My colleagues are welcome to jump in here. An end-user certificate is implied to be the assurance. At the that there is perceived to be some risk, that could be mitigated by further assurances, verbal or written, whereby you go to the end-user—the consignee—and say that you want to be certain these won't be diverted, misused or so forth. That would be an additional assurance and therefore a mitigation measure.
On April 27th, 2021. See this statement in context.