IAL and AAL are the two assurance dials defined in NIST SP 800-63, the U.S. government's digital identity guidelines. Identity Assurance Level (IAL) grades how thoroughly a person's real-world identity was proven when their account was created — ranging from self-asserted identity with no checking, up to verified government documents combined with a biometric match. Authenticator Assurance Level (AAL) grades how strong each individual login is — from a single password, up to phishing-resistant hardware factors. They are independent: you can have a weakly-proofed identity logging in with a strong factor, or the reverse.

The value of this vocabulary is precision. Instead of arguing about whether identity verification is "strong enough" using adjectives, a team can specify an exact target — "IAL2, AAL2" — that maps to defined controls. In telemedicine you set those targets by role and by what a session exposes. A prescribing clinician needs high assurance on both dials; electronic prescribing of controlled substances (EPCS) effectively demands IAL2/AAL2-class identity proofing and authentication. A patient joining a low-risk consult can be given friction proportionate to the risk, not the maximum.

For a product team, the practical implication is to design enrollment and login as tiered flows rather than one-size-fits-all, and to record which assurance level each account actually met. The common pitfall is conflating the two dials — assuming that because a clinician logs in with MFA (a high AAL) their underlying identity was rigorously proofed (a high IAL), when in fact identity proofing may have been skipped at signup. EPCS and high-trust integrations care about both, so verify and document each independently.
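The pitfall described above, shown as an authorization gate that checks each dial on its own and reports which one falls short. This is an added example, not code from NIST or from any product: the action names, the policy table and the IAL1/AAL1 row for patients are assumptions, and only the EPCS row reflects the IAL2/AAL2 target named in the text.

```python
from dataclasses import dataclass
from enum import IntEnum

class IAL(IntEnum):   # identity proofing strength, fixed at enrollment
    IAL1 = 1
    IAL2 = 2
    IAL3 = 3

class AAL(IntEnum):   # authentication strength of one login
    AAL1 = 1
    AAL2 = 2
    AAL3 = 3

@dataclass(frozen=True)
class Account:
    user_id: str
    proofed_ial: IAL  # what enrollment actually achieved; only re-proofing raises it

@dataclass(frozen=True)
class Session:
    account: Account
    session_aal: AAL  # derived from the authenticators used for THIS login

# Assumed policy table (hypothetical action names).
REQUIRED = {
    "join_low_risk_consult": (IAL.IAL1, AAL.AAL1),
    "sign_epcs_prescription": (IAL.IAL2, AAL.AAL2),
}

def authorize(session: Session, action: str) -> tuple[bool, list[str]]:
    """Check both dials independently; return (allowed, remediation steps)."""
    if action not in REQUIRED:
        return False, ["unknown_action"]  # fail closed on unmapped actions
    need_ial, need_aal = REQUIRED[action]
    gaps = []
    if session.account.proofed_ial < need_ial:
        # A stronger login cannot fix this; the account must be re-proofed.
        gaps.append(f"reproof_identity_to_{need_ial.name}")
    if session.session_aal < need_aal:
        gaps.append(f"step_up_login_to_{need_aal.name}")
    return (not gaps), gaps

# Constructed sample accounts and sessions (MFA modelled as AAL2, password as AAL1).
UNPROOFED = Account("clinician-a", IAL.IAL1)  # proofing skipped at signup
PROOFED = Account("clinician-b", IAL.IAL2)
MFA_BUT_UNPROOFED = Session(UNPROOFED, AAL.AAL2)
PROOFED_PASSWORD_ONLY = Session(PROOFED, AAL.AAL1)
PROOFED_WITH_MFA = Session(PROOFED, AAL.AAL2)
```

The two remediation strings map to different flows: one sends the user back through enrollment, the other only prompts for a stronger factor in the current session.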