A “principal” is a somewhat overloaded term that represents an “identity”, that is, the subject to which permissions are granted.
The Control Plane Platform supports 4 principal types.
A user represents a distinct human being. This principal type is associated with an email. A user is a member of one or more orgs. An authorized principal can invite users (by providing their email address) to an org.
An identity is short for workload identity. It is a named, reusable principal (one identity can be leveraged by multiple workloads) that is used only by workloads. An identity encapsulates a set of Cloud Access rules. Cloud Access rules define least privilege policies governing access to resources in the org's configured cloud accounts. In addition to Cloud Access rules, an identity also defines a set of Network Resources.
To allow a user or group to perform actions within the console, an administrator creates a policy that binds the user or group to the resource and the necessary permissions.
To allow a workload the ability to access secured resources within Control Plane (e.g., a secret used as an environment variable), an identity is created that is a member of a policy with the required binding.
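To make the principal/policy/binding relationship above concrete, here is a small deny-by-default policy model written as an added illustration for this page. It is not the Control Plane Platform's API or schema: the principal kinds, the `Policy`/`Binding` types, the permission names (`view`, `edit`, `reveal`) and the sample org are all hypothetical, constructed only to show how a user (acting through a group) and a workload identity each receive only the permissions their bindings grant.

```python
"""Toy least-privilege policy model (added example, not Control Plane's own code).
All names, permissions and sample data below are hypothetical/constructed."""
from dataclasses import dataclass, field
from enum import Enum


class PrincipalType(Enum):
    USER = "user"          # a human, keyed by email
    GROUP = "group"        # a named set of users
    IDENTITY = "identity"  # workload identity, reusable across workloads


@dataclass(frozen=True)
class Principal:
    kind: PrincipalType
    name: str              # email for users, resource name otherwise


@dataclass
class Binding:
    """Grants `permissions` on one `resource` to the listed principals.
    Anything not bound is not allowed (deny by default)."""
    resource: str
    permissions: frozenset
    principals: set = field(default_factory=set)


@dataclass
class Policy:
    name: str
    bindings: list = field(default_factory=list)


@dataclass
class Org:
    groups: dict = field(default_factory=dict)   # group name -> set of user emails
    policies: list = field(default_factory=list)

    def effective_principals(self, p: Principal) -> set:
        """A user also acts as every group it belongs to; identities and
        groups act only as themselves."""
        acting_as = {p}
        if p.kind is PrincipalType.USER:
            for group_name, members in self.groups.items():
                if p.name in members:
                    acting_as.add(Principal(PrincipalType.GROUP, group_name))
        return acting_as

    def is_allowed(self, p: Principal, permission: str, resource: str) -> bool:
        """Allowed only if some binding on this exact resource grants the
        permission to the principal or to one of its groups."""
        actors = self.effective_principals(p)
        for policy in self.policies:
            for b in policy.bindings:
                if b.resource == resource and permission in b.permissions and actors & b.principals:
                    return True
        return False


def build_sample_org() -> Org:
    """Constructed sample data: one group of humans and one workload identity,
    each bound to a secret with different permissions."""
    org = Org()
    org.groups["ops"] = {"alice@example.com"}
    ops = Principal(PrincipalType.GROUP, "ops")
    svc = Principal(PrincipalType.IDENTITY, "api-identity")
    org.policies.append(Policy("secrets-policy", [
        # the workload may read the secret value, but not change it
        Binding("secret/db-password", frozenset({"reveal"}), {svc}),
        # operators may manage the secret, but never see its value
        Binding("secret/db-password", frozenset({"view", "edit"}), {ops}),
    ]))
    return org


if __name__ == "__main__":
    org = build_sample_org()
    alice = Principal(PrincipalType.USER, "alice@example.com")
    svc = Principal(PrincipalType.IDENTITY, "api-identity")
    print("alice edit:", org.is_allowed(alice, "edit", "secret/db-password"))
    print("alice reveal:", org.is_allowed(alice, "reveal", "secret/db-password"))
    print("identity reveal:", org.is_allowed(svc, "reveal", "secret/db-password"))
```

The point of the split bindings is the least-privilege shape the page describes: the human group gets management permissions without the ability to read the secret, while the workload identity gets exactly the one permission it needs to consume the secret as an environment variable, and a user with no group membership gets nothing.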