There are 2 problems that I've found that cause this:
1) The EJBContainer discards Entity EJB instances whenever an exception is thrown -- whether the exception is an Application defined exception, or a RuntimeException. Per the EJB spec, the container is only supposed to discard the instance if the Exception is a RuntimeException.
2) Because the Entity instance was discarded, the next invocation on the Entity (the same instance) forces an ejbLoad. My bean makes JDBC calls to a MySQL database, configured via mysql-service.xml. Because this is a JCA service, and JCA services are secure and transactional, the JDBC connector sets the Active Subject to the Configured Identity for the database connection -- the user that is in the "MySQLDBRealm" in the login-config.xml. Once the JDBC calls are done, the Active subject is never set back to the actual caller of the EJB.
The result of this is that when the EJB container gets around to calling my SecurityProxy, the active subject is set to the JDBC database user, and not the actual caller of the EJB method.
I will post a follow-up with a proposed container fix and a workaround.
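
The identity mix-up described in the post, reduced to a stand-alone model. This is an added example, not code from the post or from JBoss: `SubjectLeakDemo`, `ACTIVE_SUBJECT`, both `jdbcCall*` methods, `proxySeesCaller` and the sample identities are hypothetical names, and a plain `ThreadLocal` stands in for the container's thread-bound active subject.

```java
import java.util.function.Supplier;

// Simplified model (hypothetical names, not JBoss classes): the "active subject"
// is thread-bound state read by both the connector and the security proxy.
public class SubjectLeakDemo {
    static final ThreadLocal<String> ACTIVE_SUBJECT = new ThreadLocal<>();

    // Behaviour described in the post: the connector switches to the
    // configured database identity and never switches back.
    static <T> T jdbcCallLeaky(String configuredIdentity, Supplier<T> work) {
        ACTIVE_SUBJECT.set(configuredIdentity);
        return work.get();
    }

    // Save the caller's subject and restore it in finally, so it is put back
    // even when the JDBC work throws.
    static <T> T jdbcCallRestoring(String configuredIdentity, Supplier<T> work) {
        String caller = ACTIVE_SUBJECT.get();
        ACTIVE_SUBJECT.set(configuredIdentity);
        try {
            return work.get();
        } finally {
            ACTIVE_SUBJECT.set(caller);
        }
    }

    // Stand-in for the SecurityProxy check: is the active subject still the caller?
    static boolean proxySeesCaller(String expectedCaller) {
        return expectedCaller.equals(ACTIVE_SUBJECT.get());
    }

    public static void main(String[] args) {
        String caller = "alice";      // constructed sample caller
        String dbUser = "mysql-app";  // constructed sample configured identity

        ACTIVE_SUBJECT.set(caller);
        jdbcCallLeaky(dbUser, () -> "row");  // stands in for the forced ejbLoad
        System.out.println("leaky: proxy sees caller = " + proxySeesCaller(caller));

        ACTIVE_SUBJECT.set(caller);
        jdbcCallRestoring(dbUser, () -> "row");
        System.out.println("restoring: proxy sees caller = " + proxySeesCaller(caller));

        ACTIVE_SUBJECT.set(caller);
        try {
            jdbcCallRestoring(dbUser, () -> { throw new IllegalStateException("SQL failure"); });
        } catch (IllegalStateException e) {
            System.out.println("after exception: proxy sees caller = " + proxySeesCaller(caller));
        }
    }
}
```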