The organisation I work for has laptops outfitted with FDE-drives, i.e. drives that encrypt data on the fly such that in the case of a stolen laptop, no data can be retrieved by removing the HDD. While this protects us against malicious outsiders, evil employees can still switch the drive to a computer that they own (and of which they control the BIOS), and enable root/administrator privileges in the OS for themselves.
In short, what would solve this problem is having (a part of) the encryption key saved in the BIOS, such that another computer would be unable to decrypt the drive. Is there a way to do this, or how do other organisations deal with this security risk?