[Edit: Hmmm. In reading through section 3.72, I now realize that the workflows defined in the IUA document do not follow the assertion frameworks proposed in RFCs 7521-7523, and my earlier comment was based on the mistaken assumption that those workflows were being followed (as used in UDAP, for example) so I have deleted the earlier comment and replaced with the following.]
In the current IUA workflows, the entity that provides the signed assertions is called the Authorization Server, but this is not the way this term is generally used in the OAuth 2.0 arena. As this actor is providing the assertions that contain the authorization metadata needed to make authorization decisions, then this actor is associated with the client and not the resource server. Other frameworks would call this the Client Token Service or Assertion Provider or something similar, but not call it the Authorization Server.
The term Authorization Server should represent the entity associated with the resource server that evaluates the assertions provided by clients to determine if an access token should be granted. Instead, the authorization token is presented directly to the resource server without a separate access token, such that the role of the Authorization Server (in the OAuth 2.0 sense) has actually been rolled into the resource server.
I see that how the IUA workflow does parallel how XUA is used in SOAP transactions, but this is not the way that FHIR/OAuth environments generally work. For example, the IUA model has not OAuth 2.0 token endpoint.