Three kinds of controls exist:

preventive

detective

proactive.

Three categories of guidance apply to controls:

mandatory

strongly recommended

or elective.

Control tower create Preventive Guardrails, which disallow API actions using SCPs.

It also created Detective Guardrails ( based on AWS config rules and Lambda to monitor and govern compliance )

Already by just looking at their name, they clearly express the intentions of policies, check more in detail how they work here