Tool · Colorado AI Act Compliance Checker
Is your AI system high-risk under the Colorado AI Act?
Five-step decision tree that classifies your AI system against Colorado AI Act SB 24-205 (effective February 1, 2026). Returns a HIGH-RISK or NOT HIGH-RISK verdict, the specific CAIA obligations that apply, sector-specific overlays (HIPAA, GLBA, FCRA, NYC LL144, etc.), and a live countdown to enforcement. Free, on-screen result.
Law firms can write the memo. The MSSP runs the controls. EFROS operates the AI Governance program — inventory, classification, vendor BAA verification, audit logging, human oversight, impact assessment, board-grade reporting — under one accountable SLA.
Step 1 · C.R.S. §6-1-1701(3)
Does your AI system make “consequential decisions” about Colorado residents?
Consequential decisions include hiring, lending, housing, insurance, education, employment, healthcare, and legal services. The decision must have a material legal or similarly significant effect on a Colorado resident’s access to that service. Jurisdiction is based on the consumer’s residence — not your headquarters.
What you get back
Classification, citations, countdown. No fluff.
HIGH-RISK or NOT HIGH-RISK verdict
Plain-English classification under CAIA §6-1-1701(3) (consequential decision) and §6-1-1701(9) (substantial factor). The two halves of the test that determine whether your system is in scope at all.
Specific CAIA obligations that apply
When high-risk: impact assessment (§6-1-1703(3)), consumer notice (§6-1-1703(4)), right-to-correct and appeal, anti-discrimination risk management policy, 90-day AG notice on algorithmic discrimination incidents, public-facing AI disclosure. Developer obligations under §6-1-1702 layer on if you build or substantially modify the system.
Sector-specific overlays that stack
Healthcare gets HIPAA + HHS-OCR Section 1557 + FDA SaMD. Financial services gets GLBA Safeguards + SR 11-7 + ECOA + NYDFS Part 500. Employment gets NYC LL144 + Illinois HB 3773 + EEOC. Insurance gets Colorado DOI 10-1-1 + NAIC model. Housing gets FHA + FCRA. Education gets FERPA + Title IX. Legal gets ABA Formal Opinion 512 + state bar opinions.
Live countdown to February 1, 2026 enforcement
Days, hours, minutes until CAIA becomes enforceable. The act passed May 2024 with an 18-month implementation window — now closing fast. Calibrates urgency against your roadmap timeline.
Who runs this
Decision-makers triaging AI exposure before February 2026.
General Counsel
Triage which AI deployments need legal review before Q1 2026. The decision tree surfaces which use cases meet the high-risk + substantial-factor threshold and which fall under transparency-only obligations.
Chief Compliance Officer
Defensible classification you can take to the board, the AG, or an enforcement action. The tool maps each obligation to its specific CAIA citation so internal counsel can verify the call.
CISO / Head of AI Governance
Determine where to start the impact assessment work, which sector overlays stack, and how the NIST AI RMF rebuttable presumption applies. Roadmap output ties to a 90-day implementation window.
Founder / COO of a multi-state operation
If you serve any Colorado residents — patients, employees, customers, applicants — and use AI to inform decisions about them, you are in scope regardless of HQ location. The tool clarifies what that means in practice.
FAQ
Questions about CAIA classification.
When does the Colorado AI Act take effect?
Colorado AI Act SB 24-205 takes effect February 1, 2026. The act was signed into law May 17, 2024, with an 18-month implementation window. The live countdown in the tool shows time remaining to enforcement.
Who is in scope — only Colorado-headquartered organizations?
No. CAIA applies based on where the consumer (patient, employee, applicant, customer) resides — not where the deployer is headquartered. A New York health system using AI on a Colorado resident's chart triggers CAIA obligations for that interaction. A multi-state employer with one Colorado-resident applicant is in scope for that hiring decision.
What counts as a 'consequential decision' under CAIA?
C.R.S. §6-1-1701(3) defines consequential decisions as those with a material legal or similarly significant effect on a consumer's access to: education, employment, financial services, government services, healthcare services, housing, insurance, legal services, or essential services. Each of these is its own high-risk category.
What does 'substantial factor' mean?
C.R.S. §6-1-1701(9) defines a substantial factor as one that materially influences a decision. In practice, if a human reviewer routinely follows the AI's recommendation, the substantial-factor threshold is typically met. If the AI surfaces information but the human decision-maker fully retains agency, you may be outside the high-risk definition — but counsel should review the specific use.
Is there a small-business exemption?
Partial. Deployers with fewer than 50 full-time employees that do not use their own data to train the high-risk AI system may qualify for an exemption from the risk management policy, impact assessment, and annual review obligations. They remain on the hook for consumer notice, right-to-correct, anti-discrimination duties, and AG incident reporting. Counsel must confirm eligibility.
What's the difference between a developer and a deployer?
Developers build or substantially modify a high-risk AI system (C.R.S. §6-1-1702). Deployers use a high-risk AI system in their business operations to make consequential decisions (C.R.S. §6-1-1703). Most US organizations are deployers using vendor models. Some larger systems with internal data science teams operate as both — a hospital running an internal sepsis model and external scribes, for example.
What's the penalty for non-compliance?
Enforcement is exclusively by the Colorado Attorney General as a deceptive trade practice. Civil penalties up to $20,000 per violation under C.R.S. §6-1-112. No private right of action. The act includes a rebuttable presumption that organizations following NIST AI Risk Management Framework or ISO/IEC 42001 acted reasonably — making framework adherence the practical compliance posture.
Is this legal advice?
No. Decision tree based on CAIA SB 24-205 text. Not legal advice. EFROS operates AI governance programs — we run the inventory, vendor BAA verification, impact assessment, monitoring, and reporting. We do not provide legal opinions on the act's application to specific facts. Consult counsel before relying on this classification for compliance decisions.
Disclaimer: Decision tree based on Colorado AI Act SB 24-205 text as enacted May 2024. Not legal advice. EFROS operates AI governance programs; we do not provide legal opinions on the act’s application to specific facts. Consult counsel before relying on this classification for compliance decisions. The act may be amended before its February 2026 effective date; refresh your assessment if material changes are enacted.
Already classified? Operationalize the program.
The $5k AI Governance audit extends the classification with M365 Graph deep-scan, AI vendor BAA verification, training-data lineage review, and an executive-ready compliance binder mapped to NIST AI RMF + ISO/IEC 42001 + CAIA. Ten-day delivery.
From classification to compliance program
EFROS AI Governance service
NIST AI RMF, Colorado AI Act, SR 11-7 operating program.
Free AI Risk Score
Multi-framework classification: CAIA + NYC LL144 + CA AB 2013 + NIST AI RMF maturity.
Colorado AI Act (healthcare)
Sector-specific deployer obligations and clinical AI vendor BAA matrix.
NIST AI RMF practical guide
Framework that satisfies CAIA's rebuttable-presumption safe harbor.
State AI law tracker
9 active US state AI laws with compliance dates.
AI Governance for law firms
ABA Formal Opinion 512 operationalized.