You should check out the blog post on best practices with OU management. There are suggestions for both sandbox environments and logging: https://aws.amazon.com/blogs/mt/best-practices-for-organizational-units-with-aws-organizations/
Check out centralized CloudTrail for logging and auditing. It's a widely adopted best practice. It helps the management account make sure everything is logged (and doesn't let member accounts turn it off).
For IAM role usage, there are many approaches customers can take. I don't have Terraform examples. StackSets provides easy integration for rollout of IAM roles.
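As an added example that is not part of the answer above: a service control policy that stops principals in member accounts from turning off, deleting or reconfiguring CloudTrail trails, which is the "doesn't let member accounts turn it off" property the answer refers to. It assumes the trail itself is an organization trail owned by the management account (SCPs never apply to the management account, so the trail must live there) and that the exception role name is a placeholder you replace with your own logging-admin role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailTampering",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/PLACEHOLDER-LoggingAdminRole"
        }
      }
    }
  ]
}
```

Create it from the management account with `aws organizations create-policy --type SERVICE_CONTROL_POLICY` and attach it to the sandbox and workload OUs with `aws organizations attach-policy`; a `StopLogging` call from a member account then fails with an explicit deny, which itself shows up in the organization trail.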