Re: You're Doing Corporate WiFi Wrong
Any sane company has at least two wifi systems: one for users' own phones / visitors / IoT crap / etc, and a second (or more) that is more locked down and only for approved corporate devices that need to access internal systems.
Most corporates would use controller-based WAP solutions from companies like Cisco, Aruba etc that support multiple SSID and security deployments with AP groups and have a profiling tool that can send a RADIUS CoA to the controller when a rogue device is detected. Even SMBs have products that are affordable while being able to support different security requirements. Ubiquiti UniFi, Fortinet or DrayTek WAPs with their own firewall products give a controller-like experience as well as being able to firewall traffic.
Have an SSID for your corporate devices using EAP-TLS for security. Mobile devices should be provisioned by an MDM so they get the correct certificates to use. If you can't afford an MDM or don't have the staff to deploy an internal CA infrastructure then use a PEAP secured SSID and firewall it. Mobile devices could be firewalled off and on a separate SSID depending on your use case.
Another SSID for guest access that is on a separate VLAN & firewalled off with P2P disabled. Use a PSK or Captive Portal for security. I prefer Captive Portal so you can see who's connected to the guest WiFi. Any IoT crap gets its own SSID, VLAN and firewalled off & P2P disabled again. If you have to use a PSK with these devices, only IT & application support get to know the PSK and you'd restrict the devices' access to the bare minimum for them to work on the firewall so you don't get any freeloaders on this SSID.
Security is hard and you need to spend some money but a competent network admin should be able to deploy a reasonably secure WiFi solution no problem at all.
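Added example, not from the thread or any of its posters: a small Python audit of an SSID/VLAN layout against the segmentation rules the post above lays out (EAP-TLS or firewalled PEAP for corporate, own VLAN plus firewalling and P2P blocking for guest and IoT). The `Wlan` fields, role names and sample layout are assumptions constructed for the example, not any vendor's config schema.

```python
from dataclasses import dataclass

@dataclass
class Wlan:
    ssid: str
    role: str               # "corporate", "guest" or "iot" (assumed labels)
    auth: str               # "eap-tls", "peap", "psk" or "portal"
    vlan: int
    client_isolation: bool  # P2P / client-to-client traffic blocked on the SSID
    firewalled: bool        # VLAN egress restricted to what the devices need

def audit_wlans(wlans):
    """Return (ssid, finding) tuples for every rule the layout breaks."""
    findings = []
    vlan_owner = {}
    for w in wlans:
        # Each SSID sits on its own VLAN; a shared VLAN defeats the segmentation.
        if w.vlan in vlan_owner:
            findings.append((w.ssid, f"shares VLAN {w.vlan} with {vlan_owner[w.vlan]}"))
        vlan_owner.setdefault(w.vlan, w.ssid)
        if w.role == "corporate":
            # Corporate devices authenticate with certificates (EAP-TLS);
            # PEAP is the fallback, and then the SSID must be firewalled.
            if w.auth == "peap" and not w.firewalled:
                findings.append((w.ssid, "PEAP corporate SSID is not firewalled"))
            elif w.auth not in ("eap-tls", "peap"):
                findings.append((w.ssid, f"corporate SSID uses {w.auth}, not EAP-TLS"))
        else:
            # Guest and IoT SSIDs: firewalled off, with client isolation on.
            if not w.client_isolation:
                findings.append((w.ssid, "client isolation (P2P blocking) disabled"))
            if not w.firewalled:
                findings.append((w.ssid, "VLAN is not firewalled off"))
    return findings

# Constructed sample layout: the IoT SSID is misconfigured on purpose
# (shares the corporate VLAN and allows client-to-client traffic).
SAMPLE = [
    Wlan("corp",  "corporate", "eap-tls", 10, False, True),
    Wlan("guest", "guest",     "portal",  20, True,  True),
    Wlan("iot",   "iot",       "psk",     10, False, True),
]

if __name__ == "__main__":
    for ssid, finding in audit_wlans(SAMPLE):
        print(f"{ssid}: {finding}")
```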
Probably more a case of the line manager insisting on you doing WiFi security right (from the point of view of his convenience).
IT staff shouldn't report to a line manager for security related items. If the manager has a problem they can take it up with who's responsible for IT security or my boss. As IT staff I'll happily work with the line manager to be able to accommodate his requirements but only in a secure fashion and I'll be completely up front about it. If it's a rush I'll do my best to help them out as quickly as I can but if I need extra hardware then he's going to have to wait. If my boss tells me to cut corners for a deployment, I'll do it but then my boss most likely wouldn't ask anyway because at the end of the day it'll be his name on an incident report if something happens and that's the last thing he wants.