Colorado AI Act and US State AI Laws: The Complete Compliance Guide for 2026
On 17 May 2024, Colorado Governor Jared Polis signed Senate Bill 24-205, the Colorado Artificial Intelligence Act, into law, making Colorado the first US state to enact comprehensive, cross-sector legislation governing the use of artificial intelligence in high-stakes decision-making. A May 2026 amendment (signed by Governor Polis on 14 May 2026) then delayed the effective date to 1 January 2027 and substantially narrowed the law, and for any organisation that develops or deploys AI systems affecting Colorado residents, the compliance clock is already ticking.
But Colorado is not acting alone. Across the United States, a wave of state-level AI legislation is reshaping the regulatory environment. From California's frontier-model safety requirements to Illinois's restrictions on AI in video interviews, companies operating nationally now face a patchwork of overlapping, and sometimes conflicting, AI obligations that rivals the complexity European organisations confront under the EU AI Act.
This guide provides a detailed breakdown of Colorado SB 205, the broader US state AI regulatory landscape, and the practical steps to build a compliance programme that works across jurisdictions. If you operate in both the US and EU, see our global AI regulation comparison.
TL;DR, Key takeaways
- Colorado SB 24-205 is the most comprehensive US state AI law, but a May 2026 amendment delayed its effective date to 1 January 2027 and narrowed its scope. It applies to any entity that develops or deploys "high-risk AI systems" that make or substantially influence "consequential decisions" about Colorado residents.
- Eight domains are covered: employment, lending, housing, insurance, healthcare, education, government services, and legal services. If your AI system operates in any of these areas, you are in scope.
- Developers must document training data, disclose known discrimination risks, report discovered vulnerabilities to deployers and the Colorado Attorney General within 90 days, and publish a public statement about each high-risk system.
- Deployers, following the May 2026 amendment, face a narrowed set of obligations centred on automated decision-making technology (ADMT) disclosure: a pre-use notice that AI is being used, a post-adverse-outcome disclosure explaining the AI's role, and a limited set of consumer rights. The original act's duty of care, risk-management-program, and annual impact-assessment requirements were removed by the amendment.
- An affirmative defense exists for organisations that follow the NIST AI Risk Management Framework and ISO 42001 (or substantially equivalent frameworks) and maintain a process to discover and cure violations.
- Penalties reach $20,000 per violation (up to $50,000 for violations affecting individuals aged 60 or older), enforced exclusively by the Colorado Attorney General, there is no private right of action.
- Colorado is not alone. Over 700 AI-related bills were introduced across US state legislatures in the 2024-2025 sessions alone, with California, New York, Illinois, Texas, and Connecticut among the most active.
- Practical strategy: build your compliance programme to the EU AI Act as the highest common denominator, then layer Colorado-specific consumer notification and AG reporting requirements on top. Use ISO 42001 and the NIST AI RMF as your operational backbone.
The US state AI regulation landscape in 2026
No federal comprehensive AI law
Despite years of Congressional hearings and multiple draft bills, the United States still lacks a comprehensive federal AI law as of mid-2026. The Biden-era Executive Order 14110 (October 2023) established reporting requirements for frontier AI developers, but executive orders lack the force of statute, and key provisions were rescinded in early 2025.
Federal regulation of AI remains sector-specific: the FDA governs AI in medical devices, the EEOC applies Title VII to algorithmic hiring discrimination, and the FTC uses its Section 5 authority against deceptive AI practices. There is no single federal body, and no single set of rules, that applies horizontally across all AI use cases.
States filling the gap
In the absence of federal action, state legislatures have stepped in aggressively. More than 700 AI-related bills were introduced across 45 states during the 2024-2025 sessions. While many address narrow issues, deepfake election content, government procurement, a growing number impose broad, cross-sector AI governance obligations on private-sector AI developers and deployers.
