Colorado Artificial Intelligence Act
The Colorado AI Act is the first comprehensive US state law on high-risk AI, requiring developers and deployers to prevent algorithmic discrimination in consequential decisions. It is enforced by the state Attorney General as an unfair trade practice.
Overview
The Colorado Artificial Intelligence Act, enacted as Senate Bill 24-205 in 2024, is the first comprehensive US state law regulating high-risk artificial intelligence systems. It targets algorithmic discrimination in consequential decisions and imposes duties on both developers and deployers of covered systems. It is widely seen as a US counterpart to the risk-tiered approach of the EU AI Act.
The law defines a high-risk AI system as one that is a substantial factor in making a consequential decision, meaning a decision that materially affects access to education, employment, financial or lending services, government services, healthcare, housing, insurance, or legal services.
Who It Applies To
The Act applies to two roles. Developers are entities that develop or substantially modify a high-risk AI system. Deployers are entities that use such a system to make consequential decisions about Colorado consumers. Both small and large organizations can be covered, though certain obligations scale with size and there are limited exemptions for small deployers.
Key Requirements
Developers must use reasonable care to protect consumers from known or foreseeable risks of algorithmic discrimination, provide deployers with documentation about intended uses, known limitations, and evaluation results, and publicly summarize the systems they offer. Deployers must implement a risk-management policy and program, complete impact assessments, notify consumers when a high-risk system is used to make a consequential decision, and provide an opportunity to correct data or appeal adverse decisions. Both parties must disclose discovered algorithmic discrimination to the Colorado Attorney General.
Penalties for Non-Compliance
Violations are treated as unfair trade practices under the Colorado Consumer Protection Act, enforced exclusively by the Colorado Attorney General. There is no private right of action. The Act provides an affirmative defense for organizations that discover and cure violations and that comply with the NIST AI Risk Management Framework or another recognized risk framework.
How to Comply
Deployers should inventory consequential-decision systems, adopt a documented risk-management program aligned with the NIST AI RMF, and run regular impact assessments. Maintain consumer notices, appeal and correction workflows, and records of evaluations. Developers should prepare clear technical documentation for downstream deployers and publish required public summaries. Both should establish a process for detecting and reporting algorithmic discrimination.