Colorado AG Notification: The 90-Day Timeline for AI Discrimination Incidents
In This Article
The 90-Day Clock: When It Starts and Why It Matters
Section 6-1-1004 of Colorado SB 24-205 creates a self-reporting obligation that catches many organizations off guard: when a deployer "discovers or reasonably should have discovered" that their AI system has engaged in algorithmic discrimination, they must notify the Colorado Attorney General within 90 days.
This isn't a suggestion. Missing the 90-day deadline is itself a violation of the statute — separate from the underlying discrimination. It compounds your exposure.
The critical phrase is "discovers or reasonably should have discovered." This means the clock starts not only when you definitively confirm discrimination, but when your monitoring systems should have detected it. If your bias audit from March shows a disparate impact ratio of 0.72 for Hispanic applicants, the clock started in March — not when your compliance officer finally reviews the report in June.
This is why automated, continuous monitoring matters. Manual, infrequent audits create discovery gaps where discrimination festers undetected — and each day of delayed discovery extends your legal exposure.
Related: SB 24-205 compliance guide · AG enforcement patterns · AI bias audit guide
What Triggers the Notification Obligation
The AG notification is triggered specifically by "algorithmic discrimination" — when an AI system produces outcomes that disproportionately harm protected classes. SB 24-205 defines this as any AI-driven differential treatment or impact based on:
- Race, color, or national origin
- Sex, sexual orientation, or gender identity
- Religion
- Age (40+)
- Disability
- Any other class protected under Colorado law
Triggers vs. non-triggers:
- Trigger: Bias audit reveals disparate impact ratio of 0.72 for female applicants (below 0.80 threshold) → Notification required
- Trigger: Customer complaint investigated and found to reflect actual discriminatory output → Notification required
- Trigger: Vendor disclosure that training data contained demographic bias → Notification required if the bias produced discriminatory outcomes
- Not a trigger: Bias audit shows all groups within acceptable thresholds → No notification required (but document the clean audit)
- Not a trigger: Theoretical bias risk identified in impact assessment without evidence of actual discriminatory output → No notification required (but address in remediation)
The 90-Day Timeline: A Day-by-Day Framework
Here's how to manage the 90-day window from discovery to notification:
Days 1-7: Immediate Response
- Document the discovery: who found it, when, how, and what the initial evidence shows
- Assess severity: how many consumers may be affected? Is the discrimination ongoing?
- Consider interim measures: should the AI system be paused or modified while you investigate?
- Notify your internal compliance owner and legal counsel
Days 8-30: Investigation
- Conduct a thorough root cause analysis: is the bias in the data, model, implementation, or deployment?
- Quantify the impact: statistical analysis of affected populations and outcome distributions
- Document the full investigation with methodology and findings
- Determine whether the finding constitutes "algorithmic discrimination" under the statute
Days 31-60: Remediation
- Implement corrective measures: data corrections, model retraining, threshold adjustments, or system replacement
- Run verification audits to confirm the fix is effective
- Document every remediation step with timestamps and evidence
- Update impact assessments for affected systems
Days 61-85: Notification Preparation
- Prepare the AG notification document (see next section for required content)
- Legal review of the notification
- Finalize all supporting documentation
Days 86-90: Submission
- Submit notification to the Colorado Attorney General
- Retain proof of submission (confirmation receipt, tracking number)
- File internal records of the complete incident lifecycle
What to Include in Your AG Notification
While SB 24-205 doesn't prescribe a specific notification format, based on the statute's requirements and AG enforcement guidance, your notification should include:
- Organization identification — Company name, contact person, contact information
- System identification — Which AI system was involved, its purpose, and what consequential decisions it makes
- Discovery details — When and how the discrimination was discovered (date, method, who discovered it)
- Nature of the discrimination — Which protected class(es) were affected and how outcomes were disparate
- Scope of impact — Estimated number of affected consumers and the time period during which discrimination occurred
- Root cause — What caused the discriminatory outputs (data bias, model error, implementation issue)
- Remediation taken — What corrective measures were implemented and evidence of their effectiveness
- Ongoing monitoring — How you're preventing recurrence, including updated audit schedules and thresholds
Thoroughness matters. A comprehensive, well-documented notification demonstrates good faith. A bare-minimum filing invites deeper scrutiny.
Managing the Timeline with CO-AIMS
The 90-day clock is unforgiving, and manual tracking is risky. CO-AIMS provides built-in AG notification workflow management:
- Automatic discovery dating — When a bias audit flags a threshold violation, the discovery date is automatically recorded and the 90-day clock begins
- Deadline tracking dashboard — Visual countdown showing days remaining, with escalating alerts at 60, 30, and 14 days
- Investigation workflow — Structured templates for root cause analysis, impact quantification, and remediation planning
- Notification document generation — Pre-formatted AG notification templates populated with your incident data, audit findings, and remediation evidence
- Complete audit trail — Every step from discovery through notification is timestamped and stored in your evidence bundle
The worst-case scenario isn't discovering discrimination — it's discovering it too late or losing track of the deadline. Automated detection and deadline management eliminate both risks.
Frequently Asked Questions
When does the 90-day AG notification clock start?
The clock starts when you "discover or reasonably should have discovered" algorithmic discrimination. This means the date your bias audit detected the issue, not when someone finally reviewed the results. Automated monitoring systems that flag issues immediately establish a clear, defensible discovery date.
What happens if I miss the 90-day AG notification deadline?
Missing the 90-day deadline is itself a separate violation of SB 24-205, independent of the underlying discrimination. It demonstrates a failure in your incident response process and weakens your affirmative defense. The AG may view a missed deadline as evidence of insufficient governance.
Can I self-report before the 90-day deadline if remediation isn't complete?
Yes, and it's recommended. You can and should notify the AG even if remediation is ongoing. Include what you've done so far and your remediation timeline. Early, transparent reporting demonstrates good faith and is viewed more favorably than waiting until the last day.
Does the AG notification requirement apply to all AI systems?
The notification requirement applies to all high-risk AI systems under SB 24-205 — those that make or substantially influence consequential decisions. If a lower-risk system produces discriminatory outcomes, it may still trigger the requirement if those outcomes affect consequential decisions.
Automate Your Colorado AI Compliance
CO-AIMS handles bias audits, impact assessments, consumer disclosures, and evidence bundles — so you can focus on your business.
AI Solutionist and founder of CO-AIMS. Building compliance infrastructure for Colorado's AI Act. Helping law firms, healthcare providers, and enterprises navigate SB 24-205 with automated governance.