Enterprise AI governance moves to the shop floor

AI governance inside big companies is moving from model labs to employee desktops, legal teams and human resources policies. (msn.com) On April 21, Reuters reported that Meta is installing software on U.S.-based employees’ work computers to capture mouse movements, clicks and keystrokes for AI training. The internal effort is aimed at building AI agents that can perform work tasks autonomously. (msn.com) TechCrunch, citing the Reuters report, said the tool converts staff behavior inside work software into training data, including periodic screen captures. Computerworld said the program is designed to help agents learn how to navigate software and complete office tasks. (techcrunch.com, computerworld.com) That changes what “AI governance” means inside a company. The question is no longer only which model to deploy, but which employee data can be collected, who can review it, how long it is stored and whether workers can opt out. (nist.gov, computerworld.com) The shift also lands in employment law. The European Union’s AI Act applies staged obligations to workplace AI, and employment uses such as recruitment, promotion and termination are treated as high-risk in legal analyses tracking the law’s rollout. (digital-strategy.ec.europa.eu, lewissilkin.com) In the United States, the main playbook is still internal controls rather than one national AI law. The National Institute of Standards and Technology’s AI Risk Management Framework tells companies to govern, map, measure and manage AI risks across the system lifecycle. (nist.gov) The legal exposure is widening at the same time. On April 21, Florida Attorney General James Uthmeier announced a criminal investigation into OpenAI and ChatGPT after reviewing conversation logs tied to the 2025 Florida State University shooting, and his office subpoenaed records on threat-handling and law-enforcement cooperation. (myfloridalegal.com, cbsnews.com) OpenAI said the shooting was a “tragedy” but that ChatGPT was “not responsible for this terrible crime,” and a spokesperson said the company identified the suspect’s account after the incident and shared it with law enforcement. (tallahassee.com) Those two stories point to the same operating change inside companies: AI oversight now sits with security teams watching data flows, human resources teams handling worker consent, and lawyers preparing for subpoenas, audits and incident response. (bloomberglaw.com, alston.com) The next test is whether companies can keep feeding internal AI systems with richer workplace data without turning ordinary office software into an evidence trail for regulators, courts and employees. (computerworld.com, nist.gov)