The Colorado AI Act (SB 24-205): A Compliance Guide for 2026
Sonomos Research
The Sonomos research team writes about AI privacy, data protection, and how to use generative AI safely at work.
Short answer: The Colorado Artificial Intelligence Act (SB 24-205) is the first comprehensive, risk-based US state AI law. It imposes a duty of reasonable care to protect consumers from algorithmic discrimination in "high-risk" AI systems — those that make, or are a substantial factor in, consequential decisions about things like employment, lending, housing, healthcare, insurance, education, and essential services. After a legislative delay, the Act now takes effect on June 30, 2026. It places concrete obligations on both developers and deployers of high-risk systems, including risk-management programs, impact assessments, consumer notices, and disclosures to the Colorado Attorney General. Enforcement is exclusively by the AG; there is no private right of action. This guide explains who is covered and what to do.
What the Colorado AI Act is
Signed in May 2024, Colorado's SB 24-205 — "Consumer Protections for Artificial Intelligence" — was the first US state law to regulate AI across industries on a risk basis, rather than targeting a single sector or a list of prohibited acts. Its model is closer to the EU AI Act than to Texas's intent-based TRAIGA: it regulates high-risk AI systems and imposes a duty of care to avoid discriminatory outcomes.
Effective date. The Act was originally set to take effect February 1, 2026. During a 2025 special session, the Colorado legislature delayed the effective date to June 30, 2026 and made targeted refinements. Organisations should plan to the June 30, 2026 date and watch for any further amendments before it lands.
Key definitions
- High-risk AI system. An AI system that, when deployed, makes or is a substantial factor in making a consequential decision.
- Consequential decision. A decision with a material legal or similarly significant effect on a consumer's access to, or the cost or terms of: employment or an employment opportunity; education enrolment or opportunity; financial or lending services; an essential government service; healthcare services; housing; insurance; or legal services.
- Algorithmic discrimination. Unlawful differential treatment or impact that disfavours individuals on the basis of a protected characteristic. Notably — and unlike Texas — Colorado's standard is not limited to intentional discrimination; it reaches discriminatory impact, which is why a documented risk-management process matters.
- Developer vs Deployer. A developer builds or substantially modifies a high-risk system; a deployer uses one to make consequential decisions. Many organisations are deployers (for example, an employer using an AI hiring tool).
Deployer obligations
If you use a high-risk AI system to make consequential decisions about Colorado consumers, the Act requires you to:
- Maintain a risk-management policy and program to govern the system — explicitly contemplated to align with recognised frameworks such as the NIST AI Risk Management Framework or ISO/IEC 42001.
- Complete impact assessments for the high-risk system, reviewed periodically and after significant modifications.
- Notify consumers when a high-risk system is used to make a consequential decision about them, describe the system's purpose, and — where a decision is adverse — provide an explanation and an opportunity to correct data and to appeal for human review.
- Publish a public statement summarising the high-risk systems you deploy and how you manage discrimination risk.
- Disclose to the Colorado Attorney General any discovered algorithmic discrimination, within a set timeframe.
Developer obligations
If you build or substantially modify a high-risk system, you must:
- Provide documentation to deployers sufficient for them to understand the system's intended uses, known limitations, the data used to train it at a high level, and how it was evaluated for discrimination.
- Publish a public statement describing the types of high-risk systems you make available and how you manage known discrimination risks.
- Disclose known risks of algorithmic discrimination to the Attorney General and to deployers.
Enforcement and penalties
- Exclusive enforcement by the Colorado Attorney General. There is no private right of action.
- Violations are treated as unfair or deceptive trade practices under Colorado law.
- The Act includes a rebuttable presumption of reasonable care for organisations that comply with its specified duties and a recognised risk-management framework — which is the practical incentive to adopt NIST AI RMF or ISO 42001 and document it.
Colorado AI Act vs Texas TRAIGA vs the EU AI Act
| Dimension | Colorado SB 24-205 | Texas TRAIGA | EU AI Act |
| --- | --- | --- | --- |
| Model | Risk-based duty of care | Intent-based prohibitions | Risk-based, tiered |
| Effective date | June 30, 2026 | January 1, 2026 | Phased through 2026–2027 |
| Discrimination standard | Impact (not just intent) | Intent required | Varies by risk tier |
| Core deployer duty | Risk program, impact assessments, notices | Avoid prohibited uses | Conformity, oversight, documentation |
| Enforcement | Colorado AG, no private right | Texas AG, 60-day cure | National authorities, large fines |
How to prepare for June 30, 2026
- Inventory and classify. Identify AI systems that influence consequential decisions about Colorado consumers and flag them as high-risk.
- Adopt a recognised framework. Stand up a risk-management program aligned to the NIST AI RMF or ISO/IEC 42001 to qualify for the reasonable-care presumption.
- Run impact assessments. Document intended use, data, evaluation for discrimination, and mitigations — and refresh after material changes.
- Build the consumer-notice and appeal flow. Notify affected consumers, explain adverse decisions, and provide correction and human-review paths.
- Clarify developer–deployer roles. Get the documentation you're owed if you deploy a third-party system; produce it if you build one.
- Don't overlook the data layer. High-risk AI systems run on consumer personal data. Detecting and minimising the sensitive data that flows into and around these systems supports your impact assessments and reduces breach exposure — the same control that helps with GDPR, HIPAA, and the rest of your program.
Frequently asked questions
When does the Colorado AI Act take effect?
June 30, 2026. The original February 1, 2026 date was pushed back by the legislature in 2025. Confirm the current date before you finalise timelines, as further amendments remain possible.
Does the Colorado AI Act apply to my business if I'm not in Colorado?
It applies to developers and deployers doing business in Colorado whose high-risk systems make consequential decisions about Colorado residents. A Colorado location is not required if you affect Colorado consumers.
Is intent required to violate the Act?
No — and this is the key contrast with Texas TRAIGA. Colorado's algorithmic-discrimination standard reaches discriminatory impact, not just intentional discrimination. That is why a documented risk-management process and impact assessments are central to compliance.
What is a "consequential decision"?
A decision with a material legal or similarly significant effect on access to, or the cost or terms of, employment, education, lending, housing, healthcare, insurance, essential government services, or legal services.
How does the Act interact with NIST AI RMF and ISO 42001?
Compliance with a recognised risk-management framework, alongside the Act's specified duties, supports a rebuttable presumption that you exercised reasonable care. Adopting NIST AI RMF or ISO/IEC 42001 is therefore the practical path to demonstrating compliance.
The bottom line
Colorado's AI Act is the most consequential US state AI law for organisations that use AI in decisions about people, and its June 30, 2026 effective date makes 2026 the year to operationalise it. The work is concrete: inventory high-risk systems, adopt a recognised risk-management framework, run impact assessments, build consumer notice-and-appeal flows, and keep the underlying personal data tightly governed. Paired with Texas TRAIGA taking effect in January, multi-state AI compliance is now a 2026 reality.