For bog's sake. It's easy (although costly).
Zone your network using firewalls. Wireless access appears in one zone, which does NOT have any critical servers in it. Employ a capable network engineer or two, and let them achieve a working relationship to the security people.
Control the keys using the strongest authentication all your official devices can use, preferably based on something like RADIUS. Change any PSK keys that you have to have regularly, and only circulate these changed keys to people with registered devices.
Query all devices using a device checker probe (something as simple as nmap or wireshark should be able to get most devices) and track down any unauthorized devices. Scan for unauthorized wireless networks in the vicinity, and attempt to identify whether it is the coffee shop downstairs, or a rogue access-point in the building (I'm serious, it happened somewhere I worked!). Make sure that all laptops physically attached to the wired network have wireless services turned off (including 3G 'dongles' and Bluetooth). Run regular security scans on laptops to check that this is the case.
Put simple services (like printing and possibly mail access) within the DMZ. Allow devices on the DMZ controlled access to the Internet and then back in to your corporate gateways exactly the same as if they were coming in from the Internet. Knock specific holes controlled by the strongest access control you have in the inward looking firewall for any apps that absolutely have to be accessed from mobile devices. Argue the case for blocking every single one, until you have been convinced that it is necessary and appropriate controls are in place.
Review these holes regularly, and have strong procedures to track leavers and joiners. Ban, with the strongest penalties, sharing of IDs and revealing PSKs to non-authorized users. Lock services to specific IDs using strong authentication, preferably using one-shot password devices.
Be prepared to use VPN for any really critical services, especially those containing private or critical data. Select your approved devices carefully, to make sure that they meet all the security requirements. If there are vulnerabilities known on your mobile device of choice, make sure you have appropriate AV software deployed and updated.
If you are paranoid, consider using glass coatings on the windows to control the leakage of the WiFi signal out of the building, but if you are that worried, you should probably not use wireless services at all. Work out how far your wireless networks spread outside of your controlled space, using normal devices and focused antenna as well. Show the controlling managers this, and demonstrate it as well.
And above all, if you value your business, JUST DON'T USE WIRELESS SERVICES. This should include wireless keyboards, and any future wireless USB technology. If the MD objects, put a reasoned argument that the very business itself is at risk if the network is compromised. And if you are over-ruled, either be prepared to give in, lodging an "I Told You So" letter somewhere in the business, or to resign on principle.
It is clear that the "Block everything, then allow only what's essential" principle operates here.
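Added example, not part of the original comment: one way to turn the "query all devices and track down any unauthorized ones" step into a repeatable check, by comparing the hosts in an nmap ping-scan XML report (`nmap -sn -oX`) against a register of approved devices. The sample report, the addresses and the `REGISTERED` inventory are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sn -oX -` output for a wireless zone (not real data).
SAMPLE_XML = """<nmaprun>
  <host><status state="up"/>
    <address addr="10.20.0.11" addrtype="ipv4"/>
    <address addr="00:11:22:AA:BB:01" addrtype="mac" vendor="ExampleCo"/></host>
  <host><status state="up"/>
    <address addr="10.20.0.57" addrtype="ipv4"/>
    <address addr="00:11:22:aa:bb:99" addrtype="mac"/></host>
  <host><status state="up"/>
    <address addr="10.20.0.80" addrtype="ipv4"/></host>
  <host><status state="down"/>
    <address addr="10.20.0.90" addrtype="ipv4"/></host>
</nmaprun>"""

# Hypothetical register of approved devices, keyed by MAC address.
REGISTERED = {"00:11:22:aa:bb:01": "laptop-0042"}


def audit(xml_text, registered):
    """Return (unauthorized, unverifiable) lists of (ip, mac) for hosts that are up."""
    known = {mac.lower() for mac in registered}
    unauthorized, unverifiable = [], []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        ip = addrs.get("ipv4") or addrs.get("ipv6")
        mac = (addrs.get("mac") or "").lower()
        if not mac:
            # nmap only sees MACs on the local segment; do not treat as approved.
            unverifiable.append((ip, None))
        elif mac not in known:
            unauthorized.append((ip, mac))
    return unauthorized, unverifiable


if __name__ == "__main__":
    bad, unknown = audit(SAMPLE_XML, REGISTERED)
    for ip, mac in bad:
        print(f"UNREGISTERED {ip} {mac}")
    for ip, _ in unknown:
        print(f"NO MAC SEEN  {ip} (scan from inside the zone to verify)")
```

A MAC address can be changed by whoever controls the device, so a clean result here shows only that no device is announcing an unregistered address; it complements the strong authentication described above and does not replace it.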