[0942v8653]

It seems like it'd be possible to have a separate recovery key stored by the company in addition to the regular password.

[Osiris]

That's how my employer does it but it's for less than a hundred devices so we just provide security the key after turning on FileVault.

[JonathonW]

I don't recall whether or not it's the default, but Bitlocker can do this on domain-joined machines-- they get automatically backed up into Active Directory where they can be retrieved from the computer account's properties (or there's a tool in RSAT that can find them).