by markmaglana 1686 days ago
It doesn't address the Trust On First Use (TOFU) issue.
3 comments

An SSH Certificate Authority signing host keys handles that, but requires additional setup.
A quick and dirty way to do this is by syncing the known hosts file between all your clients. Make it writable by only the IT staff in charge of provisioning new systems and have them add the pubkeys during provisioning.
Add SSHFP records to your DNS entries, and use DNSSEC or, if you can't, DoH (DNS over HTTPS).
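As an added example (not from any commenter and not OpenSSH's own code), the SSHFP check the last comment relies on, in Python: it derives the record RDATA that `ssh-keygen -r` emits from a host public key line and verifies a presented key against a list of records, which is the comparison OpenSSH's `VerifyHostKeyDNS` option performs. The sample key is constructed, and the records handed to `host_key_in_dns` are assumed to have been DNSSEC-validated by the resolver.

```python
import base64
import hashlib
import hmac

# SSHFP algorithm and fingerprint-type numbers from RFC 4255, 6594, 7479 and 8709.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4, "ssh-ed448": 6,
}
SSHFP_FP_TYPES = {1: "sha1", 2: "sha256"}


def _ssh_string(data):
    return len(data).to_bytes(4, "big") + data  # SSH wire string: length prefix + bytes

# Constructed sample key (32 counter bytes, not a real host key) in the
# "type base64 comment" layout of ssh_host_*_key.pub.
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode() + " constructed-example"


def parse_pubkey_line(line):
    """Return (key type, raw key blob) from a public key line, rejecting inconsistent ones."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    keytype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob itself begins with the key type; it must agree with the text column.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type field does not match key blob")
    return keytype, blob


def sshfp_rdata(line, fp_type=2):
    """RDATA ('alg fptype hex') of the SSHFP record for this key, as ssh-keygen -r prints it."""
    keytype, blob = parse_pubkey_line(line)
    digest = hashlib.new(SSHFP_FP_TYPES[fp_type], blob).hexdigest()
    return f"{SSHFP_ALGORITHMS[keytype]} {fp_type} {digest}"


def matches_sshfp(line, rdata):
    """True if the presented key matches one SSHFP RDATA string; compares in constant time."""
    alg, fp_type, fingerprint = rdata.split()
    keytype, _ = parse_pubkey_line(line)
    if int(alg) != SSHFP_ALGORITHMS.get(keytype) or int(fp_type) not in SSHFP_FP_TYPES:
        return False
    expected = sshfp_rdata(line, int(fp_type)).split()[2]
    return hmac.compare_digest(expected, fingerprint.lower())


def host_key_in_dns(line, rdata_list):
    """Accept the key only if some (DNSSEC-validated) SSHFP record matches it."""
    return any(matches_sshfp(line, r) for r in rdata_list)
```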