The CIBA spec https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-02.html#rfc.section.10.1.1 currently says:
After receiving and validating a valid and authorized Token Request from the Client and when the end-user associated with the supplied auth_req_id has been authenticated and has authorized the request, the OpenID Provider returns a successful response as specified in Section 3.1.3.3 of [OpenID.Core].
After receiving and validating a valid and authorized Token Request from the Client, the Authorization Server returns a successful response that includes an ID Token and an Access Token
So as written, CIBA appears to require an access token to be returned. (I’m unsure if this is deliberate.)
Discussion with Petteri revealed they have a use case where only the id_token is required, so they don’t return an access token. It would be good to clarify if this is permitted (my main interest as usual is what checks the conformance suite should be making).