IRS data platform has problems with access controls, watchdog says

The Treasury Inspector General for Tax Administration found issues with the cloud-based system, which hasn’t been fully integrated with an agency management access platform.
A view of the IRS building in Washington, D.C., on April 17, 2023. (Photo by Stefani Reynolds / AFP via Getty Images)

An enterprise data platform deployed by the IRS to strengthen taxpayer services and enforcement has access issues that could expose sensitive information to unauthorized users, a new watchdog report found.

According to the Treasury Inspector General for Tax Administration, the IRS hasn’t adequately monitored privileged accounts on the cloud-based system. Launched in April 2022, the platform — which the IRS spent roughly $178.4 million on from fiscal 2023 through fiscal 2025 — securely stores taxpayer account, case and operational data.

TIGTA discovered problems with how the tax agency employs the Privileged User Management Access System. IRS requires the use of PUMAS, which provides audit trails intended to ensure that top levels of security are followed for “all administrative actions that require elevated privileges.”

But despite those rules, the IRS hasn’t fully integrated the data platform with PUMAS, per the report, a failing that TIGTA said “may lead to exploitation of security safeguards leading to unauthorized access and critical system compromise.”

The watchdog’s identification of the PUMAS problem isn’t the first time the issue has been raised; in January 2024, the platform management team flagged that PUMAS couldn’t “be integrated with the platform to manage, control, and monitor all activities associated with these privileged user accounts,” the report stated.

A Plan of Action and Milestones (POA&M) was then created, but TIGTA said the IRS hasn’t moved to fix the issue because the tax agency and the Department of the Treasury’s Workplace Community Cloud have different Active Directory environments — meaning PUMAS doesn’t have the right permissions to manage users and accounts outside the IRS network. The data platform is hosted on the Treasury cloud platform.

The Treasury IG also couldn’t find any evidence that account activity on the IRS’s data platform was being monitored. The platform team told TIGTA that privileged user accounts on the Treasury cloud are watched by the Treasury Shared Services Security Operations Center.

“However, the IRS was unable to provide us with any evidence that these monitoring activities occurred,” the report said. “Further, we identified one privileged user account without approved access that logged into the platform. This unauthorized login occurred because of an administrative error in the manual approval process.”
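The two gaps the report describes, privileged logins that nobody reconciles against an approval record and privileged accounts that live in a directory the access-management tool cannot reach, are the kind of thing a security operations team can catch with a routine reconciliation job. The script below is an added illustration, not code from TIGTA, the IRS or the PUMAS system: the log format, account names, domain names and the approved-access roster are all constructed for the example, and the assumption that the management tool only covers the IRS directory stands in for the cross-domain permission problem the report describes.

```python
"""Reconcile successful privileged logins against an approved-access roster.

Added example (not from the TIGTA report, the IRS, or PUMAS). Every account,
domain and log line here is constructed; the log shape is an assumption.
"""
from dataclasses import dataclass
import re

# Constructed audit-trail lines in a syslog-like shape (assumed format).
SAMPLE_LOG = """\
2025-03-03T08:12:01Z platform-auth LOGIN user=IRS\\svc_admin01 role=admin result=success
2025-03-03T08:15:44Z platform-auth LOGIN user=IRS\\analyst07 role=user result=success
2025-03-03T09:02:10Z platform-auth LOGIN user=TREAS\\ops_admin02 role=admin result=success
2025-03-03T09:30:27Z platform-auth LOGIN user=IRS\\svc_admin09 role=admin result=success
2025-03-03T09:31:00Z platform-auth LOGIN user=IRS\\svc_admin09 role=admin result=failure
"""

# Constructed roster: accounts whose elevated access has an approved record.
# A login by any other admin account is the "administrative error" case.
APPROVED_PRIVILEGED = {"IRS\\svc_admin01", "TREAS\\ops_admin02"}

# Directory domains the privileged-access management tool can actually
# enforce controls over (assumption standing in for the report's finding
# that the tool lacks permissions outside the IRS network).
MANAGED_DOMAINS = {"IRS"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ LOGIN user=(?P<user>\S+) role=(?P<role>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    reason: str


def parse_login_events(log_text):
    """Parse the constructed LOGIN lines; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def reconcile(events, approved, managed_domains):
    """Return a Finding for each successful admin login that either has no
    approval record or belongs to a domain the management tool cannot govern."""
    findings = []
    for ev in events:
        # Only successful logins with elevated privileges are in scope.
        if ev["role"] != "admin" or ev["result"] != "success":
            continue
        user = ev["user"]
        domain = user.split("\\", 1)[0] if "\\" in user else ""
        if user not in approved:
            findings.append(Finding(ev["ts"], user, "privileged login without approved access"))
        if domain not in managed_domains:
            findings.append(Finding(ev["ts"], user, "privileged account outside managed directory"))
    return findings


def run_reconciliation():
    """Convenience entry point over the constructed sample data."""
    return reconcile(parse_login_events(SAMPLE_LOG), APPROVED_PRIVILEGED, MANAGED_DOMAINS)


if __name__ == "__main__":
    for f in run_reconciliation():
        print(f"{f.timestamp} {f.user}: {f.reason}")
```

Run as a scheduled job against real audit trails, the same logic produces the evidence of monitoring that the watchdog could not find: each successful privileged login is either matched to an approval record or surfaced as a finding, and accounts in a directory the management tool cannot reach are flagged so they can be covered by a compensating control rather than quietly falling outside the audit trail.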

The watchdog delivered four recommendations to the IRS, starting with a directive to the agency’s chief information officer to work with Treasury on integrating the platform with PUMAS. TIGTA also recommended that the IRS CIO coordinate with the department on infrastructure issues between different networks, make sure that notifications on user access are timely, and pursue a corrective action plan to address automated sign-offs for user accounts. The IRS agreed with all four recommendations.