Corporate managed machines can control the software running on the computer to do anything. I'm not sure the details, but chrome certainly can support corporate MITM. There's likely some setting you have to configure first.

The default should be to reject certificates which aren't being logged, and if you as a user or corporation have a reason to use private certificates, you just configure your computer to do that. Which fully protects against the risk of normal CAs signing fraudulent certificates.