Human-in-the-Loop AI Documentation: What Colorado SB 24-205 Requires
Why "A Human Reviews It" Isn't Sufficient
When the Colorado Attorney General investigates an AI compliance issue, one of the first defenses organizations offer is: "A human reviews all AI recommendations before they become decisions." It sounds reassuring. It's also usually insufficient.
SB 24-205 doesn't just require that humans exist in the decision chain — it requires that human oversight is meaningful, documented, and effective. The distinction matters enormously:
- Rubber-stamp oversight — A human clicks "approve" on 98% of AI recommendations without meaningful review. This is automation bias, not human oversight. The AG will see through it immediately.
- Meaningful oversight — A human reviews the AI's reasoning, has the authority and information to override it, and exercises that authority when warranted. Override rates and reasoning are documented.
The law cares about whether human oversight actually prevents algorithmic discrimination, not whether a human technically touched the "approve" button. This distinction is the difference between a defensible compliance posture and a liability disguised as governance.
Designing HITL Gates That Satisfy the Statute
A "Human-in-the-Loop gate" (HITL gate) is a structured checkpoint where a human reviews, modifies, or overrides an AI output before it becomes a consequential decision. Effective HITL gates have five components:
1. Decision Clarity
The human reviewer must understand exactly what decision the AI is making or influencing. Vague AI outputs that the reviewer can't interpret provide no meaningful oversight. Display the AI's recommendation, the key factors that drove it, and the confidence level.
2. Override Authority
The reviewer must have clear, exercisable authority to reject, modify, or escalate the AI's recommendation. If the system architecture makes overriding impractical (too slow, too many steps, disapproval from management), oversight is illusory.
3. Information Access
Reviewers need access to the information necessary to evaluate the AI's output independently. If the only information available is the AI's recommendation itself, the human adds no independent judgment.
4. Time and Capacity
Reviewers can't meaningfully evaluate 500 AI recommendations per hour. If volume overwhelms the reviewer, oversight degrades to rubber-stamping. Document your review-to-volume ratio and ensure it allows genuine deliberation.
5. Training
Reviewers must be trained on the AI system they're overseeing — what it does, how it works, what biases to watch for, and when to override. Training records are compliance documentation.
Documentation Requirements: What to Record at Every HITL Gate
Every HITL gate interaction should generate a compliance record. The minimum documentation for each review:
- AI output — What the system recommended or decided
- Reviewer identity — Who reviewed the output (name, role, training status)
- Review timestamp — When the review occurred
- Decision made — Approved, modified, or rejected
- Modification details — If modified, what was changed and why
- Override reasoning — If rejected, the documented rationale
- Override rate metrics — Aggregate statistics showing how often humans override the AI (a 0% override rate is a red flag)
Additionally, your impact assessment for each HITL-gated system should document:
- The HITL gate design and its five components (above)
- Review volume and capacity analysis
- Training curriculum and completion records
- Override rate trends over time
- Effectiveness analysis: has human oversight caught and corrected discriminatory outputs?
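One way to turn the per-review record above into the aggregate checks it feeds is sketched below. This is an added example, not code from CO-AIMS or from the statute; the field names, the 30-reviews-per-hour capacity limit, and the sample data are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

MAX_REVIEWS_PER_HOUR = 30  # assumed capacity limit, not a statutory figure
OVERRIDES = ("modified", "rejected")

@dataclass(frozen=True)
class ReviewRecord:
    ai_output: str
    reviewer: str
    trained: bool
    reviewed_at: datetime
    decision: str        # "approved", "modified" or "rejected"
    rationale: str = ""  # modification details or override reasoning

def record_gaps(rec):
    """Documentation gaps in one record; an empty list means complete."""
    gaps = []
    if rec.decision in OVERRIDES and not rec.rationale.strip():
        gaps.append("missing rationale")
    if not rec.trained:
        gaps.append("reviewer not trained")
    return gaps

def reviewer_report(records):
    """Per reviewer: override rate, peak hourly volume and red flags."""
    by_reviewer = defaultdict(list)
    for rec in records:
        by_reviewer[rec.reviewer].append(rec)
    report = {}
    for name, recs in by_reviewer.items():
        rate = sum(r.decision in OVERRIDES for r in recs) / len(recs)
        peak = max(Counter(r.reviewed_at.strftime("%Y-%m-%d %H") for r in recs).values())
        checks = {"zero override rate": rate == 0,
                  "volume exceeds capacity": peak > MAX_REVIEWS_PER_HOUR,
                  "incomplete records": any(record_gaps(r) for r in recs)}
        report[name] = {"override_rate": rate, "peak_per_hour": peak,
                        "flags": [k for k, hit in checks.items() if hit]}
    return report

def sample_records():
    """Constructed sample: two hypothetical reviewers in one hour."""
    at = lambda m: datetime(2025, 1, 6, 10, m)
    recs = [ReviewRecord("deny", "alice", True, at(m), "approved") for m in range(40)]
    recs += [ReviewRecord("deny", "bob", True, at(m), "approved") for m in range(8)]
    recs.append(ReviewRecord("deny", "bob", True, at(8), "rejected", "stale income data"))
    recs.append(ReviewRecord("deny", "bob", True, at(9), "modified"))
    return recs
```

On the constructed sample, the first reviewer is flagged for both a zero override rate and excess volume, while the second shows a 20% override rate but one override with no recorded rationale.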
Industry-Specific HITL Requirements
Healthcare
AI-assisted diagnosis, treatment recommendations, and patient risk stratification are consequential decisions where HITL gates are essential. Colorado's healthcare providers must document:
- Physician review of every AI diagnostic recommendation before it reaches the patient
- Clinical judgment documentation when overriding AI recommendations
- Patient safety outcomes correlated with AI-assisted vs. physician-only decisions
- Training records for clinicians on AI tool limitations and known biases
Legal Services
AI-powered case prediction, document review, and client intake scoring affect case outcomes — clearly consequential decisions. Law firms must document:
- Attorney review of AI-generated case assessments and recommendations
- How AI outputs influence (or don't influence) strategy decisions
- Client consent and disclosure when AI is used in their matter
- Malpractice risk analysis for AI-assisted decision-making
HR and Hiring
AI resume screening, candidate ranking, and performance prediction directly affect employment — a specifically enumerated consequential decision area. HR teams must document:
- Human review of every AI-generated candidate ranking before action is taken
- The information available to reviewers beyond the AI's recommendation
- Override rates by protected class to detect whether humans correct or amplify AI bias
- Training for hiring managers on AI tool limitations
Financial Services
AI credit scoring, insurance underwriting, and fraud detection affect consumers' financial lives. Institutions must document:
- Human review thresholds: which AI decisions require human review vs. which are auto-approved
- Adverse action notice procedures when AI influences a denial
- Fair lending analysis showing HITL gates effectively mitigate bias
Automating HITL Documentation with CO-AIMS
Manual HITL documentation is a bottleneck. Every review, every override, every training record needs to be captured, timestamped, and stored. CO-AIMS automates this:
- HITL gate configuration — Define gates for each AI system: who reviews, what's required, and what gets documented
- Override rate tracking — Automatic calculation of override rates by system, reviewer, and time period. Anomalies (0% override rate, sudden spikes) trigger alerts
- Training management — Track which reviewers are trained on which AI systems, certification dates, and re-training schedules
- Capacity analysis — Monitor review volume per reviewer to detect when oversight quality may degrade
- Evidence aggregation — All HITL documentation automatically feeds into your evidence bundles for AG production
The organizations that get HITL right don't just have humans in the loop — they have documented, trained, empowered humans in the loop. And they can prove it.
Frequently Asked Questions
What is a Human-in-the-Loop (HITL) gate?
A HITL gate is a structured checkpoint where a human reviews, evaluates, and can override an AI system's output before it becomes a consequential decision. Under Colorado SB 24-205, HITL gates must provide meaningful oversight — the human must have the authority, information, training, and capacity to genuinely evaluate the AI's recommendation.
What override rate is considered acceptable?
There is no statutory threshold for acceptable override rates, but a 0% override rate is a strong indicator that human oversight is illusory — rubber-stamping rather than genuine review. Healthy override rates vary by system complexity, but rates between 2% and 15% typically suggest meaningful human engagement. Document your rationale for your specific rate.
Do I need HITL documentation for every AI decision?
For high-risk AI systems making consequential decisions, yes. Every instance where the AI's output influences a consequential decision should have a documented human review record. For high-volume systems, batch review documentation may be acceptable, but you must demonstrate that review quality isn't sacrificed for throughput.
What training do HITL reviewers need?
Reviewers should be trained on the AI system's functionality, its known limitations and biases, the criteria for overriding recommendations, and the documentation requirements for each review. Training records (curriculum, completion dates, assessment results) are themselves compliance documentation that strengthens your affirmative defense.
AI Solutionist and founder of CO-AIMS. Building compliance infrastructure for Colorado's AI Act. Helping law firms, healthcare providers, and enterprises navigate SB 24-205 with automated governance.