The Colorado AI Act was the first comprehensive AI law passed by a US state. Other states are following its template, which makes Colorado the de facto blueprint for what US state AI regulation looks like.
If your AI system makes or substantially influences consequential decisions about Colorado residents, you are likely in scope. This article walks through what the Act actually requires, high-risk AI system classification, algorithmic impact assessment obligations, consumer rights, and the enforcement posture of the Colorado Attorney General.
What counts as a high-risk AI system under the Act
The Act applies to high-risk AI systems, defined as AI systems that make, or are a substantial factor in making, consequential decisions. Consequential decisions are those that have a material legal, financial, or similarly significant effect on a consumer in eight defined domains:
● Employment or employment opportunity
● Education and educational opportunity
● Financial or lending services
● Essential government services
● Health care services
● Housing
● Insurance
● Legal services
If an AI system is a substantial factor in any of these decisions affecting Colorado residents, it is in scope, regardless of where the developer or deployer is headquartered.
The developer-versus-deployer distinction
The Act creates two roles with different obligations. A developer is the entity that creates, designs, or substantially modifies a high-risk AI system. A deployer is the entity that uses a high-risk AI system to make consequential decisions.
Most US enterprises are deployers: they buy or license AI systems from foundation model vendors, applied AI vendors, or specialized providers, and deploy them to make decisions about their customers, employees, or other affected parties. Some enterprises are also developers, building their own AI systems or substantially modifying purchased systems.
Both roles have obligations under the Act. Deployers cannot offload compliance to developers, and developers cannot offload compliance to deployers. The Act assumes both will exercise reasonable care within their respective scopes.
Core compliance obligations for deployers
Deployers of high-risk AI systems must do the following:
● Implement a risk management policy and program covering the use of high-risk AI
● Complete an annual algorithmic impact assessment (AIA) for each high-risk AI system
● Provide consumer notice before or at the time of use of a high-risk AI system
● Provide consumers with the right to correct inaccurate personal information used by the AI
● Provide consumers with the right to appeal an adverse consequential decision to a human reviewer
● Report incidents of algorithmic discrimination to the Colorado Attorney General
The algorithmic impact assessment in practice
The AIA is the operational heart of the Act for deployers. It must document the AI system's purpose and context, the data used, the potential risks of algorithmic discrimination, the measures taken to mitigate those risks, the steps the deployer takes to monitor performance, and the consumer notice and rights mechanisms.
Operationally, the AIA is similar in spirit to a privacy impact assessment under CCPA/GDPR, but specifically scoped to algorithmic risk. Enterprises that already run mature PIAs can extend the same operating model to AIAs: same governance, similar artifacts, different focus.
Consumer rights operationalization
Three consumer rights need infrastructure to fulfill at scale:
Right to notice
Affected consumers must be informed that a high-risk AI system is being or has been used to make a consequential decision about them. The notice must be clear and accessible. A notice buried in terms of service is unlikely to satisfy the standard.
Right to correct
Consumers can request correction of inaccurate personal information the AI used. The request must be honored within a reasonable timeframe, with a documented response.
Right to appeal
Adverse consequential decisions can be appealed to a human reviewer who has authority to overturn the AI decision. The appeal process must be accessible and the human reviewer must be genuinely empowered, not a rubber stamp.
Algorithmic discrimination reporting
If a deployer discovers that its high-risk AI system has caused algorithmic discrimination, it must report the discrimination to the Colorado Attorney General within a defined timeline. The reporting obligation is significant: it requires an internal detection capability (without which discoveries cannot happen) and a triage process to assess which findings are reportable.
The Attorney General has primary enforcement authority. Penalties are structured per violation. The Attorney General's office has signaled active intent to enforce, including through cooperation with other state attorneys general on multi-state algorithmic discrimination matters.
Common implementation pitfalls
● Assuming the Act only applies to AI systems built in Colorado; it applies based on the location of the affected consumers, not that of the developer or deployer
● Treating AIAs as one-time documents; they must be updated when the AI system or its use materially changes
● Designing consumer notice that is technically present but operationally invisible: buried in terms of service, or shown only after the decision is made
● Building an appeal process where the human reviewer doesn't actually have authority to overturn the AI
● No internal detection capability for algorithmic discrimination, meaning the reporting obligation can't trigger because nothing is being detected
The shift to make
Stop treating the Colorado AI Act as a Colorado-only problem to be addressed if and when a Colorado customer raises it.
Start treating it as the template for what most US state AI regulation will look like in 2026-2027. Building Colorado-compliant operations (AIAs, consumer notice, correction and appeal rights, discrimination reporting) produces a governance baseline that scales naturally to other states adopting similar frameworks.
Enterprises that build this baseline early gain a structural advantage. As Texas, Virginia, Connecticut, Utah, Tennessee, and others operationalize their own AI laws, the operational machinery is already in place. Adapting to each new state becomes a question of mapping requirements to existing capabilities, not building net new compliance programs from scratch.