An enterprise organization manages dozens of AWS accounts under a single AWS Organizations hierarchy. The central security team needs to enforce a policy that limits access to specific AWS services or API actions across all accounts. The organization is seeking a scalable and centralized solution that allows them to maintain these restrictions from a single control point without manually configuring each account. What is the most appropriate solution?