diff --git a/policies/gh_org_ip_allowlist_enabled.rego b/policies/gh_org_ip_allowlist_enabled.rego
index 214c79e..9740847 100644
--- a/policies/gh_org_ip_allowlist_enabled.rego
+++ b/policies/gh_org_ip_allowlist_enabled.rego
@@ -37,7 +37,11 @@ risk_templates := [
 }
 ]
 
-_ip_allow_list := object.get(input, "ip_allow_list", [])
+_ip_allow_list := object.get(input, "ip_allow_list", null)
+
+skip_reason := "IP allow-list data is unavailable (collection may be disabled or token may lack permissions), cannot evaluate IP allow-list configuration" if {
+ _ip_allow_list == null
+}
 
 _has_active_entry if {
 some entry in _ip_allow_list
@@ -45,6 +49,7 @@ _has_active_entry if {
 }
 
 violation[{"id": "ip_allowlist_not_configured"}] if {
+ _ip_allow_list != null
 not _has_active_entry
 }
 
diff --git a/policies/gh_org_ip_allowlist_enabled_test.rego b/policies/gh_org_ip_allowlist_enabled_test.rego
index b5ce7a4..8202967 100644
--- a/policies/gh_org_ip_allowlist_enabled_test.rego
+++ b/policies/gh_org_ip_allowlist_enabled_test.rego
@@ -24,6 +24,16 @@ test_ip_allowlist_empty if {
 }
 }
 
-test_ip_allowlist_missing if {
- count(violation) > 0 with input as {}
+test_ip_allowlist_null_skips if {
+ count(violation) == 0 with input as {
+ "ip_allow_list": null
+ }
+ skip_reason == "IP allow-list data is unavailable (collection may be disabled or token may lack permissions), cannot evaluate IP allow-list configuration" with input as {
+ "ip_allow_list": null
+ }
+}
+
+test_ip_allowlist_missing_skips if {
+ count(violation) == 0 with input as {}
+ skip_reason == "IP allow-list data is unavailable (collection may be disabled or token may lack permissions), cannot evaluate IP allow-list configuration" with input as {}
 }
diff --git a/policies/gh_org_sso_enabled.rego b/policies/gh_org_sso_enabled.rego
index 2874ace..0096f07 100644
--- a/policies/gh_org_sso_enabled.rego
+++ b/policies/gh_org_sso_enabled.rego
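Review bot: Switching the `object.get` default from `[]` to `null` makes an absent `ip_allow_list` key indistinguishable from an explicit null, so a collector bug or schema drift that simply drops the field now produces a skip where it previously produced the finding, and the message's explanation (collection disabled, token permissions) is an inference the policy cannot verify for the absent-key case. If the collector reports an explicit null when it cannot fetch the list, the skip can key on that alone, as the SSO policy in this commit does: `skip_reason := "…" if { input.ip_allow_list == null }`, which is undefined (no skip) when the key is missing and lets that case fall through to the violation. That requires the violation guard in the next hunk to be `not skip_reason` and `test_ip_allowlist_missing_skips` to expect a violation again. `_has_active_entry`'s body continues outside the hunk.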
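Review bot: The guard added to `violation[{"id": "ip_allowlist_not_configured"}]` tests `_ip_allow_list != null` rather than `not skip_reason`, which is what the SSO policy in the same commit uses; the two are equivalent today, but the coupling to the skip rule is implicit and any second skip condition added later would not gate this rule. Suggest `not skip_reason` in place of `_ip_allow_list != null`, with a short why-comment above it such as `# Evaluated only when allow-list data was collected; see skip_reason.` so the suppression is visibly tied to the reported reason.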
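Review bot: `test_ip_allowlist_missing_skips` pins fail-open behaviour for an absent key, so a collector that silently stops emitting the field passes this control with all tests green; if that is intended it deserves a comment in the test saying so, otherwise the missing-key case should keep asserting `count(violation) == 1 with input as {}` and only the explicit-null case should expect a skip. Neither new test checks the other direction, that `skip_reason` stays undefined when data is present; adding `not skip_reason with input as {"ip_allow_list": []}` to `test_ip_allowlist_empty` (which starts outside the hunk) or as its own test would catch a regression in the skip condition.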
@@ -45,9 +45,17 @@ risk_templates := [
 
 _sso := object.get(input, "sso", {})
 
-_sso_enabled := object.get(_sso, "enabled", false)
+skip_reason := "SSO configuration data is unavailable (token may lack permissions), cannot evaluate SSO enforcement status" if {
+ input.sso == null
+}
+
+_sso_enabled := object.get(_sso, "enabled", false) if {
+ _sso != null
+}
 
-_sso_enforced := object.get(_sso, "enforced", false)
+_sso_enforced := object.get(_sso, "enforced", false) if {
+ _sso != null
+}
 
 _sso_enabled_and_enforced if {
 _sso_enabled
@@ -55,6 +63,7 @@ _sso_enabled_and_enforced if {
 }
 
 violation[{"id": "sso_not_enabled"}] if {
+ not skip_reason
 not _sso_enabled_and_enforced
 }
 
diff --git a/policies/gh_org_sso_enabled_test.rego b/policies/gh_org_sso_enabled_test.rego
index d515987..243cb9c 100644
--- a/policies/gh_org_sso_enabled_test.rego
+++ b/policies/gh_org_sso_enabled_test.rego
@@ -36,3 +36,12 @@ test_sso_enabled_but_not_enforced if {
 test_sso_missing if {
 count(violation) == 1 with input as {}
 }
+
+test_sso_null_with_skip_reason if {
+ skip_reason == "SSO configuration data is unavailable (token may lack permissions), cannot evaluate SSO enforcement status" with input as {
+ "sso": null
+ }
+ count(violation) == 0 with input as {
+ "sso": null
+ }
+}
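Review bot: The `_sso != null` guard covers `sso: null` but not partially unavailable data such as `{"sso": {"enabled": true, "enforced": null}}`: `object.get` then returns the null stored under the key, `_sso_enforced` is defined as null, and a bare term in a Rego rule body is satisfied by any defined value other than `false`, so `_sso_enabled_and_enforced` (whose body continues outside the hunk) holds and no violation is raised; the same applies to any non-boolean value the collector passes through. Since the commit already rewrites both helper rules, make them strict boolean rules that hold only for `true`; they become undefined rather than `false` when not enabled/enforced, which the bare-term and `not` uses in this file are unaffected by.
```rego
# … unchanged: skip_reason rule …

_sso_enabled if {
	_sso != null
	object.get(_sso, "enabled", false) == true
}

_sso_enforced if {
	_sso != null
	object.get(_sso, "enforced", false) == true
}
```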
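Review bot: Gating the violation on `not skip_reason` leaves an absent `sso` key as a violation (because `_sso` defaults to `{}` and `test_sso_missing` still expects one), while the IP allow-list policy in this same commit treats an absent key as a skip; the two policies now disagree on what a missing field means and nothing in this rule records which is intended. Add a comment above the violation rule making the choice explicit, e.g. `# An absent "sso" key is treated as SSO not configured (fail closed); only an explicit null, presumably emitted when collection fails, defers evaluation via skip_reason.`, and align the IP policy with whichever convention is chosen.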
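Review bot: `test_sso_null_with_skip_reason` only exercises the skip path; nothing asserts that `skip_reason` is undefined for a normal input, and because the violation rule is now gated on `not skip_reason`, a regression that makes `skip_reason` always defined would suppress every SSO finding while every existing test still passes. Add e.g. `not skip_reason with input as {"sso": {"enabled": true, "enforced": false}}` alongside `test_sso_enabled_but_not_enforced` (which starts outside the hunk), and consider a case with `"enforced": null` to pin how partially available data is treated.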