Colorado AI Act, the working playbook through the May 2026 inflection.

What is the Colorado AI Act?

The Colorado Artificial Intelligence Act (SB 24-205, codified in C.R.S. § 6-1-1701 et seq.) was signed by Governor Polis on May 17, 2024. It is the first comprehensive US state law regulating AI used in “consequential decisions” about people’s lives. Originally scheduled to take effect February 1, 2026, the effective date was postponed by SB 25B-004 to June 30, 2026.^[CO1][CO2]

The Colorado Artificial Intelligence Act (SB 24-205), signed into law on May 17, 2024, represents the first comprehensive state-level AI regulation in the United States. While other states have passed targeted AI bills addressing specific use cases (like Illinois’ biometric privacy law or New York City’s automated employment decision tool law), Colorado’s legislation establishes broad requirements governing AI systems across multiple high-stakes domains.^[1][3]

The law is modeled conceptually on the EU AI Act but adapted to US legal frameworks. Rather than the EU’s risk-tiered classification system with prohibited uses, limited-risk categories, and extensive compliance obligations, Colorado takes a more streamlined approach: it identifies "high-risk" AI systems based on their use in consequential decisions and requires both developers and deployers to exercise "reasonable care" to prevent algorithmic discrimination.^[4]

Legislative and Litigation Timeline

The May 2026 picture is a regulatory window, not a substantive reset. Either the original duty-of-care Act takes effect on June 30 (modulated by the federal-court stay and any replacement legislation), or SB 26-189 supersedes it with a disclosure-and-recordkeeping regime effective January 1, 2027. The substantive obligations described in this guide remain the working planning baseline; the section on SB 26-189 below identifies which obligations would change if the replacement passes.

Scope and applicability

The Colorado AI Act applies to any person or entity "doing business in Colorado" that develops or deploys high-risk AI systems. This broad jurisdictional language means that organizations headquartered outside Colorado must comply if they serve Colorado residents or make AI-driven decisions affecting them.^[1]

Who Must Comply

The law establishes two distinct regulated parties with different obligations:

Important note: An organization can be both a developer and a deployer. For example, a healthcare system that builds its own clinical decision support AI and deploys it internally must comply with both sets of requirements.

What Qualifies as High-Risk

An AI system becomes "high-risk" when it is deployed to make, or is a substantial factor in making, a consequential decision. The law defines consequential decisions as those with a "material legal or similarly significant effect" on consumers in eight domains:^[4]

Notable Exemptions

The Colorado AI Act includes several important exemptions:

• Anti-fraud and security systems: AI used exclusively to detect, prevent, or investigate fraud, security incidents, or malicious activity
• Narrow procedural tasks: AI performing basic administrative functions (spell check, document formatting, data entry)
• HIPAA-regulated entities: Limited exemptions for covered entities under federal health privacy law^[5]

Key definitions

Understanding the Colorado AI Act requires familiarity with four critical terms that structure the law’s obligations:

Algorithmic Discrimination

The law defines algorithmic discrimination as any condition in which the use of an AI system results in unlawful differential treatment or impact that disfavors an individual or group on the basis of their actual or perceived:

• Age
• Color
• Disability
• Ethnicity
• Genetic information
• National origin
• Race
• Religion
• Sex (including pregnancy, childbirth, and related medical conditions)
• Sexual orientation
• Other classifications protected under Colorado or federal law^[4]

This definition is critically important because it establishes the harm the law seeks to prevent. Unlike general "bias" or "unfairness," algorithmic discrimination specifically refers to legally protected categories—tying AI governance to existing anti-discrimination law.

Consequential Decision

A consequential decision is any decision that has a material legal or similarly significant effect on the provision or denial to any consumer of:

• Education enrollment or opportunity
• Employment or employment opportunity
• Financial or lending services
• Essential government services
• Healthcare services
• Housing
• Insurance
• Legal services^[4]

The phrase "substantial factor in making" is deliberately broad. An AI system need not make the final decision autonomously to qualify as high-risk—it only needs to significantly influence the outcome. This captures AI systems where humans retain final decision authority but rely heavily on AI-generated recommendations.

