Colorado AI Act SB 24-205: The Complete Compliance Guide for 2026
What Is Colorado SB 24-205?
Colorado Senate Bill 24-205, officially the "Consumer Protections for Artificial Intelligence Act," is the first comprehensive state-level AI regulation in the United States. Signed by Governor Polis and taking effect June 30, 2026, it creates binding obligations for any business that deploys or develops "high-risk AI systems" affecting Colorado consumers.
Unlike the EU AI Act, SB 24-205 was purpose-built for American businesses. It doesn't ban AI — it demands transparency, accountability, and documented risk management. The law creates a rebuttable presumption of compliance for organizations that follow recognized frameworks like the NIST AI RMF or ISO 42001.
Who Must Comply?
The law applies to two categories of organizations:
- Deployers — Any business using AI systems that make or substantially influence "consequential decisions" about Colorado consumers. This includes hiring tools, lending algorithms, insurance underwriting, healthcare recommendations, and legal case management software.
- Developers — Companies that build or substantially modify AI systems used by deployers in Colorado.
If your firm uses AI-powered case management, automated document review, predictive analytics, or any tool that influences decisions about employment, housing, credit, insurance, education, or healthcare, you're a deployer under SB 24-205.
Critical detail: You don't need to be headquartered in Colorado. If your AI system touches Colorado consumers, you're subject to the law.
The 6 Core Requirements
SB 24-205 mandates six concrete obligations for deployers:
- Risk Management Policy — A documented, public-facing policy describing how you identify, mitigate, and monitor AI risks. This must map to NIST AI RMF or an equivalent framework.
- Annual Impact Assessments — Yearly evaluations of each high-risk AI system, documenting its purpose, intended benefits, known risks, data inputs, outputs, and oversight mechanisms.
- Consumer Disclosure — Clear notification to consumers when AI is being used to make or influence consequential decisions about them, including the right to appeal.
- Incident Response — Procedures to detect, document, and respond to algorithmic discrimination incidents within 90 days.
- Record Retention — Three years of audit trails, impact assessments, incident reports, and remediation documentation.
- AG Notification — Discovery of algorithmic discrimination must be reported to the Colorado Attorney General within 90 days.
Penalties for Non-Compliance
The Colorado Attorney General enforces SB 24-205 under the Colorado Consumer Protection Act. Penalties include:
- $20,000 per violation under Colorado Consumer Protection Act (CCPA) enforcement
- Injunctive relief — The AG can order you to stop using non-compliant AI systems
- Reputational damage — Enforcement actions are public record
- No private right of action — Only the AG can enforce, but consumer complaints trigger investigations
The affirmative defense is your shield: organizations that can demonstrate good-faith compliance with the NIST AI RMF or ISO 42001 have a rebuttable presumption that they've met the law's requirements.
Your Compliance Roadmap to June 30, 2026
Five months remain. Here's the critical path:
- Month 1 (February) — Inventory every AI system in your organization. Identify which ones make or influence consequential decisions.
- Month 2 (March) — Draft your risk management policy mapped to NIST AI RMF. Conduct initial impact assessments for each high-risk system.
- Month 3 (April) — Implement consumer disclosure mechanisms. Set up incident detection and response procedures.
- Month 4 (May) — Run your first bias audit cycle. Document findings and remediation steps. Train staff on procedures.
- Month 5 (June) — Final review. Verify record retention systems. Test AG notification procedures. Go live before June 30.
CO-AIMS automates the majority of this roadmap — from system registration and automated bias audits to impact assessment generation and AG notification workflows.
Frequently Asked Questions
When does Colorado SB 24-205 take effect?
Colorado SB 24-205 takes effect on June 30, 2026. All deployers and developers of high-risk AI systems must be in compliance by this date.
Does Colorado SB 24-205 apply to businesses outside Colorado?
Yes. If your AI system makes or influences consequential decisions about Colorado consumers, you must comply regardless of where your business is headquartered.
What is the penalty for violating Colorado's AI Act?
Violations are enforced under the Colorado Consumer Protection Act with penalties of up to $20,000 per violation, plus potential injunctive relief ordering you to cease using non-compliant AI systems.
Automate Your Colorado AI Compliance
CO-AIMS handles bias audits, impact assessments, consumer disclosures, and evidence bundles — so you can focus on your business.
AI Solutionist and founder of CO-AIMS. Building compliance infrastructure for Colorado's AI Act. Helping law firms, healthcare providers, and enterprises navigate SB 24-205 with automated governance.