diff --git a/modules/organization/main.tf b/modules/organization/main.tf
index 1c115f24e..c1d28b9a7 100644
--- a/modules/organization/main.tf
+++ b/modules/organization/main.tf
@@ -85,6 +85,37 @@ resource "google_organization_iam_member" "additive" {
   member = each.value.member
 }
 
+resource "google_organization_iam_policy" "authoritative" {
+  count = var.iam_bindings_authoritative != null || var.iam_audit_config_authoritative != null ? 1 : 0
+  org_id = local.organization_id_numeric
+  policy_data = data.google_iam_policy.authoritative.policy_data
+}
+
+data "google_iam_policy" "authoritative" {
+  dynamic "binding" {
+    for_each = var.iam_bindings_authoritative != null ? var.iam_bindings_authoritative : {}
+    content {
+      role = binding.key
+      members = binding.value
+    }
+  }
+
+  dynamic "audit_config" {
+    for_each = var.iam_audit_config_authoritative != null ? var.iam_audit_config_authoritative : {}
+    content {
+      service = audit_config.key
+      dynamic "audit_log_configs" {
+        for_each = audit_config.value
+        iterator = config
+        content {
+          log_type = config.key
+          exempted_members = config.value
+        }
+      }
+    }
+  }
+}
+
 resource "google_organization_iam_audit_config" "config" {
   for_each = var.iam_audit_config
   org_id = local.organization_id_numeric
diff --git a/modules/organization/outputs.tf b/modules/organization/outputs.tf
index 869f8185a..6f2a1e5ef 100644
--- a/modules/organization/outputs.tf
+++ b/modules/organization/outputs.tf
@@ -22,6 +22,7 @@ output "organization_id" {
     google_organization_iam_binding.authoritative,
     google_organization_iam_custom_role.roles,
     google_organization_iam_member.additive,
+    google_organization_iam_policy.authoritative,
     google_organization_policy.boolean,
     google_organization_policy.list
   ]
diff --git a/modules/organization/variables.tf b/modules/organization/variables.tf
index 976bfeb71..4e168aebc 100644
--- a/modules/organization/variables.tf
+++ b/modules/organization/variables.tf
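Review bot: `google_organization_iam_policy.authoritative` is created whenever either variable is non-null, so setting only `iam_audit_config_authoritative` applies an organization policy whose `binding` list is empty, and an authoritative policy with no bindings removes every role grant on the organization, including that of the principal running the apply. The same resource also overwrites whatever `google_organization_iam_binding.authoritative`, `google_organization_iam_member.additive` and `google_organization_iam_audit_config.config` in this file manage, and nothing in the hunk prevents the inputs driving both sides from being set at once, so successive applies would likely rewrite the policy back and forth. The variable descriptions in variables.tf only say the two authoritative inputs "should" be used together; if that is the intent I would enforce it at the resource, `count = var.iam_bindings_authoritative != null && var.iam_audit_config_authoritative != null ? 1 : 0`, and add above it `# Authoritative: replaces the whole organization IAM policy (bindings and audit configs); do not combine with the iam_binding/iam_member/iam_audit_config resources in this file.` The resources before and after the added block continue outside the hunk.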
@@ -49,6 +49,23 @@ variable "iam_audit_config" {
   # }
 }
 
+variable "iam_bindings_authoritative" {
+  description = "IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution."
+  type = map(list(string))
+  default = null
+}
+
+variable "iam_audit_config_authoritative" {
+  description = "IAM Authoritative service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. Audit config should also be authoritative when using authoritative bindings. Use with caution."
+  type = map(map(list(string)))
+  default = null
+  # default = {
+  #   allServices = {
+  #     DATA_READ = ["user:me@example.org"]
+  #   }
+  # }
+}
+
 variable "organization_id" {
   description = "Organization id in organizations/nnnnnn format."
   type = string
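Review bot: Both new types accept any string as a key, so a mistyped role in `iam_bindings_authoritative` or a mistyped log type in `iam_audit_config_authoritative` is only rejected by the API at apply time, after a plan that clears every unlisted grant has already been approved. If the module's required Terraform version supports variable `validation` blocks (and `alltrue`), a check such as `condition = var.iam_audit_config_authoritative == null || alltrue([for s, c in var.iam_audit_config_authoritative : alltrue([for t, m in c : contains(["ADMIN_READ", "DATA_READ", "DATA_WRITE"], t)])])` would surface log-type typos at plan time. The `iam_audit_config_authoritative` description calls the inner key a "log permission" while the attribute it feeds in main.tf is `log_type`; `map of log type (eg DATA_READ) to exempted members` would match the resource.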