The most significant of these is Colorado SB 24-205, but it sits within a rapidly evolving ecosystem that includes:
- California SB 53, safety testing and reporting for frontier AI models
- New York's RAISE Act, proposed comprehensive AI accountability
- Illinois AI Video Interview Act (AIVIRA), consent and disclosure for AI-analysed job interviews
- Connecticut SB 2, AI transparency and accountability (signed May 2024)
- Texas TRAIGA (HB 149), Responsible AI Governance Act, signed into law and effective 1 January 2026 (AG-only enforcement, 60-day cure period)
- Utah AI Policy Act (SB 149), AI governance and disclosure requirements (signed March 2024)
The patchwork compliance challenge
For organisations operating nationally, this patchwork creates a multiplied compliance burden: overlapping scopes (a single AI hiring tool may trigger Colorado SB 205, Illinois AIVIRA, and EEOC guidance simultaneously), inconsistent definitions of "high-risk" and "algorithmic discrimination," different enforcement mechanisms, and rapidly changing requirements. The practical implication: building to the strictest standard is the most efficient strategy. For most organisations, this means using the EU AI Act as the compliance ceiling and mapping state-specific requirements as local addenda.
Is your AI system high-risk?
Find out in 2 minutes, free, no signup required.
Take the free assessmentColorado SB 24-205, The most comprehensive US state AI law
Colorado SB 24-205, codified at C.R.S. § 6-1-1701 et seq., represents the most far-reaching attempt by any US state to regulate AI across sectors. Unlike narrower state laws that target specific use cases (hiring algorithms, insurance underwriting), Colorado's law applies horizontally to any AI system that makes or substantially influences "consequential decisions."
Effective date: 1 January 2027
The law was signed on 17 May 2024, but a May 2026 amendment (signed by Governor Polis on 14 May 2026) delayed the effective date to 1 January 2027 and narrowed the statute's scope, most significantly, it removed the deployer duty of care, risk-management-program, and impact-assessment requirements, refocusing the law on automated decision-making technology (ADMT) disclosure. The Colorado AG's office will publish additional rulemaking guidance before the effective date, but organisations should not wait, the statutory requirements are clear enough to act on now.
Scope: "Consequential decisions" in eight domains
SB 205 applies to "high-risk artificial intelligence systems", defined as any AI system that, when deployed, makes or is a substantial factor in making a "consequential decision" concerning a consumer. The law defines "consequential decision" as a decision that has a material legal or similarly significant effect on a consumer's access to, or the cost, terms, or availability of, services or opportunities in any of the following eight domains.
The eight consequential decision domains
The breadth of these domains means that most enterprise AI applications are in scope if they affect Colorado residents. An AI-powered applicant tracking system, a credit scoring model, an insurance pricing algorithm, or a clinical decision-support tool would all fall within the statute's reach.
Algorithmic discrimination defined
At the centre of SB 205 is the concept of "algorithmic discrimination", defined as any condition in which the use of an AI system results in an unlawful differential treatment or impact that disfavours an individual or group of individuals on the basis of one or more protected characteristics.
This definition is important because it explicitly ties the Colorado AI Act to existing anti-discrimination law rather than creating a novel standard. If the differential treatment would be unlawful under Title VII, the Fair Housing Act, the Equal Credit Opportunity Act, or Colorado's own Anti-Discrimination Act (C.R.S. § 24-34-301 et seq.), then it constitutes algorithmic discrimination under SB 205 as well.
For guidance on testing your AI systems for bias and discrimination, see our AI bias testing and fairness guide.
Protected characteristics covered
SB 205 covers a broad set of protected characteristics, including:
- Race, colour, ethnicity, and national origin
- Sex, gender identity, and sexual orientation
- Religion and creed
- Disability (physical and mental)
- Age (with enhanced penalties for harm to individuals aged 60+)
- Veteran status
- Familial status
- Genetic information
This list is substantially broader than what some federal anti-discrimination statutes cover in any single domain and aligns closely with the protected characteristics recognised under the EU AI Act's provisions on high-risk systems.
Developer obligations under Colorado SB 205
SB 205 distinguishes between "developers" (entities that design, code, or substantially modify an AI system) and "deployers" (entities that use an AI system to make or inform consequential decisions). This mirrors the provider/deployer distinction in the EU AI Act, though the specific obligations differ.
Developers of high-risk AI systems bear four primary categories of obligation under SB 205.
1. Documentation and disclosure to deployers
Developers must provide deployers with reasonably sufficient documentation to enable the deployer to understand and comply with its own obligations. This documentation must include:
- A general description of the types of high-risk AI systems the developer makes available and the known beneficial uses and foreseeable risks of those systems.
