Step 1 - Create a separate project - and store all hardened images in it.

Step 2 - Enforce the Org Policy - Define trusted image project.

This will ensure that ALL projects ONL Y use images from a pre-defined trusted image project.