Policy Briefing — Colorado AI Act enforcement day demands documented risk controls

Executive briefing: Colorado SB24-205 becomes enforceable on 1 February 2026, establishing the first U.S. statewide duty-of-care regime for high-risk AI. Developers and deployers must implement reasonable policies to prevent algorithmic discrimination, register risk management contacts, and deliver transparency notices to affected consumers.

Mandatory deliverables

• Risk management program. Section 6-1-1704 requires documented risk controls, governance processes, and continuous monitoring tailored to each high-risk AI system.
• Impact assessments. Section 6-1-1705(2) mandates pre-deployment impact assessments, periodic refreshes, and post-incident reviews, including descriptions of training data, evaluation metrics, and safeguards.
• Incident reporting. Section 6-1-1706(2) obliges deployers to notify the Colorado Attorney General within 90 days of discovering any algorithmic discrimination or material risk not mitigated by controls.

Program actions

• Inventory alignment. Map AI systems to the statute’s high-risk definitions, capturing purpose, decision context, and consumer impact to confirm scope.
• Assessment cadence. Embed the Colorado-specific checklist into enterprise model risk frameworks so assessments, human oversight plans, and evaluation records are review-ready.
• Transparency playbooks. Update user-facing disclosures and adverse decision notices with the elements listed in Section 6-1-1705(5), including descriptions of the AI system and consumer appeal channels.

Enablement moves

• Align SB24-205 artefacts with EU AI Act and NIST AI RMF mappings to reduce duplication across jurisdictions.
• Implement incident triage workflows that distinguish Colorado reportable events from voluntary regulator outreach in other markets.

Sources

• Colorado SB24-205 — Artificial Intelligence (enrolled)
• Colorado Attorney General — SB24-205 implementation guidance