lolinder 8 days ago

When it comes to security, a threat actor is often someone you invited in who exceeds their expected authorization and takes harmful action they weren't supposed to be able to do. They're still an attacker from the perspective of a security team looking to build a security model, even though they were invited into the system.

vel0city 7 days ago

> who exceeds their expected authorization

Sorry, if you give someone full access to everything in your account, don't be surprised they use it when suggested to use it.

If you don't want them to have full access to everything, don't give them full access to everything.

lolinder 7 days ago

This is exactly what I'm advocating for:

https://news.ycombinator.com/item?id=44103895