The Access Control and SSO settings determine how strictly invites to the Organization space are managed, and if invited users need to be approved by Admins.
If an Organization Account has strict access rules, or a user is invited that does not have a trusted domain, then the Admins of the space will need to approve the invite before it is emailed to the invited person.
Equally, if a new user requests access to the Organization Account and their email isn't one of the trusted domains, this will need to be approved by Admins.
When inviting someone requires Approval
If a non-Admin invites someone to the Organization Account, and their email address domain is not whitelisted, or they are not provisioned in the Organization's SSO solution, all Admins of the Account will be sent an email requesting approval of the invite. Once approved, the invited user will be sent an email to join the Organization.
If an invite is sent by an Admin, the Approval process is not required.
When someone asks for Access to the Organization Account
If someone outside the Organization tries to access a board or workspace, but their email address is not in the trusted domains, the Admins of the Account will all receive an email asking them to approve (or deny) the access request.