A company's security team mandates that all external Application Load Balancers (ALBs) and Amazon API Gateway APIs must be associated with AWS WAF web ACLs. The company manages hundreds of AWS accounts within a single AWS Organizations setup and has implemented AWS Config across the organization. During a recent audit, the company identified some external ALBs that lack AWS WAF web ACL associations. What actions should a DevOps engineer implement to ensure compliance with the security requirement for future ALB and API Gateway deployments?