Developer vs. Deployer

The law creates a two-party framework with distinct obligations:

Developer requirements

Developers of high-risk AI systems must comply with five core obligations designed to ensure transparency, enable downstream risk management, and facilitate accountability. These requirements take effect June 30, 2026.^[2]

1. Duty of Reasonable Care

Developers must use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination arising from the intended and contracted uses of the high-risk AI system.^[4]

This standard is deliberately flexible—"reasonable care" is a fact-specific inquiry based on:

• The nature and severity of potential algorithmic discrimination
• The state of the art in AI development practices
• Industry-specific norms and best practices
• The feasibility and cost of risk mitigation measures

2. Documentation and Information Disclosure

Developers must make available to deployers (or other developers) documentation necessary to understand system behavior and assess discrimination risks. Required disclosures include:^[4]

This language explicitly references model cards and dataset cards—documentation formats pioneered by researchers at Google and Microsoft to standardize AI transparency. Organizations can leverage existing model card frameworks (e.g., Mitchell et al. 2019) to satisfy these requirements.

3. Public Disclosure of AI Systems

Developers must publicly disclose summaries of high-risk AI systems they offer. This creates a registry-like transparency mechanism allowing researchers, advocates, and regulators to understand the scope of high-risk AI deployment in Colorado.^[4]

4. Discrimination Risk Reporting

Developers must disclose to the Colorado Attorney General and known deployers any known or reasonably foreseeable risks of algorithmic discrimination within 90 days after discovery or receipt of a credible report.^[5]

This incident reporting obligation is analogous to data breach notification laws. It requires developers to:

• Establish internal processes for detecting discrimination risks
• Respond to external reports of bias or unfairness
• Notify downstream deployers so they can take corrective action

5. Impact Assessment Support

Developers must provide deployers with sufficient information to conduct their own impact assessments. This creates a chain of accountability: developers build systems with transparency in mind, deployers assess context-specific risks, and both parties share responsibility for preventing algorithmic discrimination.^[4]

Deployer requirements

Deployers of high-risk AI systems face more extensive obligations than developers, reflecting their direct relationship with affected consumers. Under SB 25B-004, all deployer requirements—including impact assessments and consumer disclosures—take effect on a single date:^[2][4]

• June 30, 2026: Risk management policies, reasonable care obligations, impact assessments, and consumer disclosure requirements all become enforceable

1. Duty of Reasonable Care

Like developers, deployers must use reasonable care to protect consumers from known or reasonably foreseeable risks of algorithmic discrimination. For deployers, this means understanding how AI systems behave in their specific use context and implementing safeguards against biased outcomes.^[4]

2. Risk Management Policy and Program

Deployers must implement a risk management policy and program governing the deployment of high-risk AI systems. The policy must specify and incorporate:^[4]

This requirement closely mirrors the NIST AI RMF Govern function and the ISO 42001 AI management system approach. Organizations that have implemented these frameworks will find significant overlap with Colorado’s requirements.

3. Impact Assessments (Effective June 30, 2026)

Deployers must complete impact assessments for each high-risk AI system before deployment and annually thereafter. The impact assessment must document:^[4]

• Purpose, intended use cases, and deployment context
• Benefits to the deployer and consumers
• Categories of data processed
• Known or foreseeable algorithmic discrimination risks
• Measures taken to mitigate identified risks
• Metrics and processes for ongoing performance monitoring
• Post-deployment data and metrics if applicable

Impact assessments must be provided to the Colorado Attorney General upon request—they are not proactively submitted but must be available for regulatory inspection.

