Only account owners can create projects within their account; this cannot be delegated. Permissions to edit existing projects can be delegated.

Also, the billing for those projects/resources can be tied to separate accounts.

What hierarchy of accounts, projects and permissions would you use for a small company? And, when it grows, for a large company?

For example, a small company may have a single organization account managed by the CTO and a separate billing account overseen by the CFO. The CTO would create a project, associate the billing with the CFO's account and invite (delegating permissions) individual developer accounts (or, more practically, Groups) to work on that project.

Unfortunately, the CTO must still access this single "root" account. Correct?

When the organization grows larger, it would likely make sense to apply for an 'Organization Resource', then create separate departmental accounts instead of a single organization user account. These department accounts will be managed by both the heads of departments and the CTO. I haven't looked into practices for larger GCP organizations, so does this sound right? Any suggestions to improve this?