Migrating production amplify/appsync workload to multi-account structure.

I have a production web app created with AWS Amplify/Appsync Cognito working in one account. To improve security I am going to migrate to multi-account. I will use AWS control tower to create the new account structure and will re-create test and staging environments in a new account. That leaves production....

*** I have two ways forward for the production account and was wondering what the community thinks?***

**Option A ** - Create the new account structure then enroll the current production account into the new structure. The benefit being it is already working and ready to go, will just be a case of tightening up the permissions once the account is under the new structure. The risk is that I migrate it into the new structure and our production users cannot access the webapp anymore, and if that occurs how quickly can the account be un-enrolled from control tower?

Option B - Create a whole new replica of production in the new account structure. Migrate dynamodb, cognito, lambdas, S3. Once the new environment is up and running simply switch over to the new-production and retire the old. This allows a quick reversion to the prior state if required. There is a chance something could be missed and it is time and complex to migrate all elements like DynamoDB and Cognito.

What would you do?