4. Consumer Disclosures (Effective June 30, 2026)

Deployers must provide clear and conspicuous notice to consumers when a high-risk AI system is used to make or substantially inform a consequential decision about them. The notice must include:^[4]

5. Management and Oversight

Deployers must designate personnel responsible for implementing the risk management program and must ensure appropriate oversight of high-risk AI system deployment. This includes executive accountability—leadership must be informed of AI-related risks and mitigation efforts.^[4]

Consumer rights

The Colorado AI Act establishes three core rights for consumers affected by high-risk AI systems. These rights take effect June 30, 2026 and create enforceable obligations for deployers.^[2][4]

Right to Meaningful Explanation

Consumers have the right to receive a statement disclosing:

• The principal reason(s) for the consequential decision
• How the AI system influenced or determined the outcome
• What data was most significant in the decision

This explanation must be provided in plain language—not technical jargon. For example, a job applicant rejected by an AI screening tool has the right to understand which factors (e.g., employment gaps, keyword matching, assessment scores) most influenced the rejection.

Right to Correct Data

Consumers may request correction of personal data used by the AI system if they believe it is inaccurate. The deployer must:

• Provide a mechanism for consumers to submit correction requests
• Investigate disputed data
• Correct verified inaccuracies and reprocess the decision if appropriate
• Document the correction and any resulting changes to the outcome

Right to Appeal

Consumers have the right to appeal adverse consequential decisions. The deployer must:

• Establish an appeals process
• Allow consumers to submit additional information
• Conduct human review of appealed decisions
• Provide a written response explaining the appeal outcome^[4]

Importantly, the "human review" requirement means a deployer cannot automatically defer to the AI system’s original output during appeals. A qualified human must substantively evaluate the appeal and exercise independent judgment.

Opt-Out Rights Under Colorado Privacy Act

The Colorado AI Act integrates with the existing Colorado Privacy Act (CPA). Consumers have the right to opt out of the processing of personal data for profiling in furtherance of decisions that produce legal or similarly significant effects—which encompasses high-risk AI systems.^[6]

Enforcement and penalties

The Colorado AI Act grants the Attorney General exclusive enforcement authority. There is no private right of action—only the AG can bring enforcement actions for violations.^[1]

Enforcement Mechanisms

Violations of the Colorado AI Act are treated as deceptive trade practices under the Colorado Consumer Protection Act. This classification subjects violators to:

• Civil penalties up to $20,000 per violation
• Injunctive relief requiring cessation of unlawful practices
• Corrective advertising or public disclosure
• Restitution to affected consumers in some cases^[1]

The "per violation" structure means penalties can accumulate rapidly. If a deployer fails to provide required disclosures to 1,000 Colorado consumers, each instance could constitute a separate violation—creating potential exposure of $20 million.

60-Day Cure Period

The law includes an important affirmative defense for organizations that discover and cure violations before enforcement. If a developer or deployer:^[5]

• Discovers a violation through internal testing, feedback, or review
• Cures the violation within 60 days of discovery
• Provides the Attorney General with a statement describing the violation and cure

Then they have an affirmative defense against enforcement actions for that violation. This "self-reporting plus cure" mechanism incentivizes proactive compliance monitoring and rewards good-faith remediation efforts.

Framework Compliance Safe Harbor

Organizations that comply with a nationally or internationally recognized AI risk management framework designated by the Colorado Attorney General benefit from a rebuttable presumption of reasonable care. Frameworks explicitly mentioned include:^[3]

• NIST AI Risk Management Framework
• ISO/IEC 42001

This creates a powerful compliance pathway: implement NIST AI RMF or pursue ISO 42001 certification, document your implementation, and establish a rebuttable presumption that you exercised reasonable care to prevent algorithmic discrimination.

Rulemaking Authority

The Attorney General has authority to issue rules implementing the Colorado AI Act. Expected guidance includes:

• Clarification of "substantial modification" and other definitional questions
• Specification of recognized risk management frameworks
• Guidance on impact assessment content and format
• Consumer disclosure best practices^[1]

Comparison to the EU AI Act

The Colorado AI Act is often described as "US-style EU AI Act regulation," but meaningful differences exist. Here’s a comparative analysis:

Key Similarities

• Risk-based approach: Both focus regulatory intensity on high-stakes AI applications
• Impact assessments: Both require systematic evaluation before deployment
• Transparency obligations: Both mandate disclosure to affected individuals
• Documentation requirements: Both emphasize technical documentation (model cards, dataset cards)

