We first create an AWS account by providing our email address and other relevant information. This gives us the root user identity, which has access to all of the account's resources. Access keys are associated with this root account.
At the organization level we can set SCPs (Service Control Policies), which do not grant permissions but only restrict them.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
"SCPs alone are not sufficient to granting permissions to the accounts in your organization. No permissions are granted by an SCP. An SCP defines a guardrail, or sets limits, on the actions that the account's administrator can delegate to the IAM users and roles in the affected accounts."
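
The guardrail behaviour described in the quote above, as an added example that is not from the AWS documentation or the original page: a simplified Python model of policy evaluation that matches only on `Effect` and `Action` (it ignores `Resource`, `Condition`, permissions boundaries and the management-account exemption). The function names and sample policies are constructed for illustration.

```python
from fnmatch import fnmatchcase

def decision(policy, action):
    """Return 'Deny', 'Allow' or None for one policy (Action matching only)."""
    effects = set()
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        # Action names are case-insensitive; '*' and '?' act as wildcards.
        if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            effects.add(stmt["Effect"])
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None

def is_allowed(action, scp_levels, identity_policies):
    """scp_levels: SCPs attached at each level (root, OUs, account), in order."""
    scp_results = [[decision(p, action) for p in level] for level in scp_levels]
    iam_results = [decision(p, action) for p in identity_policies]
    # An explicit Deny anywhere wins.
    if "Deny" in iam_results or any("Deny" in lvl for lvl in scp_results):
        return False
    # Guardrail: every level must have an SCP that allows the action.
    if not all("Allow" in lvl for lvl in scp_results):
        return False
    # An SCP Allow grants nothing; an identity policy must still allow it.
    return "Allow" in iam_results

# Constructed sample policies (Resource and Condition omitted for brevity).
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
S3_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:*"}]}
DENY_STOP_LOGGING = {"Statement": [{"Effect": "Deny",
                                    "Action": "cloudtrail:StopLogging"}]}
IAM_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
IAM_S3_READ = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject"}]}

if __name__ == "__main__":
    org = [[FULL_ACCESS], [FULL_ACCESS, DENY_STOP_LOGGING]]
    print(is_allowed("s3:GetObject", org, []))                    # SCP only
    print(is_allowed("s3:GetObject", org, [IAM_S3_READ]))         # SCP + IAM
    print(is_allowed("cloudtrail:StopLogging", org, [IAM_ADMIN])) # SCP deny
    print(is_allowed("ec2:RunInstances", [[FULL_ACCESS], [S3_ONLY]], [IAM_ADMIN]))
```

The first case is the one the quote is about: with only SCPs in place and no identity policy, the request is denied even though the SCP says `Allow`.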