How important is NAT as a security layer?

NAT and firewalling are completely orthogonal concepts that have nothing to do with each other. Because some NAT implementations accidentally provide some firewalling, there is a persistent myth that NAT provides security. It provides no security whatsoever. None. Zero.

For example, a perfectly reasonable NAT implementation might, if it only had one client, forward all inbound TCP and UDP packets to that one client. The net effect would be precisely the same as if the client had the outside address of the NAT device.

Don't think that because most NAT devices have some firewalling built in by design or do some by accident that this means NAT itself provides any security. It is the firewalling that provides the security, not the NAT. The purpose of NAT is to make things work.

You must not assume a machine is not outside accessible just because it's behind a NAT device. It's not outside accessible if some device is specifically configured not to permit it to be accessed from the outside, whether that device does NAT or not.

Every machine having an outside address but with a stateful firewall that's properly configured, managed, and monitored is vastly superior to a cheap SoHo NAT box.

Many actual SoHo NAT boxes forward traffic to inside hosts despite no inside host having ever sent traffic to the source of the forwarded traffic. Permissive NAT does really exist.


Having just spent 7 years at a University with a /16 netblock, and having put everything on that netblock that wasn't specifically prohibited from being on it (PCI-DSS used to require this, until they fixed it), I have some experience with networks of this nature.

NAT is not required. All NAT does is make it a bit harder to reconnoiter a network, and forces an entity into a more-secure-by-default posture. That said, it is perfectly possible to build a secure network on public IP addresses. There were a couple of subnets that we had that were technically routable, but nothing outside the perimeter firewall could get there.

Now for your other points:

Request the IT dept. block all incoming traffic to each wan accessible IP on whatever existing firewalls they have in place

This should be done by default. In my old University, the Student Computer Lab stations had no need to be addressable from the Internet and they weren't. The same went for the subnets that held the Student Health Center data. If a machine needed to be externally visible for some reason, there was an electronic document that had to be passed around and signed before it could be granted; even for servers in the centralized IT stack.

Keep the department's LAN completely isolated from the internet. Users must share dedicated machines for accessing email, internet, and the time tracking system.

You don't have to go this far. The reason to go this far is if your fear of malware-related information-exposure is higher than the need for connectivity to network-based resources. Things are increasingly cloud/network based these days, so such air-gapped networks are getting harder and harder to maintain. If you truly do need to go to this extent, you may want to look into some of the Application Virtualization options out there, as that can limit the exposure of breaches should they occur.


As others have pointed out, NAT is not a security feature. However, it does offer some level of security as a byproduct: a side-effect of NAT is that none of the inner machines are accessible "from the outside". The same effect can be achieved by a firewall which blocks all incoming connections. This is not fine-grained, but rather effective in practice, and if NAT did not come with that "automatic" protection, a lot more existing networks would be attacked and zombified into spam relays (that's the scary point about IPv6, by the way: IPv6, when [if] widely deployed, will have a tendency of nullifying the protection effect of NAT, and one can expect an average increase of attack success).

Now having a well-configured firewall assumes that whoever configures the firewall does his job correctly, and, unfortunately, that's not a given (I do not want to presume on the abilities of your specific IT department, but the average quality of the work of IT departments around the World, especially in large organizations, is less than thrilling). The alternative is to ensure that every single machine which is publicly accessible resists all kinds of attacks related to incoming connections: close all unneeded services, make sure that the services which remain open are properly up-to-date and well configured. Fancy applying security updates on every single workstation? And on the firmware of network-able printers?

My advice would be to install your own filter box, through which all communications between your network and the outside world will go. That box should then filter out incoming connections; NAT and/or firewall, that's your call. NAT may be easier, especially if the IT department is "uncooperative".
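The first answer describes a NAT box that hands every unsolicited inbound packet to its single inside client, and this answer describes a filter box that drops incoming connections whether or not it also translates addresses. The following Python simulation, added here and not taken from the page or any of its answers, runs the same constructed packets through three boxes: a permissive NAT, a NAT that forwards inbound packets only when they match a translation entry created by outbound traffic (the "accidental" protection most SoHo routers provide), and a stateful firewall in front of a host with a public address. All addresses (from the RFC 5737 documentation ranges), ports, and class names are assumptions made for the example; real masquerading may also rewrite source ports, which is omitted here.

```python
"""Stateful filtering vs. address translation: which one stops unsolicited inbound traffic."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str   # "out" = sent by the inside host, "in" = arriving from the Internet


# Constructed addresses (RFC 5737 documentation ranges), not real hosts.
NAT_PUBLIC_IP = "203.0.113.10"    # outside address of the NAT box
INSIDE_IP = "192.168.1.20"        # the NAT box's only inside client
HOST_PUBLIC_IP = "203.0.113.20"   # a host with its own public address behind a firewall


class PermissiveNat:
    """Rewrites addresses and forwards every inbound packet to the single inside client."""

    def __init__(self):
        self.delivered = []

    def handle(self, pkt):
        if pkt.direction == "out":
            return Packet(pkt.proto, NAT_PUBLIC_IP, pkt.src_port, pkt.dst_ip, pkt.dst_port, "out")
        # No check whether anyone inside asked for this flow: it is forwarded regardless.
        forwarded = Packet(pkt.proto, pkt.src_ip, pkt.src_port, INSIDE_IP, pkt.dst_port, "in")
        self.delivered.append(forwarded)
        return forwarded


class ConntrackNat:
    """Typical masquerade: inbound packets are forwarded only if they match a translation
    entry created by earlier outbound traffic. The table lookup, not the address
    rewriting, is what drops the probes."""

    def __init__(self):
        self.table = {}      # (proto, public_port, remote_ip, remote_port) -> inside address
        self.delivered = []
        self.dropped = []

    def handle(self, pkt):
        if pkt.direction == "out":
            self.table[(pkt.proto, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = pkt.src_ip
            return Packet(pkt.proto, NAT_PUBLIC_IP, pkt.src_port, pkt.dst_ip, pkt.dst_port, "out")
        inside = self.table.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            self.dropped.append(pkt)
            return None
        forwarded = Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside, pkt.dst_port, "in")
        self.delivered.append(forwarded)
        return forwarded


class StatefulFirewall:
    """No translation at all: inbound passes only when it belongs to a flow the inside
    host initiated. Same protective effect as ConntrackNat, with public addresses."""

    def __init__(self):
        self.state = set()   # 5-tuples as seen from the inside host
        self.delivered = []
        self.dropped = []

    def handle(self, pkt):
        if pkt.direction == "out":
            self.state.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return pkt
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.state:
            self.delivered.append(pkt)
            return pkt
        self.dropped.append(pkt)
        return None


def run_scenario(box, visible_ip, inside_ip):
    """Inside host opens one HTTPS flow; then one reply and two unsolicited probes arrive.
    Returns the destination ports of the inbound packets the box let through."""
    box.handle(Packet("tcp", inside_ip, 40000, "198.51.100.5", 443, "out"))
    inbound = [
        Packet("tcp", "198.51.100.5", 443, visible_ip, 40000, "in"),   # reply to our flow
        Packet("tcp", "192.0.2.77", 55555, visible_ip, 22, "in"),      # unsolicited probe
        Packet("udp", "192.0.2.77", 55556, visible_ip, 161, "in"),     # unsolicited probe
    ]
    passed = [box.handle(p) for p in inbound]
    return [p.dst_port for p in passed if p is not None]


def permissive_nat_delivers():
    return run_scenario(PermissiveNat(), NAT_PUBLIC_IP, INSIDE_IP)


def conntrack_nat_delivers():
    return run_scenario(ConntrackNat(), NAT_PUBLIC_IP, INSIDE_IP)


def stateful_firewall_delivers():
    return run_scenario(StatefulFirewall(), HOST_PUBLIC_IP, HOST_PUBLIC_IP)


if __name__ == "__main__":
    print("permissive NAT delivered ports :", permissive_nat_delivers())
    print("conntrack NAT delivered ports  :", conntrack_nat_delivers())
    print("stateful firewall delivered    :", stateful_firewall_delivers())
```

The permissive NAT delivers all three inbound packets to the inside client, including the two probes; the conntrack NAT and the stateful firewall each deliver only the reply to the flow the host opened. The two protective boxes differ in whether they rewrite addresses, yet behave identically on the probes, which is the point both answers make: the state check is the security control, and translation is incidental to it.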