- A high-level summary of the training data used to develop the system, including the types and sources of data.
- Known or reasonably foreseeable limitations of the system, including known circumstances in which the system may produce inaccurate, unreliable, or discriminatory outputs.
- A description of the types of data the system processes as inputs and the outputs it generates.
- Documentation of any evaluations conducted to assess the system's performance, including any testing for algorithmic discrimination across the protected characteristics covered by the law.
This requirement effectively mandates that developers create and maintain technical documentation analogous to what the EU AI Act requires under Annex IV, though the Colorado requirements are somewhat less prescriptive in format.
2. Disclosure of known discrimination risks
If a developer discovers, or receives a credible report, that a high-risk AI system it has developed has caused or is reasonably likely to cause algorithmic discrimination, the developer must disclose this information to:
- The Colorado Attorney General
- All known deployers of the system
This disclosure must be made within 90 days of the discovery. The 90-day clock begins when the developer has "actual knowledge" or "reasonably should have known" of the discrimination risk, a standard that incentivises proactive monitoring rather than wilful ignorance.
3. Public statement about high-risk systems
Developers must make publicly available, on their website or through other easily accessible means, a statement describing:
- The types of high-risk AI systems they have developed or intentionally and substantially modified.
- How those systems manage known or reasonably foreseeable risks of algorithmic discrimination.
This public transparency requirement goes beyond what most US laws require and is comparable to the transparency obligations under Article 50 of the EU AI Act.
Amended in May 2026. The original act established a general duty of care, requiring developers to use "reasonable care" to protect consumers from known or reasonably foreseeable risks of algorithmic discrimination. The May 2026 amendment removed this duty-of-care requirement, narrowing the statute toward automated decision-making technology (ADMT) disclosure rather than an affirmative reasonable-care standard. Developers should still track the documentation and disclosure obligations above, which remain the operative requirements ahead of the 1 January 2027 effective date.
Deployer obligations under Colorado SB 205
Deployers, the organisations that actually use high-risk AI systems to make or substantially influence consequential decisions, originally faced the most detailed and operationally demanding set of obligations under SB 205. The May 2026 amendment substantially narrowed these obligations, refocusing the law on automated decision-making technology (ADMT) disclosure and removing the risk-management-program and annual-impact-assessment requirements that defined the original 2024 act.
What the May 2026 amendment removed. Under the original act, every deployer had to implement a risk management policy (reasonably designed to identify and mitigate algorithmic discrimination risk) and complete annual impact assessments for each high-risk system, pre-deployment, updated annually, and retained for three years. The May 2026 amendment removed both requirements, along with the deployer duty of care. Deployers no longer need to stand up a formal risk-management program or annual FRIA-style impact-assessment cycle to comply with Colorado law.
1. Pre-use ADMT notice
Following the amendment, the core surviving obligation is disclosure. Before a deployer uses automated decision-making technology in a consequential decision, it must provide the consumer with a pre-use notice that an AI system will be used to make or substantially influence the decision. This is a transparency requirement, not a substantive risk-management mandate.
2. Post-adverse-outcome disclosure and consumer rights
When a deployer uses an AI system to make or substantially influence a consequential decision that is adverse to a consumer, the deployer must, after the decision, provide:
- A statement that an AI system was used to make or substantially influence the decision.
- A description of the AI system's role in the decision, in plain language.
- Contact information for the deployer, so the consumer can request more information.
- An opportunity to correct any incorrect personal data that the AI system processed.
- An opportunity to appeal the adverse decision and obtain human review.
These post-adverse-outcome disclosures and the limited set of consumer rights (correction and appeal) are the operative consumer-facing requirements after the amendment. Deployers should build them into existing customer-facing decision workflows.
3. Attorney General reporting
If a deployer discovers that a high-risk AI system it uses has caused algorithmic discrimination, it must notify the Colorado Attorney General within 90 days of the discovery. The report must include the nature of the discrimination, the system involved, the number of consumers affected (if known), and the steps taken to mitigate the harm.
The NIST/ISO affirmative defense
One of SB 205's most notable provisions is its affirmative defense, a legal mechanism that allows developers and deployers to avoid liability if they can demonstrate that they followed recognised AI governance frameworks.
