First, my condolences. You've been made responsible for solving this problem without being supported to do it properly. If the systems are being regulardly re-imaged, installing keys should be easily added to that build flow. If the responsible team isn't willing to do that, that seems hard to justify.
And you're right - by design, there's no way to pass ssh a password on the command line. So there aren't many options to automate further without installing something else, just as you've said.
Given the constraints - and assuming that you shouldn't store the password anywhere - I'd say a script that uses nested SSH (using multiple invocations of the -J flag) to reduce your hops, and having the password ready to paste in your paste buffer, would minimize your effort.
One more suggestion. You mention no Internet access, but if there are any scripts or tools that you could make internally available, you could pull them from that internal source to your target systems. Pulling a single 'bootstrap' script, and then running that script to install any other statically compiled utilities (or even certificates or SSH keys!), might be efficient. It would have to be re-done every time the systems are rebuilt, but the script could even check to see whether or not the target system has been re-imaged or not, and only install what's missing. In other words, you could automate the process of returning rebuilt systems to supportability.
Either way, good luck. If Hallmark made a card for this, I would get it for you. :D