Firstly, I have to say your security manager is wrong. This is a myth.
There is nothing specific in AJAX. It is just a request performed by your browser. It is just a general HTTP request and should be secured as any other HTTP request, regardless of its XHR nature.
If you maintain proper authentication and authorization on your WCF service, you won't have any security issues by using Ajax calls.
The future of the dev world is Ajax. As an example, I can mention SPA enterprise app development. Those apps are developed solely by using Ajax (or JavaScript). Check this link for more info:
Building Large Scale Apps with Angular and Breeze
Note: The JSON data must be sent over POST, not GET, which would make it difficult to include the URL in a <script> tag.
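
An added example, not part of the answer above and not code from the asker's service: a WCF REST operation that is POST-only, demands an authenticated caller in a role, and returns only that caller's data, with no special handling for XHR. The names IOrderService, OrderService, OrderDto and the role "OrderReaders" are hypothetical, and the sketch assumes the host's authentication is configured so that Thread.CurrentPrincipal represents the authenticated caller.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Runtime.Serialization;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Web;
using System.Threading;

[DataContract]
public class OrderDto                      // hypothetical DTO
{
    [DataMember] public int Id { get; set; }
    [DataMember] public string Owner { get; set; }
    [DataMember] public decimal Total { get; set; }
}

[ServiceContract]
public interface IOrderService             // hypothetical contract name
{
    // WebInvoke with Method = "POST": the operation is not mapped to GET,
    // so its URL cannot be pulled in through a <script> tag. The rule is the
    // same for every HTTP client; nothing here inspects whether the call is XHR.
    [OperationContract]
    [WebInvoke(Method = "POST", UriTemplate = "orders/mine",
               RequestFormat = WebMessageFormat.Json,
               ResponseFormat = WebMessageFormat.Json)]
    List<OrderDto> GetMyOrders();
}

public class OrderService : IOrderService
{
    // Constructed sample data standing in for a real data store.
    private static readonly List<OrderDto> Orders = new List<OrderDto>
    {
        new OrderDto { Id = 1, Owner = "alice", Total = 20.5m },
        new OrderDto { Id = 2, Owner = "bob",   Total = 99.0m },
    };

    // Authentication and role check: the demand fails with a SecurityException
    // before the method body runs if the caller is anonymous or not in the role.
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true, Role = "OrderReaders")]
    public List<OrderDto> GetMyOrders()
    {
        // Authorization on the data itself: only rows owned by the caller.
        string caller = Thread.CurrentPrincipal.Identity.Name;
        return Orders.Where(o => o.Owner == caller).ToList();
    }
}
```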