Three kinds of controls exist: preventive, detective, and proactive.
Three categories of guidance apply to controls: mandatory, strongly recommended, or elective.
Control Tower creates preventive guardrails, which disallow API actions using SCPs.
It also creates detective guardrails (based on AWS Config rules and Lambda) to monitor and govern compliance.
Their names alone clearly express the intent of these policies; check how they work in more detail here.
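The difference between the two guardrail types described above, as an added example that is not Control Tower's own code: a preventive check rejects the API call when an SCP Deny matches it, while a detective check grades recorded resource state after the change. The SCP, the ARN and the `isLogging` field are constructed for illustration, and the matcher ignores `Condition`, `NotAction` and `NotResource`.

```python
from fnmatch import fnmatchcase

# Constructed SCP for illustration; not a policy that Control Tower ships.
SAMPLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyCloudTrailTampering",
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:Delete*"],
        "Resource": "*",
    }],
}

# Constructed ARN using the AWS documentation sample account ID.
SAMPLE_TRAIL = "arn:aws:cloudtrail:us-east-1:111122223333:trail/example"


def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def scp_denies(scp, action, resource):
    """Preventive: True if an explicit Deny statement matches the API call.

    Simplified model: Condition, NotAction and NotResource are not handled.
    """
    for stmt in _as_list(scp["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        # Action names match case-insensitively; resource ARNs do not.
        action_hit = any(fnmatchcase(action.lower(), p.lower())
                         for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource, p)
                           for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            return True
    return False


def evaluate_trail(config_item):
    """Detective: grade recorded state; the change has already happened.

    'isLogging' is a constructed field name for this example.
    """
    return "COMPLIANT" if config_item.get("isLogging") else "NON_COMPLIANT"
```

The preventive check never lets the denied call run, whereas the detective check can only report `NON_COMPLIANT` once the resource is already in that state.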