diff --git a/infra/gcp/ensure-organization.sh b/infra/gcp/ensure-organization.sh
index f613b11e2ff..2f628ce3dd6 100755
--- a/infra/gcp/ensure-organization.sh
+++ b/infra/gcp/ensure-organization.sh
@@ -82,7 +82,25 @@ color 6 "Ensuring org-level IAM bindings exist"
 exit 0
 # k8s-infra-org-admins@
- # TODO: there are more granular roles also bound, they seem redundant given
- # this role
+ # roles/owner has too many permissions to aggregate into a custom role,
+ # and some services (e.g. storage) add bindings based on membership in it
 ensure_org_role_binding "group:k8s-infra-gcp-org-admins@kubernetes.io" "roles/owner"
+ # everything org admins need beyond roles/owner to manage the org
+ ensure_org_role_binding "group:k8s-infra-gcp-org-admins@kubernetes.io" "$(custom_org_role_name "organization.admin")"
+ # TODO(https://github.com/kubernetes/k8s.io/issues/1659): obviated by organization.admin, remove when bindings gone
+ old_org_admin_roles=(
+ roles/billing.user
+ roles/iam.organizationRoleAdmin
+ roles/resourcemanager.organizationAdmin
+ roles/resourcemanager.projectCreator
+ roles/resourcemanager.projectDeleter
+ roles/servicemanagement.quotaAdmin
+ )
+ for role in "${old_audit_roles[@]}"; do
+ # TODO(spiffxp): remove the extra super duper paranoia once we verify
+ # I haven't locked myself out via group membership
+ ensure_org_role_binding "user:thockin@google.com" "${role}"
+ ensure_org_role_binding "user:davanum@gmail.com" "${role}"
+ ensure_removed_org_role_binding "group:k8s-infra-gcp-org-admins@kubernetes.io" "${role}"
+ done
 ) 2>&1 | indent
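Review bot: The new loop iterates `"${old_audit_roles[@]}"`, but the array declared immediately above it is named `old_org_admin_roles`, so the loop body never runs (or the script aborts with an unbound-variable error if `set -u` is enabled higher up, which is not visible in this hunk). In the non-aborting case the legacy role bindings are never removed from the org-admins group and the interim per-user bindings for thockin@ and davanum@ are never added, so the migration this commit describes is a silent no-op while the group keeps `roles/owner` plus all six legacy org-level roles. The fix is the one line `for role in "${old_org_admin_roles[@]}"; do`. It would also be worth stating in the TODO(spiffxp) comment that these are individual-user org-level bindings outside the group-based access model and must be removed, not just "once verified" but before the issue is closed. The enclosing `( … ) 2>&1 | indent` subshell begins outside the hunk.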