You’re right - whether you use a Personal Access Token or you use OAuth to access your Asana data, you’ll only have access to that data which is accessible to the user who authenticates.
If you have an Enterprise-level subscription, you can use a Service Account token in place of the Personal Access Token and you’re all set.
Otherwise, you’ll need to make sure that the user whose Personal Access Token you use (or the user who you authenticate via OAuth) has access to the Asana data you need to access. You could do this using one of your real user accounts if you have a management-level user for whom it would be appropriate to give them access to all of your organization’s data; or you could create your own pseudo-Service Account by creating a new Asana user account that has the needed total access and is used only for API-access purposes. Of course if you do this latter option, you’ll be taking up a user slot for that pseudo-user which might cost you $$ if you’re on a paid plan, and also the pseudo-user will show in the Asana UI.
Let me know if any of the above isn’t clear or you have additional questions!