A person, an organization, or a thing that is not included in or does not fit into a security policy. Typically, a policy management process includes the option of granting an exception to a standing policy when the policy cannot be met or can only partially be met. This makes the Information Security team aware of a scenario that is out of compliance, so that it can understand the associated risk and monitor the exception. Sometimes the exception is time-bound, to give an opportunity for a remediation plan to be met.