Which approach results in accepting some risk while implementing actions to cap exposure, rather than eliminating it entirely?

Study for the EC-Council Certified Ethical Hacker (CEH) v13 Exam. Utilize flashcards and multiple-choice questions with helpful hints and detailed explanations. Excel in your exam preparation!

Multiple Choice

Which approach results in accepting some risk while implementing actions to cap exposure, rather than eliminating it entirely?

Explanation:
When you want to reduce exposure but can’t or don’t aim to remove risk entirely, you apply risk limitation. This approach puts safeguards in place to lower the chance or impact of a threat to an acceptable level, while accepting that some residual risk will remain. For example, you might segment networks, enforce least privilege, apply patches, and monitor systems to cap potential damage or likelihood, rather than trying to eliminate risk entirely.

This differs from risk acceptance, where you choose not to implement mitigating actions and simply accept the risk. It also differs from risk transference, which shifts the risk to another party (like insurance or outsourcing), and risk avoidance, which eliminates the activity that creates the risk.
