
> higher-privilege co-processors running code outside the main OS' control is becoming (or already is) the norm everywhere.

I don't think this fact is what you should focus on. The fact that the blobs are binary, closed, proprietary, signed but not easily verifiable by the user, and not easy to disable is the problem.

The promise is they're going to "improve security for PCs." Yet, they're using techniques that we know to be invalid. There's no reason to tolerate this.



When you consider both at the same time it is cause to pause and speculate on how malware might take advantage of this built-in tool.


They can have a physical switch or tool to disable it, or sell separate chips with/without IME.

Unfortunately there isn’t really incentive for Intel to do this, unless larger companies / governments refuse to run IME-enabled chips due to security concerns.


Governments and large companies are the ones who are explicitly requesting this functionality. End users don’t give a rat’s ass; it’s managed compute where the money is here.

That it can be used to back door the machine is the primary use case for the audience, as that is what lets them do a remote reinstall of Bob’s broken workstation somewhere, or any number of other legit use cases.


Ironically government probably mostly doesn't care. The assumption of networked systems is that they're compromised if they have any internet connectivity. If it's really important then you air-gap it, and if it needs networking then you still isolate that network.

Governments do use public internet VPNs sometimes... via accredited boxes which handle the tunneling for them and are the one point of ingress (and have a commensurate price tag).


Government != NSA


Irrelevant. For anything classified aka serious, you start with these assumptions. If it's not classified, then it's basically about as confidential as a business process is.

Which is to say, all they want from their suppliers is "yeah, ME is safe. Also buy these tools to manage your fleet."



