Typically it's a local account admin. Doesn't have to be an administrator, it could be a normal user. But then your Bladelogic executed task may not be able to do anything. by the time the execution gets to the target system, Bladelogic should have restricted access enough that it's ok that whatever is running runs w/ admin privs even if the originating user would not be granted full admin rights on the box.
Automation principal will allow you to map to domain users instead of local accounts, but the same admin/normal issue applies. And it's role based, so right, any Bladelogic user in that role will run jobs as that user in the automation principal.
Thanks again for your quick confirmation Bill.
I'll leave the question unanswered until the morning just in case any other people want to add their experiences.