I just noticed it is an old post after responding, but if someone is still looking for an answer, We encountered a similar situation and came up with a solution by setting up various sources for each account type and implementing appropriate filters to categorize groups and accounts.
To make this system effective, we assigned a specific attribute to the account schema to distinguish between different types of accounts for a single identity, such as admin, test, primary, and secondary accounts. Moreover, we ensured that the access profiles and entitlements had clear and descriptive names to help end-users understand their requests will grant access to the appropriate account.
Example: Primary Source 1, to aggregate / provisioning of type primary accounts and respective entitlements.
It may not be possible to solve the issue of differentiating between account types and group types without proper indicators in place on the account schema. This is because when requesting an access IDN, there is no way to determine which account needs to be provisioned for the requested access.