A Federal watchdog said in a new report that the Internal Revenue Services (IRS) is falling short on overseeing its identity verification vendor’s use of artificial intelligence, even as it earns high marks for protecting taxpayer data.
ID.me, the IRS’s single vendor for identity verification, helps to ensure that people are who they say they are when doing business with the IRS – usually through uploading documentation and then providing biometric evidence such as a selfie photo.
While the IRS has done well at overseeing ID.me’s user privacy protections, performed data validation checks, and had frequent communication with the vendor, the Government Accountability Office (GAO) said in a June 11 report that the IRS hasn’t set documented performance goals and hasn’t recorded the vendor’s use of AI to ensure it meets the agency’s AI policies.
GAO said that agency officials it spoke with were unaware that ID.me should be compliant with the agency’s own requirements for AI, which were updated last year to include an oversight process for contracted AI.
“By not documenting ID.me’s use of AI in IRS’s AI inventory, IRS cannot ensure that ID.me’s identity-proofing solutions comply with agency requirements or reflect the government-wide principles for AI use,” wrote GAO. “Stronger oversight of IRS’s use of AI-enabled solutions would better position IRS to ensure taxpayers’ rights are protected and the technology is accurate, reliable, effective, and transparent.”
Some of the ways ID.me uses AI include through facial recognition technology, which compares an online user’s image to photos on official documents, according to GAO.
The IRS also did not require ID.me to provide detailed information on the AI’s intended application, the data used for its development, its limitations, and performance metrics. GAO recommended that the IRS commissioner add ID.me’s AI use case to the IRS AI inventory and complete all required documentation processes.
GAO said that improved documentation also needs to extend to measurable goals and objectives in IRS oversight of ID.me, reporting that while the agency receives performance data and objectives from the vendor, that data isn’t independently verified.
Without independently established measures and goals, GAO warned that the IRS cannot determine if ID.me is meeting the agency’s needs – such as how the vendor reports fraud, which GAO said totaled $9.1 billion in costs in fiscal year 2024.
GAO recommended that the IRS establish independent metrics and regularly evaluate and document results of the identity-proofing agreement with ID.me. The IRS agreed with all recommendations.