Requirements for the defense
To invoke the affirmative defense, an organisation must prove three things:
-
Framework compliance: The organisation has adopted and complied with the NIST AI Risk Management Framework (AI RMF 1.0) and ISO/IEC 42001:2023 (the international standard for AI management systems), or frameworks that are substantially equivalent in rigour and scope.
-
Discovery and cure process: The organisation has implemented a process to discover and cure any violations of the law, including ongoing monitoring and testing for algorithmic discrimination.
-
Good faith remediation: When a violation is discovered through this process, the organisation has taken timely and reasonable corrective action to address it.
What this means in practice
The affirmative defense is not a safe harbour, it does not immunise organisations from investigation. Rather, it is a defense raised after the Attorney General has initiated an enforcement action. Organisations that invest in structured AI governance gain a defensible legal position if problems arise.
For organisations building compliance programmes from scratch, the defense provides a clear roadmap:
- Implement NIST AI RMF, map your AI systems through the four core functions: Govern, Map, Measure, and Manage. See our AI governance framework guide for step-by-step instructions.
- Certify to ISO 42001, or implement its requirements substantively, even without formal certification. Our ISO 42001 certification guide covers the process in detail.
- Establish ongoing monitoring, deploy bias testing, drift detection, and fairness auditing tools on a continuous or periodic basis. See our bias testing guide for methodologies.
- Document remediation efforts, when issues are found, document the finding, the root cause analysis, the corrective action taken, and the outcome. This paper trail is what makes the defense credible.
For organisations already pursuing EU AI Act compliance, the overlap is significant, EU harmonised standards draw heavily from ISO 42001 and align with NIST AI RMF principles. Building a single governance framework to satisfy both regimes is the recommended approach.
Penalties and enforcement
Fine structure
The Colorado Attorney General may pursue civil enforcement actions for violations of SB 205, with penalties structured as follows:
Each individual consumer affected counts as a separate violation, meaning that a single discriminatory AI system deployed at scale could generate penalty exposure in the millions of dollars.
Attorney General exclusive enforcement
Critically, SB 205 does not create a private right of action. Individual consumers cannot sue developers or deployers directly under the Colorado AI Act. Enforcement authority rests exclusively with the Colorado Attorney General, who can investigate potential violations, issue civil investigative demands, and file enforcement actions in state court.
While this means individual lawsuits are not a direct risk, an AG enforcement action carries significant reputational risk and can result in consent decrees and mandatory compliance programmes.
SME partial exemption
SB 205 includes a partial exemption for small and medium enterprises. Organisations with fewer than 50 full-time employees are exempt from certain requirements. With the May 2026 amendment having already removed the annual impact-assessment and risk-management-policy obligations across the board, the practical effect is that SMEs remain subject to the core prohibition on algorithmic discrimination and the ADMT disclosure requirements.
SME deployers must still:
- Provide consumer notification for adverse AI-influenced decisions
- Report known algorithmic discrimination to the AG within 90 days
- Refrain from using AI systems in a manner that causes unlawful discrimination
For startups and smaller companies navigating AI compliance more broadly, see our EU AI Act compliance guide for startups and SMEs for additional strategies.
Other key US state AI laws
While Colorado SB 205 is the most comprehensive, several other states have enacted or are advancing significant AI legislation that organisations must track.
California SB 53, Frontier AI safety testing and reports
California SB 53, the Transparency in Frontier Artificial Intelligence Act (TFAIA), signed into law in September 2025 and effective 1 January 2026, targets frontier AI models, large-scale models with capabilities that exceed defined compute thresholds. The law requires developers of covered models to conduct pre-deployment safety testing (including red-teaming for catastrophic risk scenarios), publish safety reports, implement kill switch mechanisms for rapid shutdown, and maintain incident reporting processes. The California Attorney General can pursue civil penalties of up to $1 million per violation. SB 53 is narrower than Colorado SB 205, it applies only to frontier model developers, not deployers, but California's influence on the tech industry means its requirements are likely to become de facto national standards.
New York RAISE Act
New York's Responsible AI Safety and Education (RAISE) Act is a proposed comprehensive AI accountability bill that would establish a state AI registry, algorithmic impact assessments before deployment, consumer notification rights similar to Colorado's, and, critically, a private right of action allowing individuals to sue directly. As of early 2026, the RAISE Act remains under committee review, but if enacted, its private right of action would make it the most plaintiff-friendly AI law in the country.
