diff --git a/internal/engine/engine.go b/internal/engine/engine.go
index 3dc32c0..34905f8 100644
--- a/internal/engine/engine.go
+++ b/internal/engine/engine.go
@@ -46,16 +46,21 @@ func ValidateName(name string) error {
 // CallerInfo carries authentication context into engines.
 type CallerInfo struct {
-	Username string
-	Roles    []string
-	IsAdmin  bool
+	Username    string
+	AccountType string // "human" or "system"
+	Roles       []string
+	IsAdmin     bool
 }
 
-// IsUser returns true if the caller has the "user" or "admin" role (i.e. not guest-only).
+// IsUser returns true if the caller is a human user with the "user" or
+// "admin" role, or a system (service) account. Guest-only humans are excluded.
 func (c *CallerInfo) IsUser() bool {
 	if c.IsAdmin {
 		return true
 	}
+	if c.AccountType == "system" {
+		return true
+	}
 	for _, r := range c.Roles {
 		if r == "user" {
 			return true
diff --git a/internal/grpcserver/ca.go b/internal/grpcserver/ca.go
index 10a1ee8..b2f679b 100644
--- a/internal/grpcserver/ca.go
+++ b/internal/grpcserver/ca.go
@@ -65,9 +65,10 @@ func (cs *caServer) callerInfo(ctx context.Context) *engine.CallerInfo {
 		return nil
 	}
 	return &engine.CallerInfo{
-		Username: ti.Username,
-		Roles:    ti.Roles,
-		IsAdmin:  ti.IsAdmin,
+		Username:    ti.Username,
+		AccountType: ti.AccountType,
+		Roles:       ti.Roles,
+		IsAdmin:     ti.IsAdmin,
 	}
 }
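Review bot: The new `c.AccountType == "system"` branch in IsUser compares against a bare string literal, so the token issuer and this check must agree on spelling with nothing enforcing it; a value such as "System" or "service" silently falls through to the role check (fail closed, but a quiet misconfiguration). Declare the two documented values once, `const ( AccountTypeHuman = "human"; AccountTypeSystem = "system" )`, and compare with `if c.AccountType == AccountTypeSystem {`, so the ca.go constructor and any other producer can use the same constant. Because this branch grants user-level access regardless of Roles, the doc comment should also state that AccountType is trusted as set by the authenticator; the diff shows it copied straight from ti.AccountType, so it is worth confirming it is derived from the authenticated identity rather than from a client-supplied claim. The body of IsUser continues past the end of the hunk.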