Configure all instances across each account in the OU to integrate with AWS Systems Manager. Utilize a Systems Manager Automation runbook to enforce the prevention of public IP addresses being assigned to these instances.

Implement an AWS Control Tower proactive control to monitor instances within the OU's accounts for public IP addresses. Set the AssociatePublicIpAddress property to False and apply this proactive control to the OU.

Develop a Service Control Policy (SCP) that disallows the initiation of instances with public IP addresses. Additionally, configure the SCP to block the assignment of public IP addresses to any existing instances. Attach this SCP to the OU.

Create a custom AWS Config rule to identify instances with public IP addresses. Set up a remediation action that employs an AWS Lambda function to remove public IP addresses from detected instances.