One account, org, federated, whatever. You don't need to store the root credentials.

An email per account where only security team has access. Whoever can modify domain can already do this.