I would go with the "last authentication (up to three cross-device data sources) + device profile".
When selecting the cross-device data sources, be sure to select the data source where your CRM IDs are onboarded.
By using last auth, this will target authenticated profiles both in real time and in a batch process every night. The device profile will target all the non-authenticated AAM UUIDs that were seen when visiting your sites.
Something to also note is that a CRM ID needs at least one ID sync with an AAM UUID (demdex cookie) before it can be segmented. If you are only onboarding CRM IDs without any UUID synced to them, those CRM IDs will not be picked up for segmentation.