The Model Capability Initiative, a Meta program to train AI on US employees' laptop activity, stored its data in internal database tables that were broadly readable by default inside the company.
Meta's employee-tracking program, launched to feed corporate behavior data into AI model training, left keystrokes, screen content, and private conversations visible across roughly 45,000 internal database tables. The reason is that the data warehouse holding that information was never reconfigured to treat it as something sensitive.
The exposure, detailed in an internal security notice seen by WIRED and corroborated by three current Meta employees, sits at the intersection of two structural choices Meta made in 2025: a controversial program to collect US employees' laptop activity as AI training data, and a data-warehouse architecture whose access controls were inherited from the pre-AI era.
The program, internally known as the Model Capability Initiative, began capturing keystrokes, mouseclicks, screen content, full prompts, and transcriptions from Meta employees' corporate laptops in April 2025. According to the notice, the data was loaded into roughly 45,000 hive tables (the warehouse's standard storage format) and was accessible to Meta employees who should not have been able to see it. The notice warned that exposed records could include private conversations, people-and-performance data, and the content of prompts sent to internal AI tools.
Meta spokesperson Tracy Clayton confirmed the company is investigating and said the program was "designed with privacy safeguards." He added that Meta has "no indication at this time that any data was improperly accessed by Meta employees." WIRED notes the incident is marked as closed internally; the company's public posture is that the matter is still under review. Those are not the same thing.
The architectural failure the notice describes is not a phishing attack or external breach. It is a control-plane failure inside Meta's own data lake. When AI training substrate was deposited into the same warehouse that holds ordinary operational analytics, it inherited the warehouse's default access posture. Hive tables in Meta's environment are, by default, broadly readable across teams working on the same platform. No re-segmentation was applied to the new sensitivity tier.
That gap is what turned a controversial program into an exposure. The Model Capability Initiative was already drawing pushback. A 1,600-signature employee petition circulated the prior month. Internal-forum posts from engineers argued that the program's privacy review had not engaged with the data-warehouse risk profile. Chief technology officer Andrew Bosworth's response, in an internal post seen by WIRED, was that the program's implementation "fell short" of the standards set out in its own privacy review.
The collision is the story. The privacy review did not catch the failure mode employees had been warning about, because the review treated the program as a data-collection policy question rather than an architecture and access-control question. The 45,000-table exposure is what that omission looks like in production.
It is also an industry question rather than a Meta-specific one. As frontier AI labs run out of public training data, the cheapest next pool is internal behavioral streams: corporate laptops, customer support transcripts, search logs, and on-device activity. Those pools already live inside enterprise data warehouses, and the warehouses were not designed to host a new sensitivity class. Meta's exposure is a visible instance of a structural pattern any large company pulling internal telemetry into AI training will eventually have to confront.
For now, the practical question is narrower. Meta has not said how long the 45,000 tables were visible, how many employees had access, or whether any of that access was logged at a granularity that would let the company prove its "no indication" line. The 1,600-signature petition is on the record. The CTO's "fell short" acknowledgement is on the record. The exposure's full scope is not.