Deprecate complex physical network (wired and wifi) security schemes
People used to believe that security happened at the physical network layer: stop someone from getting into your office, so they can't plug into the ethernet, so they can't hack your internal servers.
Then wifi happened, and now your network signal leaks outside your walls. WPA2-Personal (with only one password shared by everyone) isn't good enough for corporate networks, so then you have to deploy a certificate authority, RADIUS, and WPA2-Enterprise, a complex set of machinery that's hard to integrate with typical corporate identity systems and works differently with every brand of user device or wifi router.
Instead, let Tailscale move your devices off the "corporate" network and into the virtual world. Without a policy-compliant, encrypted, multi-factor authenticated Tailscale connection, nobody can reach your servers even from your office wifi network, which means your office wifi network is no longer a risk.