A compensating control provides equivalent protection when the standard control cannot be implemented, e.g., network segmentation when legacy systems can't be patched.
Common in PCI DSS compliance — if you can't meet a requirement directly, document a compensating control that provides equivalent security. Must be equally effective, not just easier.