How do you enforce "what no account in our organization should ever do" across hundreds of accounts? Deploying IAM policies to each account creates gaps every time a new account is added, and root users can't even be controlled via IAM policies. The answer to this problem is AWS Organizations' SCP (Service Control Policy).
SCP is the top layer of the "permission ceiling" we saw in day1 and day2. It applies guardrails to the entire account, including the root user. It's the core of Specialty exam domain 1 (security governance), and you must precisely understand OU design, SCP evaluation, and inheritance rules.
Organizations organizes accounts into a tree structure.