Hi Friend,
IAP will NAT the user traffic in one of the following scenario,
1. when you choose VLAN assignement as "Virtual Controller Managed"
2. When you create VPN with the controller and choose DHCP server mode as Local.
When you choose " Virtual Controller Managed " option, client will get the IP either from magic VLAN subnet (172.31.98.x/23) or from the default DHCP scope defined in the IAP.
When you are using IAP VPN, Local DHCP option, client will get IP from the DHCP pool defined under Local.
IAP always NAT( Source NAT) the user traffic with it's uplink IP address.
Hope you got some more clarity on this,
Please feel free for any query on this.