Watchdog pushes IRS on stronger oversight of identity-proofing program
The IRS’s identity-proofing program needs stronger oversight and better transparency around its use of artificial intelligence, according to a new watchdog report.
The Government Accountability Office examined the tax agency’s use of ID.me as its sole provider of identity assurance level (IAL) 2 products and related services, finding a lack of “measurable goals and objectives for the program” that verifies taxpayers and is intended to guard against fraud and abuse.
“IRS receives performance data from the vendor but did not show it independently identified outcomes it is seeking,” the GAO said. “IRS also has not shown documented procedures to routinely evaluate credential service providers’ performance. Without stronger performance reviews, IRS is hindered in its ability to take corrective actions as needed.”
ID.me requires users to provide evidence of their identity — such as a passport or driver’s license, or biometric verification via a selfie — before accessing IRS applications. The Treasury Department contracted ID.me services for the IRS through a blanket purchase agreement (BPA) that also covers a third-party software vendor called V3Gate.
“According to IRS officials, between June 2021 and April 2025, IRS obligated $234.7 million for ID.me licenses and support services using the BPA,” the report noted. Hourly reports of fraudulent users who skirted ID.me barriers are provided to the IRS, and those reports and other fraud analytics inform the agency’s decision-making on ways to better identify and combat unauthorized access.
Beyond the GAO’s findings that IRS officials lacked documented goals or objectives for its identity-proofing program, the watchdog also revealed that officials hadn’t properly evaluated or documented outcomes of the program nor had they “documented procedures for sharing and communicating ID.me solutions’ performance data to relevant IRS officials.”
The GAO also dinged the IRS for not documenting identity-proofing services in its AI use case inventory; ID.me uses AI, including facial recognition.
“By not documenting ID.me’s use of AI in IRS’s AI inventory, IRS cannot ensure that ID.me’s identity-proofing solutions comply with agency requirements or reflect the government-wide principles for AI use,” according to the report. “Stronger oversight of IRS’s use of AI-enabled solutions would better position IRS to ensure taxpayers’ rights are protected and the technology is accurate, reliable, effective, and transparent.”
The IRS agreed with the GAO’s four recommendations covering AI compliance and better documentation of goals, evaluations and procedures of its identity-proofing programs.
“Taking action to close these gaps would help ensure IRS’s identity-proofing program is progressing toward IRS’s desired outcomes,” the GAO concluded.
A spokesperson for ID.me said in an email to FedScoop that the company agrees “fully with the GAO report that measurable goals and regular evaluation are necessary, and have provided our recommendations” to the National Institute of Standards and Technology.
“Other agencies would also benefit from metrics guidance and performance benchmarks, to make informed decisions about their authentication solutions,” the spokesperson continued. “NIST should play a central role in establishing government-wide guidelines.”
This story was updated June 13 with comments from ID.me.
