I don’t see any is_admin conditional statement which is why you should include it in your snippet so we can properly assess what you are attempting to do outside of the obvious question.
Either way a nonce should be mandatory. That function that receives and processes your AJAX request/response should also verify your nonce to ensure the request is a valid and secure request – even IF the request is originating from the back-end, it still could be insecure or an attempt to exploit the system.
Also look at: