Monday, February 18, 2019

Network segmentation

So I have recently moved into a more networking-focused role and I’ve inherited an insecure system, to say the least.

4 locations with 6 subnets; servers, users and everything else all lumped together in each subnet, with the AT&T network-based firewall doing routing and MPLS between each site.

I want to bring control into our own hands and out of AT&T’s. We’ve made some good first steps and have purchased FortiGate firewalls for all 4 of our locations and have begun implementation.

My biggest questions are about how much segmentation I should be looking at doing: separate VLANs for servers, users, IoT devices, printers and scanners, and security cameras. Does anyone have any suggestions on any other segmentation or device groups that should be separate?

Also, any security resources out there that you guys could suggest for a group of IT guys who are just good enough to be dangerous but hungry to learn?


