It is recommended that you define policies at the Organization level and enforce them using Service Control Policies. These are IAM policies that limit permissions granted (Guardrails).
SCPs can be applied to the whole organization, to a specific organizational unit or to a specific account:
And SCPs will restrict the effective maximum permission:
Therefore they are ideal to set up Security Invariants (the things that you want to set up and never change, or at least not frequently):
Think about everything that you never want it to happen in your accounts and enforce it through SCPS.
AWS Organizations is a free service, therefore Service Control Policies are free to use.