
This is a lot harder to do if you have lots of AWS accounts and create new ones over time on-demand (e.g. AWS account per team).



Use Organizations. If you’re creating new standalone independent accounts for teams you’re just setting yourself up for some kind of billing/security/governance catastrophe down the road.


I was referring to the root accounts in your organization. The blast radius is more limited, but still a root account that has access to everything within that AWS account.


You can restrict what the root account can do in a member account using SCPs as an additional safeguard as well.
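As an added illustration of the SCP approach mentioned above (not posted by any commenter), a service control policy that denies every action to the root user of any member account it is attached to; the statement Sid and the blanket `Action: "*"` are choices made here, not anything from the thread:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootUserActionsInMemberAccounts",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": ["arn:aws:iam::*:root"]
        }
      }
    }
  ]
}
```

SCPs never apply to the management account, so its root user is not constrained by this policy, and root credentials in member accounts still need MFA and monitoring on their own.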



