
Colorado's AI Act Is the Most Consequential State Law You're Not Thinking About

SB 24-205 drops February 1, 2026. If you build or deploy AI that makes consequential decisions affecting Colorado residents, you have compliance obligations that start now — not then.

Colorado just did something most states haven’t managed to do: pass a comprehensive AI regulation that actually has teeth and a clear enforcement mechanism. The Colorado Artificial Intelligence Act — Senate Bill 24-205 — goes into effect February 1, 2026. That sounds like plenty of runway. It isn’t.

If your company builds AI systems or deploys them to make decisions that affect Colorado residents, you need to understand this law before your engineering team ships another model update.


What the Law Actually Covers

The Colorado AI Act targets what it calls “high-risk artificial intelligence systems” — defined as AI that makes or is a substantial factor in a “consequential decision.” Consequential decisions include determinations about employment, education enrollment, financial services, healthcare, housing, insurance, and legal services.

So: hiring algorithms, loan underwriting models, insurance risk scoring, tenant screening tools, college admissions systems. If your AI touches any of those categories and affects Colorado residents, you’re in scope.

The law creates two distinct obligation tracks: one for developers and one for deployers. This distinction matters enormously.


Developer Obligations

If you build a high-risk AI system, you have to provide deployers with documentation covering:

  • The system’s intended uses and foreseeable outputs
  • Known limitations and known risks of algorithmic discrimination
  • The performance metrics you used during development
  • Instructions for how a deployer can conduct their own impact assessment
  • A summary of the data used to train the model

This is essentially a model card requirement with legal force. You’re not just publishing it for good vibes on Hugging Face — you’re creating a document that a downstream deployer will use to satisfy their own compliance obligations, and that the Colorado AG could subpoena if something goes wrong.

If you’re building foundation models or general-purpose AI that others fine-tune and deploy, your documentation obligations are harder to satisfy because “intended use” is genuinely ambiguous. That’s a problem the law doesn’t resolve cleanly.


Deployer Obligations

If you’re the entity actually using a high-risk AI system to make consequential decisions, Colorado expects you to:

1. Conduct annual impact assessments. These have to evaluate the risk of algorithmic discrimination — meaning differential outcomes by race, color, ethnicity, sex, religion, age, national origin, or disability status. You document your methodology, your findings, and what you did about them.

2. Implement a risk management policy. Not a one-page document your GC signs off on — an actual ongoing program.

3. Disclose to consumers. When a consequential decision is made using a high-risk AI system, the consumer has to be told. They also have to be told how to appeal.

4. Provide a meaningful appeal pathway. “Meaningful” here means a human has to be able to review it. You can’t just let the model re-run.

The civil penalty for violations is up to $20,000 per violation. There’s a 60-day cure period — if the AG notifies you of a violation, you get two months to fix it before the penalties kick in, as long as you haven’t committed the same violation in the past two years. That cure period is your safety valve, and it’s not guaranteed.


What Compliance Actually Looks Like

Here’s the practical picture for a mid-sized startup that uses an AI hiring screening tool:

You need to know whether your vendor qualifies as a “developer” under Colorado’s definition and whether they’ve provided you the required documentation. If they haven’t, you have a problem — because the deployer obligations land on you even if your vendor built the model.

You then need to run a bias audit on the outputs of that tool against protected class data for Colorado applicants — or contract with someone who can do it credibly. You need to write and maintain a risk management policy. You need to update your rejection notices to disclose that AI was used in the decision and explain how to appeal.

None of this is technically impossible. It’s just work that most companies aren’t currently doing.


The Open Questions

The law has ambiguities that courts and regulators will eventually resolve. The definition of “consequential decision” is written broadly enough that companies will litigate where the edges are. “Substantial factor” is not defined with precision — if your AI generates a score that a human then reviews, does that make the AI a substantial factor? Possibly.

The Colorado AG has enforcement authority and no track record yet on how aggressively they’ll use it. That uncertainty cuts both ways — you could get lucky, or you could be the case that sets the standard.

The law that Colorado passed here is imperfect, like every first-generation regulatory framework. But it’s the most operationally serious state AI regulation in the country right now. Build your compliance program before the effective date, not after the first enforcement action.

Knowledge to the people.


You can find the original text of Colorado SB 24-205 as amended.
