days until enforcement

Colorado AI Act
SB 24-205

The first comprehensive US state AI law. $20,000 per violation per consumer or transaction. Effective June 30, 2026. NIST AI RMF compliance activates the strongest safe harbor in US law.

Free Compliance Assessment Read the full compliance guide →

What the law says

Who it covers

Developers and deployers of high-risk AI systems making consequential decisions in employment, education, housing, healthcare, financial services, insurance, legal, and government sectors.

Key requirements

• Duty of care to prevent algorithmic discrimination
• Impact assessments (initial + annual)
• Risk management aligned with NIST AI RMF / ISO 42001
• Consumer notification before consequential decisions
• Public disclosure on website
• Report discrimination to AG within 90 days

When it takes effect

days until June 30, 2026

AG exclusive enforcement begins on day one. No cure period for initial violations. This is not a grace period — it's a cliff.

What happens if you don't

$20,000

per violation, per consumer or transaction

If your AI system processes 100 transactions per day, that's $2,000,000/day in potential penalty exposure. AG has exclusive enforcement authority.

The safe harbor — and how to activate it

Colorado offers the strongest AI safe harbor in US law: a rebuttable presumption of reasonable care if you demonstrate NIST AI RMF or ISO 42001 compliance.

Policies alone don't qualify

Having a PDF that describes your NIST mapping isn't enough. The safe harbor requires evidence that you actually followed the framework — not just that you documented it.

GLACIS activates the defense

GLACIS generates continuous cryptographic evidence that your NIST AI RMF-mapped controls actually executed — third-party witnessed, tamper-proof, ready for auditors and courts. This is the evidence trail that activates your affirmative defense.