> through their internal CA
Nope. People will create self-signed certs and tell people to just click "accept".
They're doing it right now and they'll continue doing so. There are always scapegoats for not automating.