. Click the exceptions count to view the list of excepted entities.

Remove exceptions

If an exception is no longer appropriate:

  1. Navigate to the query's exception list.

  2. Select the entities to remove from exceptions.

  3. Click Remove Exception.

The entities will return to the affected entities list, and the risk will reopen if it was previously resolved.

How exceptions affect risk status

A risk query's status depends on its results and exceptions:

  • Open: The query has one or more affected entities that are not marked as exceptions

  • Resolved: All affected entities are marked as exceptions, OR the query returns no results

When you mark all affected entities as exceptions, the risk automatically becomes Resolved. If new entities later match the query, the risk will reopen.
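The status rules above, written out as a small model. This is an added example, not Veza code or a Veza API: the RiskQuery class, its method names, the entity names and the mandatory-note check are all assumptions made for illustration.

```python
# Illustrative model only: not Veza code or a Veza API.
from dataclasses import dataclass, field


@dataclass
class RiskQuery:
    name: str
    affected: set = field(default_factory=set)      # entities the query currently returns
    exceptions: dict = field(default_factory=dict)  # entity -> reviewer note

    def mark_exception(self, entity, note):
        # Assumption of this model: the note is mandatory (the guide says to add one).
        if not note.strip():
            raise ValueError("an exception needs a note explaining the decision")
        self.exceptions[entity] = note

    def remove_exception(self, entity):
        self.exceptions.pop(entity, None)

    def outstanding(self):
        # Affected entities that have not been marked as exceptions.
        return self.affected - set(self.exceptions)

    def status(self):
        # Resolved: no results, or every result is an exception. Otherwise Open.
        return "Open" if self.outstanding() else "Resolved"


def walkthrough():
    # Constructed sample data; the query and entity names are made up.
    q = RiskQuery("Users with admin role and no MFA",
                  affected={"breakglass-admin", "svc-backup"})
    seen = [q.status()]                      # two unreviewed entities
    q.mark_exception("breakglass-admin", "Break-glass account, approved by security")
    seen.append(q.status())                  # svc-backup is still outstanding
    q.mark_exception("svc-backup", "Required for the nightly backup job")
    seen.append(q.status())                  # every result is now an exception
    q.affected.add("new-contractor")         # a new entity matches the query later
    seen.append(q.status())                  # the risk reopens
    q.affected.discard("new-contractor")     # access corrected at the source
    q.remove_exception("svc-backup")         # exception withdrawn
    seen.append(q.status())                  # svc-backup counts as affected again
    return seen


if __name__ == "__main__":
    print(walkthrough())
```

The model makes one point explicit: an exception attaches to an entity, not to the query, so a Resolved status holds only until an entity without an exception matches.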

Alternative: Refine the query

Instead of marking exceptions, you can modify the query to exclude certain entities automatically:

  1. Click Actions > Open in Query Builder.

  2. Add filter conditions to exclude entities that don't represent genuine risks.

  3. Save the updated query.

This approach is better when you have a pattern of entities that should always be excluded, rather than individual one-off exceptions.
