diff --git a/.github/workflows/tf_apply_production.yml b/.github/workflows/tf_apply_production.yml
index c8bf4819..3a9329b8 100644
--- a/.github/workflows/tf_apply_production.yml
+++ b/.github/workflows/tf_apply_production.yml
@@ -13,6 +13,7 @@ env:
   TERRAGRUNT_VERSION: 0.38.4
   TF_VAR_api_auth_token: ${{ secrets.PRODUCTION_API_AUTH_TOKEN }}
   TF_VAR_aws_org_id: ${{ secrets.AWS_ORG_ID }}
+  TF_VAR_aws_org_id_old: ${{ secrets.AWS_ORG_ID_OLD }}
   TF_VAR_rds_password: ${{ secrets.PRODUCTION_RDS_PASSWORD }}
   TF_VAR_slack_webhook_url: ${{ secrets.SCAN_FILES_PROD_OPS_WEBHOOK }}
   AWS_REGION: ca-central-1
diff --git a/.github/workflows/tf_apply_staging.yml b/.github/workflows/tf_apply_staging.yml
index 0b4df840..608595e7 100644
--- a/.github/workflows/tf_apply_staging.yml
+++ b/.github/workflows/tf_apply_staging.yml
@@ -14,6 +14,7 @@ env:
   TERRAGRUNT_VERSION: 0.38.4
   TF_VAR_api_auth_token: ${{ secrets.STAGING_API_AUTH_TOKEN }}
   TF_VAR_aws_org_id: ${{ secrets.AWS_ORG_ID }}
+  TF_VAR_aws_org_id_old: ${{ secrets.AWS_ORG_ID_OLD }}
   TF_VAR_rds_password: ${{ secrets.STAGING_RDS_PASSWORD }}
   TF_VAR_slack_webhook_url: ${{ secrets.SCAN_FILES_STAGING_OPS_WEBHOOK }}
   AWS_REGION: ca-central-1
diff --git a/.github/workflows/tf_plan_production.yml b/.github/workflows/tf_plan_production.yml
index 41a39f66..b8aa38f6 100644
--- a/.github/workflows/tf_plan_production.yml
+++ b/.github/workflows/tf_plan_production.yml
@@ -14,6 +14,7 @@ env:
   CONFTEST_VERSION: 0.27.0
   TF_VAR_api_auth_token: ${{ secrets.PRODUCTION_API_AUTH_TOKEN }}
   TF_VAR_aws_org_id: ${{ secrets.AWS_ORG_ID }}
+  TF_VAR_aws_org_id_old: ${{ secrets.AWS_ORG_ID_OLD }}
   TF_VAR_rds_password: ${{ secrets.PRODUCTION_RDS_PASSWORD }}
   TF_VAR_slack_webhook_url: ${{ secrets.SCAN_FILES_PROD_OPS_WEBHOOK }}
 
diff --git a/.github/workflows/tf_plan_staging.yml b/.github/workflows/tf_plan_staging.yml
index f3d188dd..8d6a0507 100644
--- a/.github/workflows/tf_plan_staging.yml
+++ b/.github/workflows/tf_plan_staging.yml
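Review bot: If the `AWS_ORG_ID_OLD` secret is not configured for the repository or environment, `${{ secrets.AWS_ORG_ID_OLD }}` expands to an empty string instead of failing, so `TF_VAR_aws_org_id_old` is exported as `""` and Terraform accepts that as a valid value for a `type = string` variable with no default; the identical additions in tf_apply_staging.yml, tf_plan_production.yml and tf_plan_staging.yml have the same gap. Because this value ends up in an `aws:PrincipalOrgID` condition and in an `aws_lambda_permission` with `principal = "*"`, an empty expansion should stop the run before `apply` rather than produce a weaker policy. A guard step ahead of the Terragrunt steps, `run: test -n "$TF_VAR_aws_org_id_old" || { echo "AWS_ORG_ID_OLD secret is not set" >&2; exit 1; }`, would do this (the jobs and steps are outside the hunk), or equivalently a `validation` block on the variable. A comment on the new key, `# Temporary: drop together with var.aws_org_id_old once all accounts are migrated out of the old org`, would also keep the secret from outliving the migration.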
@@ -15,6 +15,7 @@ env:
   CONFTEST_VERSION: 0.27.0
   TF_VAR_api_auth_token: ${{ secrets.STAGING_API_AUTH_TOKEN }}
   TF_VAR_aws_org_id: ${{ secrets.AWS_ORG_ID }}
+  TF_VAR_aws_org_id_old: ${{ secrets.AWS_ORG_ID_OLD }}
   TF_VAR_rds_password: ${{ secrets.STAGING_RDS_PASSWORD }}
   TF_VAR_slack_webhook_url: ${{ secrets.SCAN_FILES_STAGING_OPS_WEBHOOK }}
 
diff --git a/terragrunt/aws/api/iam.tf b/terragrunt/aws/api/iam.tf
index 6490f112..2b510083 100644
--- a/terragrunt/aws/api/iam.tf
+++ b/terragrunt/aws/api/iam.tf
@@ -152,8 +152,8 @@ data "aws_iam_policy_document" "api_assume_cross_account" {
       "arn:aws:iam::*:role/ScanFilesGetObjects"
     ]
     condition {
-      test = "StringEquals"
-      values = [var.aws_org_id]
+      test = "ForAnyValue:StringEquals"
+      values = [var.aws_org_id, var.aws_org_id_old]
       variable = "aws:PrincipalOrgID"
     }
   }
diff --git a/terragrunt/aws/s3_scan_object/lambda.tf b/terragrunt/aws/s3_scan_object/lambda.tf
index 3b4c7c51..405be6f4 100644
--- a/terragrunt/aws/s3_scan_object/lambda.tf
+++ b/terragrunt/aws/s3_scan_object/lambda.tf
@@ -48,8 +48,8 @@ data "aws_iam_policy_document" "assume_cross_account" {
       "arn:aws:iam::*:role/ScanFilesGetObjects"
     ]
     condition {
-      test = "StringEquals"
-      values = [var.aws_org_id]
+      test = "ForAnyValue:StringEquals"
+      values = [var.aws_org_id, var.aws_org_id_old]
       variable = "aws:PrincipalOrgID"
     }
   }
@@ -62,3 +62,11 @@ resource "aws_lambda_permission" "s3_scan_object_org_account_execute" {
   principal = "*"
   principal_org_id = var.aws_org_id
 }
+
+resource "aws_lambda_permission" "s3_scan_object_old_org_account_execute" {
+  statement_id = "AllowExecutionFromOldOrgAccounts"
+  action = "lambda:InvokeFunction"
+  function_name = module.s3_scan_object.function_name
+  principal = "*"
+  principal_org_id = var.aws_org_id_old
+}
diff --git a/terragrunt/env/common/common_variables.tf b/terragrunt/env/common/common_variables.tf
index 027362ab..2a7fb001 100644
--- a/terragrunt/env/common/common_variables.tf
+++ b/terragrunt/env/common/common_variables.tf
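Review bot: `ForAnyValue:StringEquals` on `aws:PrincipalOrgID` applies a set operator to a single-valued condition key; for single-valued keys a plain `StringEquals` with several `values` already evaluates as a logical OR, so `test = "StringEquals"` with `values = [var.aws_org_id, var.aws_org_id_old]` expresses the intent without the prefix, which AWS documents for multivalued keys and which policy validators may flag. The same change appears in terragrunt/aws/s3_scan_object/lambda.tf at `@@ -48,8 +48,8 @@`. Separately, if `var.aws_org_id_old` is ever empty the list contains `""`; I would expect IAM to reject that at apply time, which fails in the safe direction, but a `validation` block on the variable makes that failure explicit and earlier. The enclosing `aws_iam_policy_document` block starts outside the hunk.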
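Review bot: The new `s3_scan_object_old_org_account_execute` permission uses `principal = "*"` and relies solely on `principal_org_id = var.aws_org_id_old` to limit who may invoke the function, yet nothing in this file records that it is a migration-period grant; only the variable description in common_variables.tf says so. A comment above the resource, `# Temporary: allows invocation from the old organisation during account migration; remove together with var.aws_org_id_old once migration completes.`, keeps the removal visible where the grant lives. If the provider treats an empty string as an unset `principal_org_id` (worth confirming against the provider's schema), an empty `aws_org_id_old` would leave `principal = "*"` as the only scoping on this permission, so the variable should be validated as a well-formed organisation ID before it reaches this resource.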
@@ -9,6 +9,12 @@ variable "aws_org_id" {
   sensitive = true
 }
 
+variable "aws_org_id_old" {
+  description = "(Required) The old AWS org account ID. Used to limit which roles the API can assume and will be removed once all accounts are migrated."
+  type = string
+  sensitive = true
+}
+
 variable "cbs_satellite_bucket_name" {
   description = "(Required) Name of the Cloud Based Sensor S3 satellite bucket"
   type = string
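Review bot: `aws_org_id_old` is labelled `(Required)` in its description but nothing enforces that it is non-empty or well-formed; the CI workflows feed it from a secret through `TF_VAR_aws_org_id_old`, and a missing secret yields `""`, which satisfies `type = string` without a default. Since the value scopes `aws:PrincipalOrgID` trust and a `principal = "*"` Lambda permission, a `validation` block that rejects anything other than an organisation ID fails at `plan` instead of producing a weaker policy. The same validation arguably belongs on `aws_org_id`, whose declaration starts above the hunk.
```hcl
variable "aws_org_id_old" {
  # … unchanged: description, type, sensitive …

  validation {
    condition     = can(regex("^o-[a-z0-9]{10,32}$", var.aws_org_id_old))
    error_message = "aws_org_id_old must be an AWS Organizations ID (o-...)."
  }
}
```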