The Phoenix Corporation uses AWS Organizations to manage its AWS accounts. The Cloud Infrastructure team needs to ensure that only administrator roles can perform IAM actions, but the team lacks direct access to all accounts. Which solution meets these requirements with the LEAST operational overhead?