Below are some best practices for AWS Organizations:
- Always enable multi-factor authentication on the root account.
- Always use a strong, complex password on the root account.
- The paying account should be used for billing purposes only. Do not deploy resources into the paying account.
- Enable or disable AWS services using Service Control Policies (SCPs), attached either to an OU or to individual accounts.
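As an added illustration of the last point (example code written for this note, not AWS's own or the original author's), the block below holds two constructed SCPs, the default allow-all policy and an assumed deny-list policy for a sandbox OU that turns off EC2 and blocks IAM changes made without MFA, and evaluates actions against them the way a member account's SCP boundary would, simplified to Action matching and a single condition key.

```python
import fnmatch

# Constructed sample SCPs for this example (not from the original page).
# FullAWSAccess is the allow-all SCP that AWS Organizations attaches by default;
# the deny list is an assumed policy for a sandbox OU.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

SANDBOX_DENY_LIST = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DisableEC2", "Effect": "Deny", "Action": "ec2:*", "Resource": "*"},
    {"Sid": "DenyIamWithoutMfa", "Effect": "Deny", "Action": "iam:*",
     "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}

# SCPs attached along a member account's path: organization root, then the
# sandbox OU. Every level keeps FullAWSAccess; the OU adds the deny list.
SANDBOX_PATH = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, SANDBOX_DENY_LIST]]


def _matches(stmt, action, mfa_present):
    """True if the statement covers `action` (Resource is treated as '*').
    mfa_present is True, False, or None when the key is absent entirely."""
    actions = stmt["Action"]
    if isinstance(actions, str):
        actions = [actions]
    if not any(fnmatch.fnmatchcase(action, pat) for pat in actions):
        return False
    cond = stmt.get("Condition", {}).get("BoolIfExists", {})
    if "aws:MultiFactorAuthPresent" not in cond:
        return True  # only this one condition key is modelled here
    # BoolIfExists matches when the key is missing or equals the value.
    wanted = cond["aws:MultiFactorAuthPresent"]
    return mfa_present is None or str(mfa_present).lower() == wanted


def scp_allows(path, action, mfa_present=True):
    """Simplified SCP evaluation: each level on the path must contain an Allow
    covering the action, and a matching Deny at any level wins outright."""
    for level in path:
        allowed = False
        for policy in level:
            for stmt in policy["Statement"]:
                if _matches(stmt, action, mfa_present):
                    if stmt["Effect"] == "Deny":
                        return False
                    allowed = True
        if not allowed:
            return False
    return True
```

SCPs never restrict the management (paying) account itself, which is one more reason to keep workloads out of it; the evaluator above models member accounts only.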