A threat is the thing that could go wrong, considered before any judgement about whether it would succeed. ISO 27000 vocabulary keeps the definition deliberately broad: a potential cause of an unwanted incident. FAIR is sharper: it speaks of a threat community, a set of actors with shared motivation and capability, and measures it by the frequency at which those actors attempt the relevant action (threat event frequency) and by how strong an attempt is (threat capability). Both definitions matter because they answer different questions: the ISO definition decides what belongs in the register at all, the FAIR one supplies the numbers a risk scenario needs.
The distinction worth holding is between threat and threat actor. A threat actor is the entity (a criminal group, a privileged insider, a nation-state programme, a third-party engineer making a configuration mistake) whose action could lead to loss. A threat is the action itself, considered in the context of the asset and the loss form: data exfiltration, fraudulent payment, system unavailability, regulatory breach. A useful risk scenario binds the two, because the frequency of the action and the capability behind it both depend on who is doing it.
Threat estimates are notoriously hard to pin down, but they do not need to be precise to be useful. Industry threat-intelligence reports calibrate the orders of magnitude. Internal incident history calibrates the local rate. A three-point estimate (minimum plausible, most likely, maximum plausible) is enough to feed the FAIR factors: threat event frequency for how often the action is attempted, and threat capability for how strong those attempts are, which measured against the asset's resistance strength yields a loss event frequency. The analysis becomes meaningful once the estimate is owned by people who handle the relevant systems. The Risk Investigation Agent maintains the threat catalogue alongside the risk scenarios it informs, so a change in the threat landscape flows through to the affected scenarios rather than being noted and forgotten.
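The two preceding paragraphs describe a scenario that binds an actor to an action against an asset, and three-point estimates feeding the FAIR factors. The following is an added worked example, not code from the original page or from the Risk Investigation Agent: a scenario structure with a threat catalogue it points into, three-point estimates sampled as modified PERT distributions (the usual FAIR tooling choice, assumed here), a Monte Carlo loss event frequency, and a catalogue update that returns the scenarios it affects. The 0-100 capability scale, the field names, and every number are constructed assumptions.

```python
# Added example (not from the original page): a FAIR-style risk scenario that
# binds a threat actor to an action against an asset, carries three-point
# estimates for the threat-side factors, and is sampled by Monte Carlo to get a
# loss event frequency. All names, scales and numbers below are assumptions.
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class ThreePoint:
    """Minimum plausible, most likely, maximum plausible."""
    minimum: float
    most_likely: float
    maximum: float

    def __post_init__(self):
        if not self.minimum <= self.most_likely <= self.maximum:
            raise ValueError("three-point estimate must satisfy min <= most likely <= max")

    def sample(self, rng: random.Random, lam: float = 4.0) -> float:
        # Modified PERT: a beta distribution stretched over [min, max] whose mode
        # is the most-likely value; lam=4 is the conventional PERT shape weight.
        span = self.maximum - self.minimum
        if span == 0:
            return self.minimum
        a = 1 + lam * (self.most_likely - self.minimum) / span
        b = 1 + lam * (self.maximum - self.most_likely) / span
        return self.minimum + span * rng.betavariate(a, b)


@dataclass(frozen=True)
class ThreatActor:
    name: str
    # Threat capability on an assumed 0-100 percentile scale, as a three-point
    # estimate: the share of the general threat population this actor outperforms.
    capability: ThreePoint


@dataclass(frozen=True)
class RiskScenario:
    scenario_id: str
    actor: ThreatActor
    action: str            # the threat: what the actor does
    asset: str
    loss_form: str         # e.g. data exfiltration, fraudulent payment
    threat_key: str        # catalogue entry that supplies the attempt frequency
    # Resistance strength on the same 0-100 scale: the control strength the
    # actor's capability must exceed for an attempt to become a loss event.
    resistance_strength: ThreePoint


def simulate_lef(scenario: RiskScenario, catalogue: dict, trials: int = 20000, seed: int = 0):
    """Monte Carlo loss event frequency (loss events per year).

    Per trial: draw threat event frequency (attempts/year) from the catalogue
    entry the scenario points at, draw capability and resistance strength, and
    count the attempts as loss events only when capability exceeds resistance.
    Returns (mean LEF, 5th percentile, 95th percentile).
    """
    rng = random.Random(seed)
    tef_estimate = catalogue[scenario.threat_key]
    samples = []
    for _ in range(trials):
        tef = tef_estimate.sample(rng)
        tcap = scenario.actor.capability.sample(rng)
        rs = scenario.resistance_strength.sample(rng)
        samples.append(tef if tcap > rs else 0.0)
    samples.sort()
    return mean(samples), samples[int(0.05 * trials)], samples[int(0.95 * trials) - 1]


def update_threat(catalogue: dict, scenarios: list, threat_key: str, new_estimate: ThreePoint):
    """Replace one catalogue entry and return the scenarios that read it, so the
    caller re-simulates them instead of leaving the change as a note."""
    if threat_key not in catalogue:
        raise KeyError(threat_key)
    catalogue[threat_key] = new_estimate
    return [s for s in scenarios if s.threat_key == threat_key]


# Constructed sample data (assumptions, not figures from any report).
THREAT_CATALOGUE = {
    # attempts per year: an assumed blend of industry reports and local history
    "credential-stuffing-customer-portal": ThreePoint(5.0, 30.0, 120.0),
}
CRIMINAL_GROUP = ThreatActor("opportunistic criminal group", ThreePoint(40, 60, 85))
PORTAL_TAKEOVER = RiskScenario(
    scenario_id="RS-001",
    actor=CRIMINAL_GROUP,
    action="credential stuffing against the customer portal login",
    asset="customer portal accounts",
    loss_form="fraudulent payment",
    threat_key="credential-stuffing-customer-portal",
    resistance_strength=ThreePoint(50, 70, 90),
)

if __name__ == "__main__":
    lef_mean, p5, p95 = simulate_lef(PORTAL_TAKEOVER, THREAT_CATALOGUE)
    print(f"{PORTAL_TAKEOVER.scenario_id}: mean LEF {lef_mean:.1f}/yr (p5 {p5:.1f}, p95 {p95:.1f})")
```

The scenario stores a key into the catalogue rather than a copy of the frequency, which is the whole point of keeping the two together: when a report or incident moves the estimate, `update_threat` hands back the scenarios whose numbers are now stale.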



