You need to delegate IAM management for Google Cloud projects to individual business units within a large organization. The solution must meet these requirements:

• Each business unit manages IAM roles and permissions for their own projects.
• Each business unit can manage permissions at scale.
• Business units cannot access each other's projects.
• Access is automatically revoked when users move between business units or leave the company.
• User identities and group memberships are managed through an on-premises directory service.

What should you do? (Choose two.)