Security in a single account ends with the intersection of IAM policies and resource policies. However, in organizations with tens to hundreds of accounts, the critical question becomes: "Who, how, and where enforces the upper limit of what each account administrator can do?" AWS Organizations is the governance plane that defines this upper limit, and its central tool is SCP (Service Control Policy). In the security exam, Organizations covers the "ceiling of permissions"; if IAM is about "granting permissions," SCP is about "permission boundary at scale."
AWS Organizations is a tree structure