To answer my own question, according to EJB 2.1 section 188.8.131.52, which applies to EJB3 as far as I understood
Note that getCallerPrincipal returns the principal that represents the caller of the
enterprise bean, not the principal that corresponds to the run-as security identity for the bean,
Currently JBoss returns RunAs identity, which looks like a bug.
Both are fixed in CVS. I'll do another EJB 3 release once JBoss 4.0.1 goes out to make it official.
When do you plan to do another preview? I have couple of small changes to Entity Beans implementation and want to make them available too.