Mitigation
Reducing risk by applying controls — the most common risk response.
Mitigation reduces risk by applying controls and is the most common of the four risk responses. Controls degrade over time — rules go stale, exceptions accumulate, configs drift — so mitigation must be paired with continuous monitoring and periodic validation to stay effective. Defense-in-depth deliberately layers multiple, overlapping mitigations so that no single control failure exposes the asset.