
Colorado Attorney General AI Enforcement: What Happens If You're Not Compliant

Jason Pellerin

How Enforcement Gets Triggered

The Colorado Attorney General's office doesn't need to wait for a formal complaint. Enforcement can be triggered by:

  • Consumer complaints — Any Colorado consumer can file a complaint about suspected algorithmic discrimination
  • Self-reported incidents — Deployers who discover discrimination must notify the AG within 90 days, which triggers a review
  • Proactive investigation — The AG's office can initiate investigations based on market surveillance, media reports, or industry tips
  • Audit findings — Third-party audits or whistleblower reports that surface discrimination

The AG has publicly stated that "consequential decisions" in legal services, healthcare, and financial services will be priority enforcement areas in 2026.

The Investigation Process

Once an investigation begins, the AG's office will typically:

  1. Issue a Civil Investigative Demand (CID) — This is a formal request for documents including your AI inventory, impact assessments, bias audit results, and consumer disclosures
  2. Review your documentation — They're looking for evidence of the six core requirements. Missing documents are themselves violations.
  3. Test your systems — The AG can request access to system outputs and methodologies to independently verify your bias monitoring claims
  4. Assess your response — How quickly and thoroughly you remediate identified issues matters. Good-faith effort counts.

This is where documentation is everything. If you can produce three years of impact assessments, regular bias audits, and a NIST-aligned risk management policy, you're in a fundamentally different position than an organization scrambling to create records after receiving a CID.

Penalty Structure

SB 24-205 is enforced under the Colorado Consumer Protection Act (CCPA), which provides:

  • Up to $20,000 per violation — Each affected consumer can be a separate violation
  • Injunctive relief — Court orders to stop using non-compliant systems
  • Consent decrees — Negotiated compliance agreements with ongoing monitoring
  • Public enforcement actions — All actions are public record, creating reputational damage

Consider the math: if an AI hiring tool discriminates against 100 applicants, that's potentially $2 million in exposure. A lending algorithm affecting 500 loan applicants? $10 million.

Your Best Defense: Documented Compliance

The law explicitly provides a rebuttable presumption of compliance for organizations that demonstrate alignment with recognized AI governance frameworks. In practice, this means:

  • Map your practices to NIST AI RMF or ISO 42001
  • Maintain current impact assessments for every high-risk system
  • Run regular bias audits with documented methodologies
  • Keep three years of records in an accessible, organized format
  • Have a functioning incident response process that actually gets used

CO-AIMS builds this evidence automatically. Every bias audit, impact assessment, and disclosure is timestamped and stored. When the AG asks for documentation, you generate an evidence bundle — a court-ready PDF with every record organized by system, date, and compliance category.

Frequently Asked Questions

Can individual consumers sue under Colorado SB 24-205?

No. SB 24-205 does not create a private right of action. Only the Colorado Attorney General can enforce the law. However, consumer complaints are a primary trigger for AG investigations.

What is the 90-day AG notification requirement?

If a deployer discovers that their AI system has engaged in algorithmic discrimination, they must notify the Colorado Attorney General within 90 days. This self-reporting obligation applies regardless of whether the discrimination was intentional.

How does the affirmative defense work in practice?

If you can demonstrate that you followed NIST AI RMF or ISO 42001 in good faith, the burden shifts to the AG to prove that your compliance efforts were insufficient. Documented compliance with regular audits creates a rebuttable presumption that you met the law's requirements.

Automate Your Colorado AI Compliance

CO-AIMS handles bias audits, impact assessments, consumer disclosures, and evidence bundles — so you can focus on your business.

Jason Pellerin

AI Solutionist and founder of CO-AIMS. Building compliance infrastructure for Colorado's AI Act. Helping law firms, healthcare providers, and enterprises navigate SB 24-205 with automated governance.