Someone is making your IT team do extra work without a good understanding of their systems if they're banning tailscale or granting special network level access thinking that ip or mac address based profiling is secure.

Your network should be zero trust. That means you want to treat every host that connects as if it's on the public internet; the corollary to that is you should give your hosts access to the public internet, unrestricted, and treat your users like adults who don't need micromanaging or constant surveillance (do sane logging, ofc.)

If you need a host that's subject to continuous surveillance, design it as such and require remote access with MFA, and so on.

Give your end users as much freedom as possible, and only constrict it where necessary, or you're going to incentivize shadow IT, unintended consequences, and a whole lot of unnecessary make-work that doesn't contribute to security.

Unrestricted access forces change management, design choices, and policy to confront each user and device for the attack vector they are, and to behave accordingly.

And then a few of those users who you treated like adults who don't need surveillance make a private network among themselves and other nodes in Russia and China to exfiltrate the corporation's most sensitive intellectual property, serve as a bridge for state-sponsored bad actors to bypass your firewall, and tunnel command-and-control traffic through your "unrestricted" egress, and now your zero-trust philosophy has created a zero-accountability blind spot that your IR team discovers eighteen months later during a breach investigation.