
AI Governance Briefing — May 17, 2024

Colorado enacted SB24-205, creating the first statewide artificial intelligence law with mandatory risk management, consumer notice, impact assessment, and incident reporting controls for high-risk systems.

Executive briefing: Governor Jared Polis signed Colorado’s Consumer Protections for Artificial Intelligence Act (SB24-205) on May 17, 2024, making Colorado the first U.S. state to adopt a comprehensive cross-sector AI law. High-risk AI deployers must implement documented risk programmes that prevent algorithmic discrimination, deliver consumer notices before automated decisions, and run annual impact assessments, while developers must provide documentation and 90-day incident notifications.

Control checkpoints

  • Classify high-risk workflows. Map AI that makes consequential decisions in credit, employment, insurance, health care, and public services so SB24-205 duties attach to the right owners.
  • Operationalise risk management. Section 6-1-1603 requires testing and logging to prevent algorithmic discrimination; align with NIST AI RMF Govern/Map profiles and Colorado Civil Rights Division expectations.
  • Deliver disclosures and appeals. Provide plain-language notices, key factor explanations, and human appeal channels before issuing AI-driven decisions.
  • Schedule annual impact reviews. Fold the statute’s yearly assessment into existing model risk management cadences and board reporting.
  • Wire escalation paths. Developers must notify deployers of defects within 90 days and deployers must alert the Attorney General within 30 days of confirmed discrimination—integrate telemetry, legal, and customer-care teams now.

Action plan

  • Launch joint developer–deployer working groups to harmonize documentation templates, consumer notices, and remediation playbooks.
  • Map SB24-205 obligations to EU AI Act Article 9 controls and ISO/IEC 42001 requirements to reuse evidence across jurisdictions.
  • Update procurement and vendor contracts with Colorado-specific warranties, notification timelines, and audit rights ahead of the February 1, 2026 enforcement date.