Establish distinct Organizational Units (OUs) within AWS Organizations for each development unit, mapping these OUs to the company's AWS accounts. Craft individual Service Control Policies (SCPs) with a deny action and a StringNotEquals condition on the DevelopmentUnit resource tag corresponding to each development unit's name, and apply these SCPs to their respective OUs.

Incorporate a DevelopmentUnit attribute as an AWS Security Token Service (AWS STS) session tag during SAML federation. Amend the IAM policy associated with the developers' assumed IAM roles to include a deny action and a StringNotEquals condition on both the DevelopmentUnit resource tag and the aws:PrincipalTag/DevelopmentUnit.

Integrate a DevelopmentUnit attribute as an AWS Security Token Service (AWS STS) session tag during SAML federation. Develop a Service Control Policy (SCP) with an allow action and a StringEquals condition on both the DevelopmentUnit resource tag and the aws:PrincipalTag/DevelopmentUnit, and attach this SCP to the root Organizational Unit (OU).

Designate separate IAM policies for each development unit, each containing an allow action and a StringEquals condition on the DevelopmentUnit resource tag and the development unit's name. During SAML federation, employ AWS Security Token Service (AWS STS) to link the appropriate IAM policy to the assumed IAM role, ensuring it aligns with the development unit's name.