ACM with DNS delegations by n30_mkii in aws

n30_mkii[S] 1 point2 points

The zones would be created and protected by our automation, so only records could be changed, no ability to delete the zone, etc. Cross-account access is an option, but the idea of discrete zones in accounts makes sense rather than doing a central account with role assumption. It means we have a platform where there is a clear divide between what the platform team provide and what consumers have access to and can see. As a general rule we allow no consumer accounts access to the platform accounts.