Illinois AI Video Interview Act (AIVIRA)
Illinois was an early mover with the Artificial Intelligence Video Interview Act (820 ILCS 42/), effective 1 January 2020. The law requires employers using AI to analyse video interviews to notify each applicant, explain what the AI evaluates, obtain written consent, limit video distribution to qualified reviewers, and destroy recordings within 30 days of an applicant's request. AIVIRA is narrowly focused on video interviews, but it established the template for AI consent-and-disclosure requirements that subsequent state laws have built upon.
Texas, Connecticut, and other emerging bills
Comparison table: Key US state AI laws
EU AI Act vs Colorado AI Act comparison
For organisations subject to both regimes, understanding the overlap and divergence between the EU AI Act and Colorado SB 205 is essential for building an efficient, unified compliance programme.
How to comply with both simultaneously
The good news is that an organisation compliant with the EU AI Act will already meet the majority of Colorado SB 205's requirements. The key additions for dual compliance are:
-
Consumer notification: The EU AI Act's transparency requirements (Article 50) focus on disclosure that AI is being used, but Colorado's requirements are more prescriptive, you must disclose the AI's role, provide contact information, and offer appeal and data correction rights specifically for adverse decisions.
-
AG reporting: The EU AI Act requires reporting to national competent authorities; Colorado requires separate reporting to the state Attorney General within 90 days. Build this into your incident response process as a parallel notification workflow.
-
NIST AI RMF alignment: If you are primarily using EU harmonised standards, map them to the NIST AI RMF to ensure the affirmative defense is available. Our guide on building an AI governance framework covers the crosswalk between NIST, ISO 42001, and the EU AI Act's requirements.
-
Disclosure harmonisation: Colorado no longer mandates a standalone impact assessment (removed by the May 2026 amendment), so the EU FRIA remains your governing assessment artifact. Reuse it to drive Colorado's ADMT pre-use notice and post-adverse-outcome disclosures across the eight covered domains. See our FRIA guide for the base template.
Implementation roadmap
For organisations preparing for Colorado SB 205 compliance by the 1 January 2027 effective date, the following phased roadmap provides a structured approach. Note that the May 2026 amendment removed the risk-management-policy and annual-impact-assessment obligations, so the roadmap now centres on scoping, ADMT disclosure, and consumer-facing processes.
Phase 1: Discovery and scoping (now, H1 2026)
- Inventory all AI systems that make or substantially influence decisions about Colorado residents. See our AI systems inventory guide for methodology.
- Classify each system as high-risk (consequential decision in one of the eight domains) or out of scope.
- Identify your role for each system: developer, deployer, or both.
- Map existing compliance assets, if you have EU AI Act documentation, NIST AI RMF mappings, or ISO 42001 certifications, catalog what already satisfies Colorado requirements.
Phase 2: Governance and accountable roles (H2 2026)
- Designate accountable roles, assign individuals responsible for AI governance, ADMT disclosure, AG reporting, and consumer-rights handling.
- Align to NIST AI RMF and ISO 42001 as governance best practice. Even though the amendment removed the formal risk-management-program requirement, these frameworks remain the most efficient backbone for cross-jurisdiction compliance (including the EU AI Act). See our ISO 42001 guide.
- Document your discrimination-risk posture, maintain testing and mitigation evidence as good practice, even though annual impact assessments are no longer mandated by Colorado law.
Phase 3: ADMT disclosure and testing (H2 2026)
- Build pre-use ADMT notices for systems that make or substantially influence consequential decisions about Colorado residents.
- Conduct algorithmic discrimination testing across all protected characteristics. Document methodology, results, and mitigation steps. See our bias testing guide.
- Establish ongoing monitoring schedules, define a re-testing cadence proportionate to your risk exposure.
Phase 4: Consumer-facing processes (H2 2026)
- Build post-adverse-outcome disclosure workflows into every process where AI makes or substantially influences adverse consequential decisions.
- Implement appeal and human review mechanisms, ensure that consumers can contest adverse AI-influenced decisions and have them reviewed by a human.
- Create data correction processes, consumers must be able to correct inaccurate personal data used by AI systems.