Key Differences

• Flexibility vs. prescription: Colorado’s "reasonable care" standard is more flexible than the EU’s detailed technical requirements
• Penalty severity: EU penalties are orders of magnitude higher, creating stronger deterrent effects
• Prohibited uses: EU AI Act bans certain applications (social scoring, real-time biometric identification); Colorado does not
• Extraterritoriality: EU AI Act has broader extraterritorial reach covering any AI system used in the EU market^[7]

For healthcare vendors

Healthcare AI teams have specific statutory hooks under the Colorado AI Act. An AI system is more likely to be high-risk when it makes, or is a substantial factor in making, consequential decisions about:

• Access to healthcare services
• Cost or terms of healthcare services
• Coverage or prior-authorization workflows that materially affect access or cost

Whether a given clinical workflow qualifies turns on the facts. The closer the system is to access, cost, coverage, or other consequential decisions, the stronger the case for treating it as high-risk. Vendors building or substantially modifying these systems act as developers; health systems and payers using them to make consequential decisions act as deployers. Many organizations will be both.

The algorithmic-discrimination focus lands heavily on healthcare. In practice, teams address that risk through testing and review designed to surface materially different outcomes across groups, documenting mitigation steps and governance decisions, and monitoring for discriminatory patterns post-deployment. The documentation isn’t the compliance artifact — the evidence that testing occurred and results were reviewed is.

For background on how EU AI Act, Colorado, and California rules overlap for healthcare teams, see our EU AI Act guide and HIPAA-compliant AI guide.

Compliance roadmap

The May 2026 picture leaves two viable scenarios: SB 24-205 enforceable on June 30 (subject to the federal-court stay) or SB 26-189 superseding it on January 1, 2027. The roadmap below is sequenced for the earlier date and is durable against the later one — every artifact survives the pivot to a disclosure-and-recordkeeping regime. The principle is the same either way: prioritize evidence generation over documentation theater.

GLACIS Framework

Colorado AI Act Compliance Sprint

1

Inventory & Risk Classification (Weeks 1-3)

Catalog all AI systems used in your organization. Classify each system against the eight high-risk domains. Prioritize systems making consequential decisions in employment, housing, credit, or healthcare. Document whether your organization acts as developer, deployer, or both for each system.

2

Framework Adoption (Weeks 4-8)

Adopt NIST AI RMF or pursue ISO 42001 certification to establish the rebuttable presumption of reasonable care. Map your current practices to framework requirements. Identify gaps in governance structure, testing processes, and documentation.

3

Bias Testing & Evidence Generation (Weeks 9-14)

Implement algorithmic fairness testing for high-risk systems. Test for disparate impact across protected characteristics (race, gender, age, disability). Generate verifiable evidence of testing—not just internal reports but cryptographic attestations that testing occurred and results were reviewed. This addresses the core compliance question: can you prove you tested for discrimination?

4

Documentation & Impact Assessments (Weeks 15-20)

Complete impact assessments for each high-risk system. Create model cards and dataset cards if you’re a developer. Draft risk management policies specifying principles, processes, personnel, and mitigation measures. Prepare consumer disclosure templates.

5

Operational Readiness (Weeks 21-24)

Train personnel on new AI governance requirements. Implement consumer disclosure mechanisms (e.g., website notices, application disclosures). Establish appeals and data correction processes. Create internal reporting workflows for discrimination risk discovery.

6

Continuous Monitoring (Post-June 2026)

Deploy production monitoring for algorithmic discrimination indicators. Conduct annual impact assessment updates. Review and update risk management policies as AI systems evolve. Monitor Attorney General guidance for implementation clarifications.

Critical insight: The April 2026 enforcement stay and the May 1 introduction of SB 26-189 don’t reset the work — they reset the deadline. Algorithmic fairness testing and the runtime evidence layer take months to implement well, and every artifact in this roadmap is durable across both statutes. Surface-level “bias checks” and policy-PDF compliance won’t withstand AG scrutiny or enterprise procurement reviews under either regime.

Role-Specific Action Items

Frequently asked questions

References