This isn't a normal GDPR situation where the user's data directly is being stored in a way that's accessible to the user as well.
It's you that fails to understand the GDPR: that situation is not possible. In this case, the IAB is acting as the data controller for this data. As per GDPR requirements, when they share this data (for whatever purpose) with third-party processors, they must ensure through their contracts that the processor can comply with data deletion requests coming from users through the IAB.
If they cannot comply with that, both the controller and the processor are in violation of the GDPR, the controller doubly so because the GDPR requires them to audit their chosen data processors for GDPR compliance.
It's you that fails to understand the GDPR: that situation is not possible. In this case, the IAB is acting as the data controller for this data. As per GDPR requirements, when they share this data (for whatever purpose) with third-party processors, they must ensure through their contracts that the processor can comply with data deletion requests coming from users through the IAB.
If they cannot comply with that, both the controller and the processor are in violation of the GDPR, the controller doubly so because the GDPR requires them to audit their chosen data processors for GDPR compliance.