Colorado — Colorado AI Act tracker

What the Colorado AI Act actually does

The Colorado AI Act is the first US state statute to impose horizontal, sector-agnostic duties on developers and deployers of AI systems used in consequential decisions. It borrows structure from the EU AI Act but is narrower in two important ways: it applies only to high-risk systems (defined by consequential-decision use, not by Annex III category), and it enforces only through the Colorado Attorney General with no private right of action.

The statute's core concepts:

• High-risk artificial intelligence system — an AI system that, when deployed, makes or is a substantial factor in making a consequential decision. Narrow carve-outs exist for anti-fraud, cybersecurity, and certain generative AI uses.
• Consequential decision — a decision that has a material legal or similarly significant effect on access to, or the cost or terms of, one of the listed domains: education enrollment or opportunity, employment or employment opportunity, a financial or lending service, an essential government service, healthcare services, housing, insurance, or a legal service.
• Algorithmic discrimination — unlawful differential treatment or disparate impact on a protected class basis, as informed by existing federal and state civil rights law.
• Developer — a person doing business in Colorado that develops or intentionally and substantially modifies a high-risk AI system.
• Deployer — a person doing business in Colorado that uses a high-risk AI system to make a consequential decision.

The Act's design choice is important: consequential-decision use, not technical category, triggers coverage. A model trained for credit underwriting is only covered when actually deployed to make lending decisions for Colorado consumers. A general-purpose model is not itself in scope unless and until a deployer puts it to a consequential-decision use.

Developer duties under SB 24-205

A developer of a high-risk AI system doing business in Colorado must, on and after 30 June 2026:

1. Use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination arising from the intended and contracted uses of the system.
2. Provide a statement disclosing the types of high-risk AI systems the developer has developed or substantially modified, and how the developer manages known or reasonably foreseeable risks of algorithmic discrimination.
3. Make technical documentation available to deployers — including a general description of the system, its intended uses and benefits, reasonably foreseeable uses, and harmful or inappropriate uses; the type of data used to train the system and the limitations of the data; the purpose of the system, intended outputs, and how the outputs should be interpreted and used; measures taken to mitigate risks of algorithmic discrimination; and how the system should be used, not be used, and monitored when used to make a consequential decision.
4. Notify the Colorado Attorney General and known deployers within 90 days of discovering that the developer's system has caused, or is reasonably likely to have caused, algorithmic discrimination.
5. Publish a public statement summarising the types of high-risk systems the developer has developed or substantially modified that are currently available to deployers.

Reasonable-care compliance is evidenced by following a recognised AI risk management framework (the statute explicitly references the NIST AI RMF and ISO/IEC 42001 as examples). Developers who document their adherence to such a framework qualify for a rebuttable presumption of reasonable care.

Deployer duties under SB 24-205

A deployer of a high-risk AI system doing business in Colorado must, on and after 30 June 2026:

1. Implement a risk management policy and program to govern the deployer's use of the high-risk system. The policy must be reasonable considering the deployer's size and complexity and the nature of the system's use. Adherence to a recognised risk management framework (NIST AI RMF, ISO/IEC 42001) is again evidence of reasonableness.
2. Complete an impact assessment before deploying the system, and annually thereafter, and within 90 days of any intentional and substantial modification. The assessment must cover the purpose and intended use, the categories of data used, the benefits, the known or reasonably foreseeable risks of algorithmic discrimination, the steps taken to mitigate those risks, and the post-deployment monitoring and safeguards.
3. Notify consumers before a high-risk AI system is used to make a consequential decision about them, and provide a statement of the purpose of the system, the nature of the decision, and the deployer's contact information.
4. Provide an adverse-decision notice where a consequential decision is adverse to the consumer, including the principal reasons for the decision, an opportunity to correct incorrect personal data, and an opportunity to appeal for human review.
5. Publish a website disclosure summarising the types of high-risk AI systems the deployer currently deploys, how the deployer manages known or reasonably foreseeable risks of algorithmic discrimination, and the nature and source of information collected and used.
6. Notify the Colorado Attorney General within 90 days of discovering algorithmic discrimination caused by the deployed system.

Small deployers (those with fewer than 50 employees who do not use their own data to train the system) have a narrower set of obligations.

What Colorado developers and deployers should do today

The 30 June 2026 effective date gives organisations a short runway. The practical sequence:

1. Map your Colorado exposure. If your system is used — or is contracted to be used — to make consequential decisions affecting Colorado consumers, you are in scope regardless of where you are headquartered. Enumerate each such deployment path.
2. Adopt a recognised AI risk management framework. NIST AI RMF 1.0 and ISO/IEC 42001:2023 are explicitly referenced by the statute. Pick one and document your implementation. This is how you earn the rebuttable presumption of reasonable care.
3. Produce developer technical documentation for every high-risk system. Regula's regula docs and regula conform commands generate Annex IV-style scaffolds that cover most of the Colorado disclosure categories — training data description, intended use, foreseeable misuse, mitigation measures, monitoring. The EU template goes further than Colorado requires, which is fine.
4. Run the Article 14 oversight trace. Colorado's consumer adverse-decision notice requires an opportunity to appeal for human review. Regula's regula oversight command traces AI model outputs through call chains cross-file and flags where a human review gate is absent. This is the exact control Colorado expects.
5. Stand up a deployer impact assessment process. The initial assessment must be complete before deployment on 30 June 2026. Annual thereafter. Regula's regula gap and regula evidence-pack commands provide inputs that map onto the statute's assessment categories.
6. Monitor the Colorado Attorney General's rulemaking. The AG is empowered to issue implementing regulations. As of 2026-04-08 no final rules have been published. This page will update when they are.

Where Regula fits for Colorado teams

Regula was built primarily against the EU AI Act, but the Colorado AI Act's developer and deployer categories map cleanly onto work Regula already does. Practical starting commands:

pipx install regula-ai

regula discover .              # AI systems present in the project
regula check .                 # Risk indicators across all frameworks
regula gap --project .         # Gap assessment (reuses Art 9-15 structure)
regula oversight .              # Cross-file human-review gate detection
regula docs .                  # Technical documentation scaffold
regula conform .               # Evidence pack — maps to deployer impact assessment
regula sbom --ai-bom .         # AI Bill of Materials (CycloneDX 1.7)

The NIST AI RMF mapping that gets you the Colorado rebuttable presumption is already shipped in Regula's references/framework_crosswalk.yaml. A single regula check run reports findings against the EU AI Act, NIST AI RMF, ISO/IEC 42001, OWASP LLM Top 10, and the other frameworks Regula supports.

What Regula does not do for Colorado: issue your consumer notices, track your deployer impact assessment history, or act as a compliance certificate. The statute is enforced by the Colorado AG against real organisations — Regula helps you produce the evidence, not the legal conclusion.

What we are tracking for the Colorado page

This page will be updated as the Colorado landscape moves. Specifically we are watching for:

1. Colorado Attorney General implementing rules under SB 24-205. The AG is empowered to issue regulations defining documentation formats, notice content, and risk management framework criteria. No final rules as of 2026-04-08.
2. Further legislative amendments. SB 25B-004 was intended to be one of multiple corrective bills. Further amendment is expected before the 30 June 2026 effective date.
3. Enforcement signals — the first AG complaint, consent decree, or public enforcement action under the Act.
4. Other US state statutes following Colorado's lead. Texas (TRAIGA), California (SB 53 successors), and Connecticut have active AI legislation. We will add state pages where statutes are enacted.

If you spot something we have missed, please open an issue.

Frequently asked questions

Sources