Identity Assurance Level
NIST SP 800-63A's three-level scale (IAL1, IAL2, IAL3) describing how rigorously the user's claimed real-world identity was proofed before the credential was issued.
IAL answers a different question than AAL. AAL asks "how strong is the authentication credential?"; IAL asks "how confident are we that the credential belongs to a real person matching the claimed identity?" A passkey-based AAL2 login can still be IAL1 if the user self-asserted their identity at signup — strong authentication of an unverified identity. Regulated workloads need both: AAL2+ at login and IAL2+ at enrollment.
Common questions
What's the difference between IAL, AAL, and FAL?
Does IAL2 require in-person verification?
Which CIAM workloads need IAL3?
In the guides
HIPAA and CIAM: The Healthcare Identity Compliance Checklist for 2026
HIPAA's Security Rule constrains how CIAM handles healthcare identity. The technical safeguards, the auditor's checklist, and vendor-selection implications for 2026.
Identity Verification and Proofing (IDV/KYC): A CIAM Guide for 2026
How to prove a real person matches a claimed identity at signup — document capture, liveness, authoritative-data checks. The 2026 stack, the deepfake escalation, and where CIAM ends.