Matryoshka dolls
A computer within a computer with access to everything and no idea what it is up to. Yes, that's a brilliant idea, especially if we can't see the code or use it for our own purposes.
Two machines here with IME, a Lenovo G710 and a Tecra M10. The former required a full strip-down and a CH341A dongley thing with an SOIC8 clip to remove this malware. The latter (well done, Toshiba) allows disabling the thing before it even starts, confirmed by intelmetool. On the Lenovo, removing all but BUP has left a dangling USB device that can no longer enumerate. I suspect this is the JTAG port oft reported but it's a pain in the arse as it spams syslog.
That said, I can live with a dead USB device hanging off bus 3. It's infinitely preferable to hardware which does $DEITY knows what behind my back.
Yes, @x 7 it requires a driver for the control interface, yet the underlying processor and code still run regardless of driver status. If it's exposed to $SKIDDIE or $THREELETTERAGENCY you're SOL and JWF¹. Please note that AMD on anything newer than Piledriver also has something similar called PSP/Secure Processor which is pretty much the same idea - closed source crap running at ring -3.
¹ Shit out of luck and jolly well fucked.