At a bank with no disciplined route for deviation, teams swing between two bad habits: they ignore architecture guidance, or they treat any departure from it as a political crisis. Compliance assessment, architecture contracts, and waivers exist to replace both. Together they make a deviation visible, reasoned, time-bound where that helps, and traceable to the risk and the enterprise consequence it carries, so the conversation is about evidence rather than blame.
Many people equate good governance with a strict no-waiver rule, on the assumption that standards are safest when they are never broken. In practice a rigid ban pushes non-compliant decisions into the shadows, while having no compliance position at all lets the architecture drift. The managed middle path is to allow an exception through an explicit waiver that the right forum can see, with a reason stated against enterprise risk and an end date where appropriate. The aim is to be strict about visibility and reasoning, not strict for the sake of ceremony.
A compliance review is not a yes or no verdict either. The standard grades an implementation along a spectrum, from irrelevant and consistent, through compliant and conformant, to fully conformant, with non-conformant kept for a real breach. Placing a system on that scale is what makes the assessment objective rather than a matter of opinion, and it is the evidence that shows whether a waiver is genuinely needed or whether the gap can be accepted as it stands.