Algorithmic Impact Assessments: The Foundation of Colorado AI Compliance

An algorithmic impact assessment (AIA) is a structured evaluation of an AI system's potential effects on individuals and communities. Under Colorado SB 24-205, deployers must conduct annual impact assessments for every high-risk AI system — and retain them for three years.

Think of it as an environmental impact statement for AI: before and during deployment, you document the system's purpose, risks, mitigations, and ongoing monitoring approach. The goal is informed governance, not just compliance theater.

Each impact assessment must include:

• System Description — What the system does, what inputs it uses, what outputs it produces, and what decisions it influences
• Purpose & Benefits — The intended use case and expected benefits to the organization and consumers
• Risk of Algorithmic Discrimination — Known and potential risks that the system could produce discriminatory outcomes across protected classes
• Data Assessment — Sources of training and operational data, known biases in the data, and steps taken to mitigate data-driven discrimination
• Human Oversight — How humans are involved in the decision process, what overrides exist, and what training oversight personnel receive
• Safeguards — Technical and procedural measures to prevent or detect discriminatory outputs
• Prior Incidents — Any previously identified instances of algorithmic discrimination and the remediation taken
• Monitoring Plan — How the system will be monitored on an ongoing basis for bias and discrimination

SB 24-205 requires assessments in three situations:

1. Before deployment — Any new high-risk AI system must be assessed before it goes live
2. Annually — Every high-risk system needs an updated assessment at least once per year
3. Material change — When a system is significantly modified (new data sources, changed decision logic, expanded use case), a new assessment is required

The annual cycle is a minimum. Best practice is to reassess whenever bias audits reveal concerning trends, when vendor updates change system behavior, or when the affected population changes.

An impact assessment is only as strong as its documentation. Key principles:

• Be specific, not generic — "The system may produce biased outputs" is useless. "The system's training data underrepresents Hispanic applicants by 15%, which may produce lower approval rates for this group" is defensible.
• Show your work — Reference the bias audit data that informed your risk analysis. Link to the specific audit results that validate or challenge each risk.
• Document trade-offs — If you identified a risk and chose to accept it, explain why. Risk acceptance with documented reasoning is defensible; undocumented risk ignorance is not.
• Include stakeholder input — Did you consult affected communities? Did you survey users? Stakeholder engagement strengthens the assessment significantly.

CO-AIMS generates impact assessments automatically from your system registry data and bias audit results. Each assessment is pre-populated with system details, current audit findings, and incident history — you review and supplement rather than writing from scratch.