Skip to main content
Not yet in effect (revised; effective Jan 1, 2027)Colorado, USA

Colorado Artificial Intelligence Act Compliance Guide

Colorado's AI law — revised by SB 189 into a narrower ADMT disclosure framework and not yet in effect — what it now covers, and how to prepare ahead of the January 1, 2027 effective date.

Overview

The Colorado Artificial Intelligence Act was originally enacted as SB 24-205 in May 2024, but it was substantially revised before it ever took effect. Senate Bill 189 (signed May 14, 2026) replaced the original impact-assessment regime with a narrower disclosure-focused framework centered on automated decision-making technology (ADMT), and moved the effective date to January 1, 2027. A federal court also paused enforcement of the earlier version in April 2026. As a result, the Colorado law is not yet in effect, and the broad annual impact-assessment and consumer-notification obligations described for the original bill are not currently active law. Organizations should treat Colorado as a monitor-and-prepare item rather than a present compliance obligation.

Who must comply?

As originally enacted (SB 24-205), the Colorado AI Act applied to (1) developers that create high-risk AI systems and (2) deployers that use them to make or substantially assist in consequential decisions affecting Colorado consumers — across education, employment, lending and insurance, healthcare, housing, legal services, and voting. SB 189 narrowed and refocused the framework around automated decision-making technology (ADMT) disclosures, and the law is not yet in effect. Confirm the current scope and your obligations with counsel before relying on these categories.

Quick Facts

Framework
Colorado Artificial Intelligence Act
Jurisdiction
Colorado, USA
Status
Not yet in effect (revised; effective Jan 1, 2027)
Penalties
Enforcement is by the Colorado Attorney General, with no private right of action. Under the original SB 24-205, violations were treated as deceptive trade practices (commonly cited at up to $20,000 per violation). Because the law was revised by SB 189, is not yet in effect, and enforcement of the earlier version was paused in April 2026, confirm the operative penalty provisions with counsel before relying on any figure.

Get compliant with Risk Meridian

Start now — first AI system inventoried in under 10 minutes. No credit card required.

Get Started

Key obligations under Colorado AI Act

What your organization must actually do to comply — broken down by obligation category.

Algorithmic Impact Assessment (revised)

As originally enacted, developers were to conduct algorithmic impact assessments before releasing a high-risk AI system, and deployers were to conduct annual assessments with public summaries. SB 189 narrowed this impact-assessment regime, and the law is not yet in effect — treat this as a possible future obligation, not a current one.

Disclosure Statements (revised)

The original bill called for developers and deployers to publish statements describing how high-risk AI systems are developed, evaluated, and governed. The revised SB 189 framework refocuses on disclosure, but the specific statements are subject to the new law and any rulemaking; nothing is in effect yet.

ADMT Consumer Disclosure

A central theme of both the original and revised law is notifying consumers, in plain language, when automated decision-making technology (ADMT) is used in a consequential decision about them. The revised SB 189 framework centers on this ADMT disclosure, effective January 1, 2027.

Human Review Right (revised)

The original bill gave consumers a right to request human review of consequential decisions made or substantially assisted by a high-risk AI system. Confirm how the revised law treats this right; it is not yet enforceable.

Anti-Discrimination Purpose

A core purpose across versions is protecting consumers from algorithmic discrimination based on protected characteristics through reasonable care, testing, and remediation. This theme carries through the revisions, but enforcement is paused and the law is not yet in effect.

Risk Management Practice

The original bill expected deployers to maintain a risk management program aligned with recognized standards (NIST AI RMF, ISO/IEC 42001, or comparable). This remains sound practice, but it is not a currently enforceable Colorado mandate.

What is a 'high-risk AI system' under the Colorado AI Act?

As originally defined under SB 24-205, a 'high-risk artificial intelligence system' was any AI system that, when deployed, makes or is a substantial factor in making a consequential decision — covering significant decisions in education, employment, financial services (credit, insurance), healthcare, housing, legal services, and government services. SB 189 revised and narrowed the framework toward automated decision-making technology (ADMT) disclosures, so the operative definitions are changing; confirm the current text before relying on this scope, as the law is not yet in effect.