Phase 5: Reporting and documentation (ongoing from 1 January 2027)
- Establish AG reporting procedures, define the internal process for identifying reportable incidents and filing with the Colorado AG within 90 days.
- Publish public statements (developers) about high-risk AI systems and discrimination risk management.
- Maintain disclosure and remediation records, keep evidence of ADMT notices, consumer-rights handling, and any corrective action taken.
Quick-start: Assess your AI risk exposure
Not sure whether your AI systems fall within the scope of Colorado SB 205 or the EU AI Act? Use our free AI Act risk classification tool to evaluate your systems in under five minutes and get an initial compliance roadmap.
Frequently asked questions
Does Colorado SB 205 apply to my company if we're not based in Colorado?
Yes, if your AI system makes or substantially influences consequential decisions about Colorado residents. Like many consumer protection statutes, SB 205 applies based on the location of the affected consumer, not the location of the company. If you deploy an AI-powered hiring tool that evaluates applications from Colorado residents, you are a deployer subject to SB 205, regardless of whether your company is headquartered in California, New York, or anywhere else.
How does "algorithmic discrimination" differ from traditional employment discrimination?
The legal standard is the same, the discrimination must be unlawful under existing anti-discrimination law. What SB 205 adds is a disclosure-and-transparency framework: developers and deployers must surface and disclose the use of AI in consequential decisions. Since the May 2026 amendment, the operative duties are ADMT disclosure (pre-use notice and post-adverse-outcome disclosure), limited consumer rights, and 90-day AG reporting, a lighter-touch regime than the original act's impact-assessment cycle.
Can I satisfy Colorado requirements by complying with the EU AI Act?
Substantially, yes, but not entirely. EU AI Act compliance covers most governance, documentation, and risk management requirements, and since the May 2026 amendment narrowed Colorado's law to ADMT disclosure, the gap is smaller than it once was. The Colorado-specific additions to layer on are: the ADMT disclosure format (pre-use notice plus a post-adverse-outcome disclosure with appeal and data-correction rights) and the 90-day AG reporting obligation. Build these on top of your EU programme. See our EU AI Act compliance checklist for the base framework.
What qualifies as an "adverse" consequential decision?
SB 205 does not provide an exhaustive definition, but the legislative intent is clear: an adverse decision is one that negatively affects the consumer, a denied loan, a rejected job candidacy, a higher insurance premium, or a denied benefits claim. When in doubt, err on the side of notification, the cost of providing notice is minimal compared to the enforcement risk of failing to do so.
Do open-source AI developers have obligations under SB 205?
Potentially, yes. SB 205's developer obligations apply to entities that "design, code, or substantially modify" high-risk AI systems. If an open-source developer creates a model specifically intended for consequential decisions, such as a credit scoring model, the developer obligations apply. However, a developer of a general-purpose open-source model not specifically designed for consequential decisions is less likely to be in scope. The distinction turns on intended use and foreseeability.
How does Colorado SB 205 interact with federal AI regulation?
SB 205 explicitly provides that it does not preempt or limit any federal law. Federal agencies retain full enforcement authority in their respective domains, meaning a single AI system could simultaneously be subject to Colorado SB 205, federal sector-specific regulations, and other state laws. This reinforces the case for building a unified AI governance framework that satisfies the strictest applicable standard.
Next steps
The Colorado AI Act represents a watershed moment in US AI regulation, the first comprehensive, cross-sector state law that imposes detailed governance, transparency, and anti-discrimination obligations on both AI developers and deployers. Although the May 2026 amendment delayed the effective date to 1 January 2027 and narrowed the law to ADMT disclosure, organisations should act now to:
- Audit your AI systems against the eight consequential decision domains.
- Build or extend your AI governance framework around NIST AI RMF and ISO 42001.
- Conduct bias testing and document the results.
- Implement consumer notification and appeal processes for adverse AI-influenced decisions.
- Establish AG reporting workflows for discovered discrimination.
The organisations that prepare early will not only avoid enforcement risk, they will build the governance muscle needed to navigate the expanding patchwork of US state AI laws and the EU AI Act.
Ready to assess your compliance posture? Start with our free AI Act risk assessment tool or explore our EU AI Act compliance checklist.
This article is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for advice specific to your circumstances. For a global perspective, see our AI Regulation Compared: EU, US, UK, China guide.



