Colorado AI Act Compliance Checklist: 7 Steps Before June 30

You can't comply with what you can't see. The first step is a comprehensive inventory of every AI system in your organization.

What to document for each system:

• System name and vendor
• What decisions it makes or influences
• What data it processes
• Who it affects (employees, customers, clients)
• Whether decisions are "consequential" under SB 24-205

Don't skip the tools embedded in your existing software. Salesforce Einstein, Microsoft Copilot, Zoom IQ — these all contain AI that may trigger compliance obligations.

CO-AIMS automates this with a system registry that walks you through classification for each tool.

Not every AI system requires full compliance treatment. SB 24-205 specifically targets "high-risk" systems — those making consequential decisions in employment, education, finance, healthcare, housing, legal services, or government.

Classification criteria:

• Does the system output directly determine an outcome? → High-risk
• Does it substantially influence a human decision-maker? → High-risk
• Is the affected area "consequential" under the statute? → High-risk
• Is it purely informational with no decision influence? → Lower risk

SB 24-205 requires a documented, public-facing risk management policy. This is not a checkbox exercise — it's the foundation of your affirmative defense.

Your policy must describe:

• How you identify and categorize AI risks
• Your governance structure (who owns AI compliance)
• Your monitoring and auditing approach
• How you handle incidents and discrimination findings
• Your framework alignment (NIST AI RMF recommended)

Every high-risk AI system needs an annual impact assessment. Each assessment must document:

• The system's purpose and intended benefits
• Known limitations and risks of algorithmic discrimination
• Data sources and their potential biases
• Human oversight mechanisms
• Safeguards against discriminatory outputs
• Previous incidents and remediation

Impact assessments aren't one-time documents. They must be updated annually and retained for three years.

Before or at the time an AI system interacts with a consumer, you must disclose:

• That AI is being used to make or influence the decision
• What type of decision is being made
• How the consumer can appeal or request human review
• Where to find your risk management policy

Disclosures must be "clear and conspicuous." Burying them in a 40-page terms of service won't cut it.

You need active, ongoing monitoring — not just annual check-ups. Build processes for:

• Regular bias audits — Monthly or quarterly statistical analysis of AI outputs for disparate impact across protected classes
• Incident detection — Clear triggers that identify potential algorithmic discrimination
• Response protocol — Who investigates, how you remediate, and when you notify the AG
• 90-day AG notification — Discovery of algorithmic discrimination must be reported to the Colorado Attorney General

SB 24-205 requires three years of retained records, including:

• All impact assessments
• Bias audit results and methodologies
• Incident reports and remediation documentation
• Consumer disclosure records
• Risk management policy versions
• Training records for staff involved in AI governance

This is your evidence bundle — the documentation that proves your compliance if the AG comes knocking. CO-AIMS generates court-ready evidence bundles with a single click, aggregating every audit, assessment, and disclosure into a branded PDF with full audit trail.