GAO finds major gaps in IRS biometric ID verification program oversight

A new Government Accountability Office (GAO) audit found the Internal Revenue Service (IRS) has not exercised sufficient oversight of its digital identity-proofing program, which is central to safeguarding taxpayer information across more than 30 online applications. Identity proofing for most IRS applications requires personally identifiable information to be collected from taxpayers and businesses to verify their identities.
At the core of GAO’s audit report is IRS’s partnership with ID.me, a private credential service provider tasked with verifying users’ identities before granting access to services that may involve sensitive data such as tax filings, payments, and refunds.
Between 2021 and 2024, taxpayers accessed IRS applications more than 150 million times, making the identity-proofing program one of the largest of its kind across federal agencies. GAO’s audit emphasized that the program’s Identity Assurance Level 2 (IAL2) – which requires biometric and documentary evidence like selfies and driver’s licenses – is a high-risk activity demanding rigorous oversight.
Despite this, GAO concluded that IRS lacks essential safeguards, including measurable goals, systematic evaluation processes, documented internal communication procedures, and compliance with federal requirements for AI oversight.
“IRS officials were unable to show us that they evaluated or documented the outcomes of IRS’s digital identity-proofing program, including ID.me solutions,” GAO reported.
GAO’s audit stemmed from concerns expressed by Congress and the public over the growing reach of identity-proofing programs that involve biometric data. Since 2021, ID.me has served as the IRS’s sole provider for IAL2 identity proofing, which uses facial recognition and other AI-enabled tools to verify identities.
“ID.me was selected as the single identity proofing service because it was the only one able to deliver to federal standards at the time, and ID.me remains the industry-leading provider today. We assert that the top-performing identity proofing solutions should be available to protect Americans and taxpayer funds,” a spokesperson for ID.me told Biometric Update in an emailed comment.
“In 2021, the IRS launched its current identity-proofing program under an urgent Presidential mandate – and delivered results. ID.me rapidly integrated our secure, NIST-conformant system that, by 2022, had increased pass rates from 40 percent to over 70 percent relative to IRS’s prior, algorithm-only identity solution, while significantly reducing fraud and saving taxpayer dollars. This solution also demonstrated a 3x increase in access rates for underserved populations.
“We agree fully with the GAO report that measurable goals and regular evaluation are necessary and have provided our recommendations to NIST. Building on our proven success with the IRS, we’re eager to identify the goals that will deliver the greatest value to the IRS and ID.me users. Other agencies would also benefit from metrics guidance and performance benchmarks, to make informed decisions about their authentication solutions. NIST should play a central role in establishing government-wide guidelines.
“We also take the use of AI – and its abuse by adversaries – extremely seriously. ID.me leads the industry in responsible AI deployment for authentication, identity proofing, and fraud prevention solutions. We made human fallbacks and alternatives (e.g., video chat) a core part of our solution, backing up algorithms. We actively partner with agencies on AI governance and welcome clear, consistent oversight frameworks. Per the GAO report, ID.me welcomes AI inventory and further AI oversight.
“Finally, GAO raises that the IRS has risk exposure because it operates with a single authentication solution. The GAO fails to point out that nearly every other federal agency operates with a single identity verification solution – either built by the agency itself or by GSA – and many of those solutions do not comply with guidance set forth by OMB M-19-17 or NIST 800-63. If GAO believes that the IRS should offer multiple verification and authentication options, it should apply that recommendation to other agencies and also call for standards for accountability and transparency across all verification and authentication solutions.”
GAO said the IRS has not listed ID.me’s AI technologies in its AI inventory as required by Executive Order 13960 and the Advancing American AI Act. Nor has it subjected these technologies to internal oversight under its own AI governance framework. These omissions raise questions about the transparency, accountability, and fairness of IRS’s AI-based decisions in the context of identity verification.
“ID.me acknowledges that its identity-proofing process involves the use of artificial intelligence technologies, however, IRS has not documented these uses in its AI inventory or taken steps to comply with its own AI oversight policies,” GAO said. “Doing so would provide greater assurance that taxpayers’ rights are protected and that the technologies are accurate, reliable, effective, and transparent.”
Further compounding these issues, GAO’s audit found that although IRS collects performance metrics from ID.me via weekly reports and dashboard analytics, including true pass rates, document verification success, and user drop-off points, these data streams are not guided by clear performance objectives. Without internal benchmarks or outcome-based evaluations, IRS cannot assess whether the ID.me system aligns with its goals or taxpayer needs, GAO said.
“IRS officials cannot independently or objectively evaluate how changes made by ID.me improve performance of its solutions involving taxpayer data; instead, they are relying on ID.me’s own assessments of its solutions’ performance,” GAO said. Additionally, “according to the IRS, the contractual arrangement with ID.me does not require such a plan. Nevertheless, the inherent risk of identity proofing, the magnitude of services ID.me provides, and ID.me being IRS’s sole provider of Identity Assurance Level 2 identity-proofing solutions create a higher-risk environment for IRS management.”
GAO added, “Without documented procedures for sharing and communicating ID.me solutions’ performance data, relevant IRS officials cannot have assurance they are consistently receiving the data they need to make informed determinations about IRS’s identity-proofing program, potentially hindering their ability to take appropriate corrective actions.”
GAO’s audit also revealed that while IRS included 12 privacy directives in its contracts with ID.me mandating biometric data deletion within 24 to 48 hours and video session deletions within 30 days, it relies heavily on vendor attestation rather than its own audits or performance assessments to ensure compliance. IRS has conducted some inspections, such as visiting ID.me’s facilities in McLean, Virginia, but its efforts do not reflect “measurable goals and objectives for the program,” GAO said.
The contractual arrangement, executed through a Treasury-run blanket purchase agreement (BPA) with software reseller V3Gate, has allowed the IRS to quickly onboard ID.me services without developing a performance assessment plan. While this rapid acquisition met urgent legislative requirements such as establishing the Advance Child Tax Credit portal during the COVID-19 pandemic, GAO argues that it has also resulted in long-term oversight gaps. The total IRS obligation under this agreement reached $234.7 million by April.
Moreover, GAO found that the IRS does not maintain documented procedures for internally disseminating ID.me performance data to the appropriate officials. As a result, relevant IRS staff may not be consistently informed about identity-proofing performance or emerging security risks. This lack of structured internal communication could undermine the agency’s ability to respond quickly to fraud patterns or usability issues.
Stakeholder concerns are also a recurring theme, GAO found. Taxpayer advocacy groups and industry experts have expressed reservations about the use of facial recognition and biometric data in federal identity proofing, particularly the risk of privacy breaches and potential exclusion of vulnerable populations. ID.me has countered that its technologies reduce fraud and can be deployed responsibly.
The IRS’s dependence on a single provider for all IAL2 applications amplifies the risk, GAO believes. As the agency looks toward the expiration and renewal of the Treasury BPA in August, GAO recommended that the IRS take this opportunity to revamp its program governance structure. The IRS must develop and document performance goals, evaluate program outcomes, establish internal communication protocols, and ensure AI compliance to bolster public trust and system resilience.
The IRS agreed with all four of GAO’s recommendations.
GAO concluded that strengthening these areas is critical to maintaining the integrity of the U.S. tax system, especially as the IRS continues to digitize services and increasingly depends on automated tools for taxpayer interactions. With digital identity becoming a foundational layer for accessing federal services, the success of this program has broader implications for federal digital trust, fraud mitigation, and civil liberties.
This post was updated to include a response from ID.me at 3:44pm Eastern on June 13, 2025.