ActiveColorado, USA

Colorado Artificial Intelligence Act Compliance Guide

Colorado's comprehensive AI consumer protection law — what high-risk AI system developers and deployers must do, and how to build a compliant governance program.

Overview

The Colorado Artificial Intelligence Act (Colorado AI Act, SB 24-205) is one of the most comprehensive state AI laws in the United States, alongside the Texas TRAIGA Act. Signed into law in May 2024 and effective February 1, 2026, the Colorado AI Act imposes consumer protection requirements on developers and deployers of 'high-risk artificial intelligence systems' — AI systems that make or substantially assist in consequential decisions affecting Coloradans. The Colorado AI Act's approach closely mirrors the EU AI Act's risk-based framework and includes algorithmic impact assessments, annual disclosure statements, and consumer notification obligations.

Who must comply?

The Colorado AI Act applies to: (1) developers — companies that create high-risk AI systems and license them to deployers; and (2) deployers — companies that use high-risk AI systems to make or substantially assist in consequential decisions affecting Colorado consumers. Consequential decisions include significant decisions in education, employment, financial lending and insurance, healthcare, housing, legal services, and voting. Both developers and deployers have specific but different obligations under the law.

Quick Facts

Framework
Colorado Artificial Intelligence Act
Jurisdiction
Colorado, USA
Status
Active
Penalties
Violations are enforced by the Colorado Attorney General. Civil penalties can reach $20,000 per violation. There is no private right of action — consumers cannot sue directly under the Colorado AI Act.

Get compliant with TRAIGA platform

Start free — first AI system inventoried in under 10 minutes. No credit card required.

Get Started

Related Resources

Key obligations under Colorado AI Act

What your organization must actually do to comply — broken down by obligation category.

Algorithmic Impact Assessment

Developers must conduct algorithmic impact assessments before making a high-risk AI system available. Assessments must evaluate the system's risks, potential for algorithmic discrimination, and effectiveness. Deployers must conduct annual impact assessments. Both must make summaries publicly available.

Annual Disclosure Statement

Developers must publish an annual statement disclosing how high-risk AI systems are developed, evaluated, and risk-managed. Deployers must publish a disclosure statement identifying the high-risk AI systems they deploy and describing their governance practices.

Consumer Notification

Deployers must notify consumers before using a high-risk AI system to make or substantially assist in a consequential decision about them. Notice must be in plain language, provided before the decision, and include information about the decision, the AI's role, and how to request human review.

Human Review Right

Consumers have the right to request human review of any consequential decision made or substantially assisted by a high-risk AI system. Deployers must provide a process for requesting human review and must respond to such requests.

Anti-Discrimination Safeguards

Both developers and deployers must take reasonable care to protect consumers from algorithmic discrimination based on protected characteristics. This includes bias testing, monitoring, and remediation when discrimination is identified.

Risk Management Policy

Deployers must implement a risk management policy and program consistent with recognized standards (NIST AI RMF, ISO 42001, or comparable frameworks) for each high-risk AI system they deploy.

What is a 'high-risk AI system' under the Colorado AI Act?

The Colorado AI Act defines a 'high-risk artificial intelligence system' as any AI system that, when deployed, makes or is a substantial factor in making a consequential decision. Consequential decisions are significant decisions in: education (enrollment, financial aid); employment (hiring, promotion, termination, compensation); financial services (credit, insurance); healthcare (diagnosis, treatment, referrals); housing; legal services; and government services. This is a broad definition — most consumer-facing AI in these sectors is covered.

Developer vs. deployer obligations

The Colorado AI Act distinguishes between developers (who build high-risk AI systems) and deployers (who use them). Developers' primary obligations are: pre-market algorithmic impact assessment, annual disclosure statement, provision of documentation to deployers, and contractual commitments to support deployer compliance. Deployers' primary obligations are: annual impact assessments, consumer notifications, human review processes, anti-discrimination programs, risk management policies, and annual disclosure statements. Deployers are typically larger organizations with direct customer relationships.

Colorado AI Act and insurance

Colorado has a particular focus on insurance AI — the state's insurance commissioner has authority to promulgate regulations implementing the Colorado AI Act for the insurance sector, and Colorado already has an established insurance AI bias regulation (SB 21-169). Insurers using AI in underwriting, pricing, claims processing, or customer service have overlapping Colorado AI Act and insurance-specific AI obligations.

Preparing for the 2026 effective date

The Colorado AI Act is effective February 1, 2026, giving organizations approximately a year to build compliant governance programs. Given the complexity of the algorithmic impact assessment, annual disclosure, and consumer notification requirements, organizations should begin immediately — particularly the impact assessment process, which requires systematic evaluation of each high-risk AI system's risks and potential for algorithmic discrimination.

How TRAIGA platform helps

Meet Colorado AI Act requirements with TRAIGA platform

TRAIGA platform directly supports Colorado AI Act compliance: the AI system inventory satisfies the deployer's documentation obligations; the risk assessment feature supports algorithmic impact assessments; the disclosure generator can produce Colorado-compliant consumer notifications; control tracking supports anti-discrimination program documentation; and board reports satisfy annual disclosure statement requirements.

Get Started — from $79/mo Platform overview

What TRAIGA platform covers for Colorado AI Act

  • Algorithmic Impact Assessment

  • Annual Disclosure Statement

  • Consumer Notification

  • Human Review Right

  • Anti-Discrimination Safeguards

  • Risk Management Policy

Colorado AI Act — frequently asked questions

Common questions from compliance officers, legal teams, and executives evaluating Colorado AI Act compliance obligations.

When does the Colorado AI Act take effect?
The Colorado Artificial Intelligence Act is effective February 1, 2026. Organizations should begin building compliant governance programs now — the algorithmic impact assessment, annual disclosure, and consumer notification requirements each require significant preparation.
What is an 'algorithmic impact assessment'?
An algorithmic impact assessment under the Colorado AI Act is a systematic evaluation of a high-risk AI system's intended benefits, potential risks, and potential for algorithmic discrimination. Developers must complete an assessment before making a system available; deployers must complete assessments annually. Summaries of impact assessments must be publicly available. TRAIGA's risk assessment feature produces documentation directly applicable to algorithmic impact assessment requirements.
Does the Colorado AI Act apply to out-of-state companies?
Yes. The Colorado AI Act applies to deployers that use high-risk AI systems in making consequential decisions about Colorado residents — regardless of where the company is headquartered. Any company serving Colorado consumers in covered decision domains (insurance, lending, employment, healthcare, etc.) must comply with the Colorado AI Act's deployer obligations for decisions affecting Colorado residents.
How does the Colorado AI Act relate to Texas TRAIGA?
The Colorado AI Act and Texas TRAIGA Act share a similar risk-based approach and cover similar decision domains — but have different specific requirements. Both require AI system documentation, risk assessments, consumer-facing disclosures, and anti-discrimination safeguards. TRAIGA platform maps your controls to both simultaneously, so organizations operating in both states can satisfy both laws from a single governance program.

Other AI regulation guides

Texas TRAIGA

Texas, USA

EU AI Act

European Union

NIST AI RMF

United States (Federal)

ISO 42001

International

California AI

California, USA

Start your Colorado AI Act compliance program today

TRAIGA platform handles Colorado AI Act compliance documentation — plus every other major AI regulation — from a single platform. Free to start, first AI system inventoried in under 10 minutes.

Get Started View all regulations

Covers 6 AI frameworks simultaneously

Implement controls once — satisfy all regulations

Board governance reports in minutes