You do not need to create SSO in a different AWS account to restrict or deny permissions to users for different services, especially IAM and SSO itself.