What Is SB 205? The Colorado AI Act Explained in Plain English

"SB 205" refers to Senate Bill 24-205, formally titled the Consumer Protections for Artificial Intelligence Act. It was introduced in the Colorado Senate during the 2024 legislative session, passed both chambers, and was signed by Governor Jared Polis on May 17, 2024.

The bill is sometimes called "SB 205," "SB24-205," "Colorado SB 24-205," or simply "the Colorado AI Act." These all refer to the same law. It takes effect on June 30, 2026, giving organizations roughly two years from signing to full compliance.

Why does this matter? Because SB 205 is the first comprehensive, enforceable AI regulation at the state level in the United States. While the EU has the AI Act and cities like New York have narrow AI hiring laws, Colorado's legislation covers all "high-risk AI systems" across every industry — from healthcare and finance to legal services and real estate.

Related: complete SB 24-205 compliance guide · 7-step compliance checklist · what SB 24-205 means for your business

The law creates obligations for two groups: deployers (businesses that use AI systems) and developers (companies that build them). Most businesses reading this are deployers. Here are the six core requirements:

1. Risk Management Policy — You must publish a documented policy describing how you identify, mitigate, and monitor AI risks. The law explicitly references the NIST AI Risk Management Framework as a recognized standard.
2. Annual Impact Assessments — For each high-risk AI system, you need a yearly evaluation documenting its purpose, data inputs, known risks, performance metrics, and human oversight mechanisms.
3. Consumer Disclosure — Before AI makes or substantially influences a consequential decision about a Colorado consumer, you must tell them. This includes the right to appeal to a human reviewer.
4. Bias Auditing — Regular testing for algorithmic discrimination across protected classes including race, gender, age, disability, and sexual orientation.
5. Incident Response — If you discover algorithmic discrimination, you have 90 days to notify the Colorado Attorney General and affected consumers.
6. Record Retention — All compliance documentation must be retained for at least three years.

The penalty for non-compliance is up to $20,000 per violation, enforced by the Colorado Attorney General under the Colorado Consumer Protection Act.

This is the question that catches most businesses off guard. Under SB 205, a high-risk AI system is any AI that makes or "substantially influences" a consequential decision. Consequential decisions include those affecting:

• Employment — Hiring, firing, promotion, pay, performance evaluation
• Education — Admissions, financial aid, disciplinary actions
• Financial services — Lending, credit, insurance underwriting
• Healthcare — Diagnosis, treatment recommendations, coverage decisions
• Housing — Rental approvals, mortgage qualification, valuations
• Legal services — Case management decisions, client intake scoring
• Government services — Benefits eligibility, licensing, permits

The "substantially influences" qualifier is critical: even if a human makes the final decision, the AI system is high-risk if its output meaningfully shapes that decision. A hiring manager who relies on an AI-ranked candidate list is using a high-risk system, even though a human picks the final candidate.

If you use any AI-powered SaaS tool — CRM predictive scoring, automated document review, chatbot intake — there's a strong chance it qualifies. The first step toward compliance is an honest AI inventory across your entire technology stack.

SB 205 includes a provision that many businesses overlook: the affirmative defense. If you can demonstrate compliance with a nationally or internationally recognized AI risk management framework — specifically the NIST AI RMF or ISO 42001 — you have a rebuttable presumption that you've satisfied the law's requirements.

In practice, this means:

• You followed a recognized framework before an incident occurred
• You can produce documentation proving compliance (audits, assessments, policies)
• You acted in good faith to prevent algorithmic discrimination

This is why platforms like CO-AIMS map every compliance action directly to NIST AI RMF controls — it's building your affirmative defense in real time, with court-ready evidence bundles that prove you did the work.

Here's the critical timeline every affected business should know:

• May 17, 2024 — SB 205 signed into law by Governor Polis
• February 1, 2025 — Colorado AG began accepting public comments on enforcement guidance
• June 30, 2026 — Law takes effect. All deployers and developers must be in full compliance.
• July 1, 2026 onwards — AG enforcement begins. Violations carry $20,000 penalties per incident.

With roughly four months remaining until enforcement, organizations that haven't started their compliance programs need to begin immediately. The minimum viable compliance timeline is approximately 90 days for organizations with 1-10 AI systems.