This is a really good question and I've seen it done successfully a few ways.

I'll start with the most successful I've personally used: https://twitter.com/landau_charles/status/1353025057753341954
No matter what, if you're using AWS you're going to need a few accounts at minimum.

The first is for learning/experimenting and should have rules to not allow anything to be public (S3, EC2, etc.) and be automatically wiped with something like Cloud Custodian.
The second account is pre-prod. This isn't for validating deployments (CI/CD, tests, etc. give you confidence for safe deploys) but rather for making big changes to infrastructure and experiments.
When it comes to resources inside the account, I'm a big fan of Attribute Based Access Control (ABAC).
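As an added example (not from the thread above), this is one way the "nothing public" rule for the learning/experimenting account could be expressed as an AWS Organizations service control policy attached to that account. It assumes the account-level S3 Block Public Access setting has already been turned on; the SCP then stops anyone in the account from switching it back off, and refuses EC2 launches that request a public IP at launch time. The statement IDs are made up for this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "KeepAccountLevelS3PublicAccessBlockOn",
      "Effect": "Deny",
      "Action": "s3:PutAccountPublicAccessBlock",
      "Resource": "*"
    },
    {
      "Sid": "NoPublicIpAtLaunch",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:network-interface/*",
      "Condition": {
        "Bool": { "ec2:AssociatePublicIpAddress": "true" }
      }
    }
  ]
}
```

An SCP is a guardrail, not a grant: it only narrows what IAM policies in the account can allow, and it applies to every principal there, including the account's own admins, which is exactly what you want for a sandbox. The wipe step is separate tooling (Cloud Custodian in the thread) and is not shown here.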

tl;dr your access to something depends on your role and what tags that resource had

https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html
It gets a little tricky if you need selective deny for people, but using multiple roles and allowing assume role is pretty common.

ABAC can also work with multiple accounts via assume role, and you can enforce roles only being able to create resources with specific tags.
You can follow @rothgar.