An enterprise is designing a multi-account strategy. They want to isolate workloads based on data sensitivity (Public, Internal, Confidential). They also need a centralized networking hub and a dedicated security tooling account. Which AWS Organizations Organizational Unit (OU) structure aligns BEST with AWS Well-Architected multi-account best practices?

Create a foundational Infrastructure OU (containing Network and Security accounts) and a Workloads OU (containing sub-OUs for Public, Internal, and Confidential workloads).

Create OUs based on the company's reporting structure (e.g., HR OU, Finance OU, Engineering OU). Place all network and security accounts in the root of the organization.

Create a single Production OU and a single Non-Production OU. Put all accounts, including network and security, into these two OUs.

Create separate AWS Organizations for Infrastructure, Security, and Workloads. Use AWS Resource Access Manager to share resources between the organizations.