Great article, Greg! I recently also looked into Control Tower and found, as you said, that it can’t inherit existing organizations and is really only useful for a whole new organization.
The other thing I wanted to add is: the network can almost now be separated out into its own core account and then shared across accounts within your organization by utilizing Resource Access Manager. Doing this cut down a huge amount of overhead on a project I work on when it came to provisioning new accounts, as we no longer needed to create new VPCs, peering connections and routes in route tables.