diff --git a/internal/engine/engine.go b/internal/engine/engine.go
index 34905f8..1774efc 100644
--- a/internal/engine/engine.go
+++ b/internal/engine/engine.go
@@ -52,8 +52,10 @@ type CallerInfo struct {
 IsAdmin bool
 }
-// IsUser returns true if the caller is a human user with the "user" or
-// "admin" role, or a system (service) account. Guest-only humans are excluded.
+// IsUser returns true if the caller is authorized to perform user-level
+// operations. Admins, system (service) accounts, and humans with the
+// "user" role all qualify. Authenticated callers with no roles are treated
+// as service accounts (MCIAS issues service tokens with nil roles).
 func (c *CallerInfo) IsUser() bool {
 if c.IsAdmin {
 return true
@@ -65,6 +67,13 @@ func (c *CallerInfo) IsUser() bool {
 if r == "user" {
 return true
 }
+if r == "guest" {
+return false
+}
+}
+// Authenticated caller with no roles — service account.
+if c.Username != "" && len(c.Roles) == 0 {
+return true
 }
 return false
 }
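Review bot: In the second hunk the result of IsUser now depends on the order of c.Roles: `["user", "guest"]` returns true at the first element, while `["guest", "user"]` hits the new `if r == "guest" { return false }` before "user" is ever reached. Since the loop already falls through to `return false` for a guest-only caller, that branch is either redundant or an order-dependent override; either way the roles should be scanned fully before deciding, as in the rewrite below, which keeps the previously documented rule that only guest-only humans are excluded. The new fall-through `if c.Username != "" && len(c.Roles) == 0` grants user-level access on the absence of data: the first hunk's comment says MCIAS service tokens carry nil roles, yet `len` is also zero for a non-nil empty slice, so a human whose roles were all revoked (or an upstream response that dropped the roles field) would be treated as a service account. If nil is the service-token signal, test `c.Roles == nil` explicitly, and consider an explicit service-account marker on CallerInfo instead of inferring it from absence — I cannot tell from the hunk whether such a field exists. IsUser's body runs across both hunks; the `for` over c.Roles sits between them.
```go
func (c *CallerInfo) IsUser() bool {
	// … unchanged: IsAdmin short-circuit …
	// Service tokens are identified by a nil role list (MCIAS); a non-nil
	// but empty list is a caller whose roles were stripped and is denied.
	if c.Roles == nil {
		return c.Username != ""
	}
	// Decide only after every role has been seen so that ordering cannot
	// change the answer: "user" qualifies, a guest-only caller does not.
	hasUser := false
	for _, r := range c.Roles {
		if r == "user" {
			hasUser = true
		}
	}
	return hasUser
}
```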