Primary Research · State Profile · CO
Colorado is the first US state to enact a comprehensive AI consumer protection law that imposes binding obligations on both developers and deployers of high-risk AI systems. The Colorado Artificial Intelligence Act (SB 24-205), signed by Governor Jared Polis in May 2024, takes effect February 1, 2026 and establishes a deployer-developer accountability model that other states are watching closely. Unlike sector-specific federal frameworks, the Colorado AI Act covers any AI system that makes or substantially influences consequential decisions about Colorado consumers in employment, education, financial services, healthcare, housing, insurance, legal services, or government services — a scope that captures the great majority of enterprise AI deployments touching Colorado residents.
Colorado's regulatory posture in 2026 is the leading indicator for the rest of the country. The Act explicitly references the NIST AI Risk Management Framework as one acceptable governance anchor, which means organizations that have already operationalized NIST AI RMF inherit a defensible compliance starting position. Enforcement sits with the Colorado Attorney General under the Colorado Consumer Protection Act — there is no private right of action — and a rebuttable presumption of reasonable care applies to deployers who follow the Act's risk-management requirements. The AG retains broad authority to investigate algorithmic discrimination, and the 90-day disclosure window for discovered discrimination creates a hard operational clock that most organizations are not yet ready to meet.
Key provisions
Risk management policy aligned to NIST AI RMF or ISO/IEC 42001; annual impact assessments per high-risk system; pre-decision and adverse-decision consumer notices; right to opt out or request human review where feasible; annual public summary of high-risk systems; 90-day AG notification of discovered algorithmic discrimination.
Industry coalitions and the Governor's task force have signaled material amendments before the Act takes effect — likely narrowing the deployer definition, clarifying the impact-assessment cadence, and refining what counts as 'substantial influence' on a consequential decision. Plan compliance against the enacted text, but watch the legislative calendar through January 2026.
Sector-specific frameworks layer on top of state AI laws and frequently impose stricter or earlier-binding obligations. These are the sectors most exposed in Colorado.
Healthcare
Section 1557 nondiscrimination overlay applies on top of the Act when AI influences clinical decisions or coverage determinations for Colorado patients.
Employment
EEOC algorithmic discrimination guidance and ADA accommodations overlay employment-AI obligations. Colorado deployers should integrate the Act's pre-use notice with existing federal hiring-AI documentation.
Financial services
SR 11-7 model risk management is the practical anchor for banks; insurance carriers fall under Colorado Division of Insurance Regulation 10-1-1 (the 2023 AI insurance rule that pre-dates the Act).
Insurance
Colorado already had the country's first state insurance AI rule (Reg 10-1-1, 2023). The Act layers on top, not in place of, that rule.
Practical operational checklist for organizations subject to Colorado AI laws. Items are ordered by typical sequence of implementation, not by importance — most steps depend on the inventory work in the first item.
Inventory must include both developer-built and third-party AI; vendor systems used for consequential decisions count even if you didn't build them.
The Act presumes compliance for deployers who can document adherence to a recognized framework. NIST AI RMF is the faster path for most US organizations.
Templates must cover purpose, data sources, performance metrics, demonstrated and reasonably foreseeable risks, mitigation measures, and monitoring approach.
The Act requires specific language and channels. Treat this as a UX engineering project, not just a policy update.
Required on the deployer's website. Plan for legal review of the public-facing language before February 2026.
Once a deployer 'discovers' algorithmic discrimination, the AG notification clock starts. Define 'discovery' internally and align with incident response.
Developers must provide deployers with sufficient information to complete impact assessments. Most existing vendor contracts do not contain this clause — amend now.
EFROS operates the AI governance program against the Colorado AI Act for clients running high-risk systems that touch Colorado consumers — NIST AI RMF as the operating anchor, vendor BAA matrices for AI subprocessors, impact-assessment workflows, and the consumer notice + 90-day AG disclosure runbook. We are US-anchored and do not retrofit EU AI Act frameworks onto US deployments.
Disclaimer: this profile is a research dataset, not legal advice. Compliance determinations for Colorado businesses require analysis of specific facts and should be made in consultation with qualified legal counsel licensed in Colorado.
Reference this resource with attribution under CC-BY-4.0. Copy any of the formats below for academic papers, blog posts, AI citations, or vendor evidence packages.
Efros, S. (2026, May). Colorado AI Law Tracker — 2026. EFROS. https://efros.com/research/state-ai-law-tracker/colorado/
Efros, Stefan. "Colorado AI Law Tracker — 2026." EFROS, May 2026, https://efros.com/research/state-ai-law-tracker/colorado/.
Efros, Stefan. 2026. "Colorado AI Law Tracker — 2026." EFROS. https://efros.com/research/state-ai-law-tracker/colorado/.
S. Efros, "Colorado AI Law Tracker — 2026," EFROS, May 2026. [Online]. Available: https://efros.com/research/state-ai-law-tracker/colorado/
@misc{efros2026coloradoailawtra,
author = {Stefan Efros},
title = {Colorado AI Law Tracker — 2026},
year = {2026},
month = {May},
publisher = {EFROS},
url = {https://efros.com/research/state-ai-law-tracker/colorado/},
note = {Accessed: May 2026}
}https://efros.com/research/state-ai-law-tracker/colorado/
Site-wide citation metadata is also published as a CITATION.cff file at /CITATION.cff for citation-management tools and academic indexers.
All tracked US state AI laws in a single citation-ready dataset.
Open20 AI vendors scored on 12 US AI governance axes — including state-law overlays.
OpenFederal framework that anchors most state AI law deployer obligations.
OpenOperating program that implements multi-state AI law compliance.
Open5-minute classification across Colorado AI Act, NYC LL144, CA AB 2013, and NIST AI RMF.
Open