Developer vs. deployer obligations (under the original bill)

The original SB 24-205 distinguished between developers (who build high-risk AI systems) and deployers (who use them), assigning developers pre-market impact assessments and documentation duties, and deployers annual impact assessments, consumer notifications, human-review processes, anti-discrimination programs, and risk-management policies. SB 189 narrowed this division of duties toward an ADMT disclosure model. Because the law is not yet in effect and was substantially revised, treat the original developer/deployer obligations as background rather than current requirements.

Colorado AI Act and insurance

Colorado has a particular focus on insurance AI. Separate from the Colorado AI Act, Colorado already has an established and currently effective insurance AI bias regulation (SB 21-169), administered by the state insurance commissioner. Insurers using AI in underwriting, pricing, claims, or customer service should attend to those insurance-specific rules today, and monitor the revised Colorado AI Act (effective January 1, 2027) as it develops.

Preparing for the January 1, 2027 effective date

The revised Colorado AI Act (SB 189) is scheduled to take effect January 1, 2027, and enforcement of the earlier version was paused by a federal court in April 2026. Nothing is in force today, so there is no immediate compliance deadline — but maintaining a current AI inventory and documenting how automated decision-making technology is used will help you prepare for the ADMT disclosure framework once final requirements (and any rulemaking) are settled.

How Risk Meridian helps

Meet Colorado AI Act requirements with Risk Meridian

Risk Meridian can help you prepare for the revised Colorado AI Act: the AI system inventory and risk-assessment features help you document how automated decision-making technology is used, the disclosure tooling can support future ADMT consumer disclosures, and control tracking helps document anti-discrimination practices. Because the law is not yet in effect, treat this as preparation rather than present compliance.

What Risk Meridian covers for Colorado AI Act

  • Algorithmic Impact Assessment (revised)

  • Disclosure Statements (revised)

  • ADMT Consumer Disclosure

  • Human Review Right (revised)

  • Anti-Discrimination Purpose

  • Risk Management Practice

Colorado AI Act — frequently asked questions

Common questions from compliance officers, legal teams, and executives evaluating Colorado AI Act compliance obligations.

When does the Colorado AI Act take effect?
It is not yet in effect. The original SB 24-205 was substantially revised by SB 189 (signed May 14, 2026), which moved the effective date to January 1, 2027 and refocused the law on automated decision-making technology (ADMT) disclosures. A federal court also paused enforcement of the earlier version in April 2026. Monitor developments and any rulemaking; there is no current Colorado compliance deadline.
What is an 'algorithmic impact assessment'?
Under the original SB 24-205, an algorithmic impact assessment was a systematic evaluation of a high-risk AI system's intended benefits, potential risks, and potential for algorithmic discrimination, which developers and deployers would document and summarize. SB 189 narrowed this regime and the law is not yet in effect, so it is not a current Colorado requirement. Regardless, Risk Meridian's risk-assessment feature produces the kind of documentation that supports impact-assessment-style reviews if and when they apply.
Does the Colorado AI Act apply to out-of-state companies?
As originally drafted, the Colorado AI Act reached companies making covered decisions about Colorado residents regardless of where the company is headquartered. The revised SB 189 framework is expected to apply on a similar resident-focused basis once effective on January 1, 2027, but the precise scope is changing — confirm with counsel whether and how it will apply to your organization before relying on it.
How does the Colorado AI Act relate to Texas TRAIGA?
They are different in both substance and status. Enacted TRAIGA is an intent-based prohibition statute that is in force in Texas; the Colorado AI Act is a disclosure/ADMT framework that was revised by SB 189 and is not yet in effect (January 1, 2027). They do not impose the same obligations. Risk Meridian helps you maintain one governance record you can draw on for each as their requirements settle.

Start your Colorado AI Act compliance program today

Risk Meridian handles Colorado AI Act compliance documentation — plus every other major AI regulation — from a single platform. Start now, first AI system inventoried in under 10 minutes.

Covers 6 AI frameworks simultaneously

Document once — reuse across multiple frameworks

Board governance reports in minutes