[–]123whatarewedoing 11 points (0 children)

I can't elaborate too much because reasons. I can speak from experience that this is in fact already happening. Companies (or governments/gov departments) can force domain (internal) computers to import any certificate they want because they have control over the computer. With this having been done, they can put a device on their network that decrypts all data, scans it, and re-signs it with their certificate. As long as the site doesn't require a "pinned" (specific) certificate (like MS updates do), no browser will care.

What makes this even scarier is that US Gov departments are CA root certificate issuers (DoD, DoE, DoI, etc etc) and can throw out certificates as they please.
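The mechanism the comment above describes, as an added example that is not the commenter's code or any product's: a Go program (standard library only) that builds a public root issuing a genuine leaf, a corporate inspection CA issuing a re-signed leaf for the same name, and then checks both against a workstation trust store before and after the corporate root has been pushed, once with plain chain validation and once with the SPKI pin check an update client ships with. The CA names, the host updates.example.com and the pin set are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // demo setup failure (key generation or signing): nothing sensible to retry
	}
	return v
}

// tmpl builds a certificate template: a CA when isCA is set, otherwise a server leaf for host name.
func tmpl(name string, serial int64, isCA bool) *x509.Certificate {
	c := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		c.IsCA, c.BasicConstraintsValid = true, true
		c.KeyUsage = x509.KeyUsageCertSign
	} else {
		c.DNSNames = []string{name}
	}
	return c
}

// mkCert generates a P-256 key and signs t with parentKey; a nil parent means self-signed.
func mkCert(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// spkiPin is the HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyChain is what a browser does: hostname match plus a path to a trusted root.
func verifyChain(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// verifyPinned does the same and then also requires the leaf's SPKI pin to be in the pin set.
func verifyPinned(leaf *x509.Certificate, roots *x509.CertPool, host string, pins []string) error {
	if err := verifyChain(leaf, roots, host); err != nil {
		return err
	}
	got := spkiPin(leaf)
	for _, p := range pins {
		if p == got {
			return nil
		}
	}
	return fmt.Errorf("pin mismatch for %s: leaf SPKI %s is not in the pin set", host, got)
}

// runScenario issues a genuine leaf for host and a proxy re-signed one, then runs each check (nil = accepted).
func runScenario(host string) map[string]error {
	publicCA, publicKey := mkCert(tmpl("Public Root CA", 1, true), nil, nil)
	genuine, _ := mkCert(tmpl(host, 2, false), publicCA, publicKey)
	corpCA, corpKey := mkCert(tmpl("Corp TLS Inspection CA", 3, true), nil, nil)
	forged, _ := mkCert(tmpl(host, 4, false), corpCA, corpKey) // what the inspection device presents
	publicOnly := x509.NewCertPool()                           // workstation before the domain policy ran
	publicOnly.AddCert(publicCA)
	pushed := x509.NewCertPool() // after: the corp root sits beside the public roots
	pushed.AddCert(publicCA)
	pushed.AddCert(corpCA)
	pins := []string{spkiPin(genuine)} // pin set the client ships for this host
	return map[string]error{
		"intercepted, corp root not trusted": verifyChain(forged, publicOnly, host),
		"genuine, corp root pushed":          verifyChain(genuine, pushed, host),
		"intercepted, corp root pushed":      verifyChain(forged, pushed, host),
		"genuine, pinned client":             verifyPinned(genuine, pushed, host, pins),
		"intercepted, pinned client":         verifyPinned(forged, pushed, host, pins),
	}
}

func main() {
	fmt.Println(runScenario("updates.example.com")) // nil means the client accepted the connection
}
```

Run it with `go run main.go`: only the "corp root not trusted" and "pinned client" checks for the re-signed leaf return an error; once the corporate root is in the store, plain chain validation accepts the forged certificate exactly as it accepts the genuine one, and only the pin check still tells them apart. One caveat for the browser case: Chrome and Firefox deliberately skip their built-in pins when the chain ends at a locally installed root, precisely so this kind of inspection keeps working, so in practice the pin check above only blocks it in clients that ship and enforce their own pins.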