Assuming the IdentityReference property refers only to Active Directory object, use Get-ADObject to retrieve the object and use either objectClass or objectCategory to determine what they are. You may want to use both, though. There are objects in the AD (like a computer account) that have an objectClass of "User" and an objectCategory of "Computer". If you need that level of distinction, it'd probably be better to report them both to avoid surprises.
If, on the other hand, you have LOCAL users in the ACL then if you fail to find the object in the AD you have to use Get-LocalUser and Get-LocalGroup in addition to Get-ADObject to report the type.