And notably doesn't answer the GPs question how to verify the organization is honest, just how they protect the organization against user fraud.

Fair - I misread. It does seem that you'd need some kind of classic processes and/or auditing to de-risk a scenario where a bad actor who has access to the necessary keys prints themselves money. Maybe there is a way to also analyze the chain state for anomaly detection.