
About This Law
Official Name: Colorado Artificial Intelligence Act (CAIA) – Colorado SB 24-205
Originally Signed: May 17, 2024 by Governor Jared Polis
Effective Date: June 30, 2026 (delayed from February 1, 2026 following a special legislative session)
Jurisdiction: State of Colorado, USA. Applies extraterritorially to any company making consequential decisions affecting Colorado residents, regardless of where the company is based.
Type: First comprehensive state-level AI law in the United States
Applies To: Developers and deployers of high-risk AI systems used for consequential decisions affecting Colorado residents
Maximum Penalties: Up to USD 20,000 per violation per affected consumer. Violations constitute unfair trade practices under the Colorado Consumer Protection Act.
Enforcement: Colorado Attorney General (exclusive enforcement, no private right of action). 60-day cure period after notice.
Safe Harbor: Documented alignment with NIST AI RMF or ISO/IEC 42001 and cure within 90 days of discovering the violation.
Introduction
Your AI hiring tool just screened 500 applications. Your AI credit model just declined 200 loan requests. If any of those decisions affected Colorado residents, your company has new legal obligations starting June 30, 2026.
Colorado SB 24-205 is the United States’ first comprehensive state AI law. Despite multiple attempts to scale it back, the core requirements remain unchanged. The Colorado Attorney General has exclusive enforcement authority, with penalties reaching USD 20,000 per violation per affected consumer. For an AI system touching hundreds of applicants, that exposure compounds fast.
Read on for the complete breakdown of who this law covers, what it requires, and the practical compliance steps you need to take before June 30.
What Is the Colorado AI Act Targeting?
Algorithmic discrimination is the legal target. The CAIA defines it as unlawful differential treatment based on protected characteristics (race, age, sex, disability, religion, and others) caused by an AI system. The law exists because AI systems can produce discriminatory outcomes even when developers and deployers never intended discrimination.
The CAIA places responsibility on both the companies that build AI systems (developers) and the companies that use them to make decisions (deployers). If you buy a third-party AI tool and use it to screen job candidates, you are a deployer under Colorado law. You cannot outsource your compliance obligation to your vendor.
What Counts as High-Risk AI Under the CAIA?
An AI system is high-risk if it makes or substantially influences a consequential decision. A consequential decision is one that has a significant effect on a consumer’s access to or the cost of education, employment, financial services, essential government services, healthcare, housing, or insurance.
Examples include: resume screening and candidate ranking tools, credit scoring and loan decision systems, insurance underwriting and pricing algorithms, medical risk stratification tools, tenant screening software, and educational assessment systems. If your AI system plays a meaningful role in any of these decisions for Colorado residents, you are almost certainly in scope.
Deployers with fewer than 50 employees are exempt from the annual impact assessment requirement, unless they use their own data to train or customize the high-risk AI system. That exemption disappears the moment you do custom training work.
What the CAIA Requires of Developers and Deployers
Developers must: use reasonable care to protect consumers from algorithmic discrimination, document known foreseeable risks and intended uses, provide deployers with a statement describing those risks, conduct regular impact assessments, and disclose discovered discrimination to the Colorado Attorney General within 90 days.
Deployers must: implement a documented risk management policy and program, complete an annual impact assessment of each high-risk AI system, notify consumers before deploying a high-risk AI system to make a consequential decision about them, provide a plain-language explanation of how the system works, give consumers the right to appeal automated decisions and request human review, and report discovered discrimination to the Attorney General.
The Affirmative Defense: How to Protect Your Business
The CAIA provides a meaningful safe harbor. A developer or deployer is not liable for a violation if they have complied with a nationally or internationally recognised AI risk management framework (such as the NIST AI RMF or ISO/IEC 42001) and they discover and cure the violation within 90 days of discovery.
Aligning with the NIST AI RMF is not just good governance practice. It is a legal shield under Colorado law. Document your alignment, maintain records of your risk assessments, and implement the cure procedures before June 30.
Your 5-Step CAIA Compliance Plan
- Identify all AI systems that touch Colorado residents’ consequential decisions: Build or update your AI inventory immediately. Map every AI tool that influences hiring, lending, insurance, healthcare, housing, or education for any Colorado-based users or applicants.
- Classify each system as high-risk or not: Apply the CAIA’s two-part test to each tool. When in doubt, treat it as high-risk. Misclassification is one of the most common and costly compliance errors.
- Implement a risk management policy and program: For each high-risk system, document the risk management framework you are using, your bias testing procedures, your human oversight mechanisms, and your incident response process.
- Build your consumer notification and appeal workflows: Design the disclosures and appeals process for every consequential decision process. These need to be live before June 30, not planned.
- Complete your annual impact assessments: These must be done before the system is deployed and annually thereafter. The assessment must evaluate the system for algorithmic discrimination and document findings and mitigation measures.
Frequently Asked Questions
Does the Colorado AI Act apply to companies based outside Colorado?
Yes. The CAIA applies to any company that deploys a high-risk AI system to make consequential decisions affecting Colorado residents. A New York company using AI to screen applicants from Denver must comply, as must a San Francisco fintech approving loans for Colorado borrowers.
What are the penalties for violating the Colorado AI Act?
Violations constitute unfair trade practices under the Colorado Consumer Protection Act. The maximum penalty is USD 20,000 per violation, counted separately for each affected consumer or transaction. An AI system that discriminates against 100 consumers could generate up to USD 2 million in penalties.
Is the Colorado AI Act still subject to change?
Colorado lawmakers can make amendments during the 2026 legislative session before the June 30 effective date. However, the core framework, including developer and deployer obligations and the consequential decision trigger, has remained stable. Build compliance around the current text.
How does the Colorado AI Act interact with the EU AI Act?
The laws share a risk-based philosophy and overlapping concepts, but Colorado focuses specifically on algorithmic discrimination protection for Colorado residents while the EU AI Act covers a broader range of AI risks. Build a unified compliance programme that addresses the specific requirements of each.
Conclusion
The Colorado AI Act is the United States’ most demanding state-level AI law, and it takes effect on June 30, 2026. The operational requirements, including annual impact assessments, consumer notifications, appeal workflows, and 90-day disclosure obligations, all take time to implement properly.
Businesses that align with a recognised AI risk management framework now build legal protection and operational resilience at the same time.
June 30, 2026 is your compliance deadline.

