Users with service account access at organization level can impersonate any service account. Instead, they should be given access to particular service accounts as required.
Possible impact: privilege escalation, since the grant allows impersonation of any/all service accounts in the organization.
Suggested resolution: grant access on the individual service accounts that need it rather than at the organization level, and only where required.
The following example will fail the google-iam-no-org-level-service-account-impersonation check.
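The configuration below is an added illustration, not the page's own example: a Terraform `google_organization_iam_member` binding that grants the Service Account User role across the whole organization, which is the pattern the check is intended to flag. The organization id and the member e-mail are placeholder values.

```hcl
# Added example (not from the original page). The binding is scoped to the
# organization, so the member can act as every service account in it; this
# is what google-iam-no-org-level-service-account-impersonation reports.
# "123456789012" and alice@example.com are placeholder values.
resource "google_organization_iam_member" "org_sa_user" {
  org_id = "123456789012"
  role   = "roles/iam.serviceAccountUser"
  member = "user:alice@example.com"
}
```

The same applies to `roles/iam.serviceAccountTokenCreator`, which lets the member mint tokens for any service account in scope; both roles are impersonation grants and belong on individual service accounts, not on the organization.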
The following example will pass the google-iam-no-org-level-service-account-impersonation check.
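The configuration below is an added illustration, not the page's own example: the same user receives the Service Account User role, but through `google_service_account_iam_member` on one named service account, so the grant covers only that identity and the organization-level binding is gone. The account id, display name and member e-mail are placeholder values.

```hcl
# Added example (not from the original page). The role is bound to a single
# service account instead of the organization, so the member can only act as
# this one identity. Names and the e-mail are placeholder values.
resource "google_service_account" "app" {
  account_id   = "app-runner"
  display_name = "Application runtime identity"
}

# service_account_id takes the fully qualified resource name, which the
# google_service_account resource exposes as its "name" attribute.
resource "google_service_account_iam_member" "app_sa_user" {
  service_account_id = google_service_account.app.name
  role               = "roles/iam.serviceAccountUser"
  member             = "user:alice@example.com"
}
```

Scoping the grant this way keeps the blast radius of a compromised user account to the service accounts that user actually needs, and it makes the intended impersonation paths explicit in the IAM policy where they can be reviewed.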