AI at work raises privacy and security alarms

- Reports say Meta is installing software on U.S. employee computers to capture keystrokes, clicks and other activity for AI training.
- Security research also finds 61% of business email compromise is now vendor-related, increasing risks from third-party tools.
- Those developments heighten governance and vendor-risk concerns for recruiting workflows that collect sensitive candidate and scheduling data. (moneycontrol.com) (morningstar.com)

Meta is installing software on U.S. employees’ work computers to capture keystrokes, clicks and mouse movements for artificial-intelligence training. (moneycontrol.com)

Reuters reported on April 21 that Meta’s new tool, called the Model Capability Initiative, will also take occasional screenshots and run across work-related apps and websites. CNBC reported the monitored sites include Google, LinkedIn and Wikipedia, based on internal documents it reviewed. (usnews.com) (cnbc.com)

Meta told staff the data is meant to help train AI agents on routine computer tasks where models still struggle, including dropdown menus and keyboard shortcuts. A separate memo from Chief Technology Officer Andrew Bosworth said the company was stepping up internal data collection as part of an “AI for Work” push now branded the Agent Transformation Accelerator. (usnews.com) (moneycontrol.com)

At the same time, Abnormal AI said on April 22 that 61% of business email compromise is now vendor-related, based on nearly 800,000 email attacks it observed across customer environments in the second half of 2025. The company said attackers are increasingly posing as suppliers and other trusted partners inside ordinary business workflows. (abnormal.ai 1) (abnormal.ai 2)

That combination puts more pressure on the software stack companies use to hire people. Recruiting systems routinely hold names, contact details, resumes, interview notes and scheduling records, and the Federal Trade Commission says businesses that keep sensitive personal information should build safeguards around how it is collected, stored and shared. (eeoc.gov) (ftc.gov)

The National Institute of Standards and Technology says privacy risk assessment is meant to analyze risks to individuals that arise from data processing, not just technical failures. Its security and privacy guidance also treats supply-chain risk management as part of system planning, which covers the vendors and tools an organization relies on. (nist.gov 1) (nist.gov 2)

Meta has said the activity data gathered through the new tool will not be used for performance reviews and that safeguards exist to protect sensitive content, though the company has not publicly detailed which categories of information will be excluded. Reuters said the software is being installed on U.S.-based employee machines. (usnews.com) (moneycontrol.com)

The immediate question for employers is less about one tool than about how many hands touch the data. When AI systems learn from workplace activity and attackers increasingly impersonate vendors, the ordinary trail of resumes, calendars and email threads becomes part of the security perimeter. (ftc.gov) (abnormal.ai)
