The correct answer is D. A service control policy (SCP) in AWS Organizations allows you to manage access to AWS services or actions across multiple accounts within an organization. By applying the SCP at the root organizational unit (OU), you can ensure that the policy is enforced across all accounts in a scalable manner. This approach provides a single point of administration for permissions, making it easier to manage and maintain security policies consistently across the organization. Options A, B, and C do not offer the same level of centralized and scalable management as an SCP.