In the normal (non-RunAs) use of an augmentSecurityContext script, the script has the opportunity to recover from the case when the subject identified by the auth module is not found in the system. For example, "amadmin" is not a real user anywhere in the IDM ecosystem; normally this would cause any request which specifies amadmin as the authenticationId to fail. In this case, however, the augmentSecurityContext script can detect this user and take special action to account for it, allowing the request to recover.
When augmentSecurityContext scripts are executed in the RunAs context, they have no such opportunity to recover: there is a hard failure before they execute. This makes accounting for the amadmin user impossible.