With AWS Control Tower you can implement a multi-account scheme, as recommended by best practices, in which you centrally enforce policies (guardrails) while centralizing and protecting AWS CloudTrail logs in a designated logging account.
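As an added illustration (not taken from the original page, and not AWS's own guardrail definition), a service control policy of the kind such a guardrail enforces to protect CloudTrail could look like the following. The bucket name `EXAMPLE-org-cloudtrail-logs` is a constructed placeholder, and exempting the `AWSControlTowerExecution` role is an assumption about which principal manages the trail.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailTampering",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    },
    {
      "Sid": "DenyLogBucketChangesPlaceholderBucket",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteBucketPolicy",
        "s3:PutBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-org-cloudtrail-logs",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
```

Attached at the organization root or an organizational unit, the explicit deny applies to every principal in the member accounts beneath it, including account administrators, which is what keeps the trail and its log bucket out of reach of a compromised workload account.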
The following services are integrated with AWS Organizations (which AWS Control Tower uses) and support delegated administration, so the security team can have visibility into the security and compliance of the whole organization from the security account: