What is the Colorado AI Act? A detailed guide to SB 205

The Colorado Artificial Intelligence Act (Colorado AI Act, SB 205) establishes comprehensive regulations for the use of high-risk AI systems, setting a precedent for other states. The Act establishes legal liability and transparency obligations for the developers and deployers of high-risk AI systems operating in Colorado. The core concepts of the Act are:

1. Accountability for AI outputs: Developers and deployers of high-risk AI systems will be held accountable for algorithmic discrimination and must use reasonable care to protect consumers from foreseeable risks.
2. AI risk management: Developers and deployers must implement detailed risk management policies and programs, including regular impact assessments to mitigate risks associated with high-risk AI systems.
3. Mandatory consumer disclosures: Businesses must clearly inform consumers when they are interacting with AI systems, especially when the AI is used to make consequential decisions.
4. Exclusive enforcement by the Attorney General: The Act is enforced by the Colorado Attorney General, with no private right of action. Compliance with NIST or ISO risk management frameworks provides an affirmative defense.
5. Proactive risk mitigation: The Act encourages proactive risk mitigation by allowing companies to defend themselves if they follow established frameworks and fix any violations.

As AI continues to integrate into various aspects of life and business, the need for comprehensive frameworks to manage its use, deployment, and implications becomes increasingly critical. AuditBoard plays a crucial role in preparing companies for this future, ensuring they’re compliant today and ready for tomorrow’s regulatory landscapes.

Colorado AI Act effective date

The Colorado AI Act was signed into law in 2024. It was originally set to go into effect on February 1st, 2026. Several efforts to amend or scale back the law have been unsuccessful, but its implementation has now been postponed until June 30, 2026.

AI Act scope

The Act's requirements apply to developers and deployers of high-risk AI systems operating in Colorado. A high-risk AI system is one that makes, or substantially factors into, consequential decisions affecting consumers in areas such as education, employment, financial services, healthcare, housing, insurance, government services, and legal services. Here are some possible examples of AI systems that make “consequential decisions”:

• Education: An AI system that determines student admissions or scholarship eligibility.
• Employment: An AI system that screens job applicants or decides promotions.
• Financial services: An AI system that evaluates credit scores or loan approvals.
• Healthcare: An AI system that aids in medical diagnoses or treatment plans.
• Housing: An AI system that influences rental applications or mortgage approvals.
• Insurance: An AI system that sets insurance premiums or assesses claims.
• Government services: An AI system used for eligibility determinations for social services.
• Legal services: An AI system that assists in legal research or case predictions.

Compliance requirements of Colorado AI Act (SB 205)

The Act imposes several compliance requirements:

1. Transparency requirements: Developers and deployers must provide clear disclosures to consumers when they interact with AI systems, especially in consequential decision-making scenarios.
2. Risk management programs: Deployers must implement and regularly review risk management policies and programs.
3. Impact assessments: Deployers must complete annual impact assessments and additional assessments within 90 days of significant modifications to the AI systems.
4. Public statements: Both developers and deployers must publish on their websites information about the high-risk AI systems they develop or use, and how they manage the risks of algorithmic discrimination.

Non-compliance penalties

Violations of the Act can result in enforcement actions by the Colorado Attorney General, including administrative fines and legal consequences for offenses committed with the assistance of AI systems. The Act also provides an affirmative defense for entities that discover and cure violations and comply with recognized AI risk management frameworks.*

*This means that The Act allows companies to defend themselves against penalties if they identify and correct any violations of the Act and adhere to established AI risk management frameworks, such as those from the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO). By promptly identifying and resolving issues and following recognized standards, companies can protect themselves from legal consequences under the Act.

How can companies ensure compliance with SB 205?

Drawing from our work in AI governance and compliance, we’ve observed how organizations are adapting to Colorado’s AI Act. Here are seven practical steps to ensure compliance:

1. Inventory models and assess risk: Compile a detailed inventory of all AI technologies in use, assess associated risks, and establish accountability for AI operations.
2. Invest in AI governance tools: Use tools that support compliance with the AI Policy Act and help manage AI effectively within regulatory requirements.
3. Automate audits and compliance checks: Implement automated systems to ensure consistent compliance with the Act, maintain transparency, and ensure accountability.
4. Consider using synthetic data to achieve objectives without compromising personal data privacy.
5. Implement mandatory disclosures: Modify interfaces to clearly disclose when consumers are interacting with AI, and train employees on how to communicate about AI use.
6. Engage in continuous learning and adaptation: Stay informed about legislative changes and industry standards, and participate in voluntary programs during the Act’s implementation period.
7. Voluntary commitment to standards: Actively participate in frameworks and commitment layouts introduced during the Act’s implementation to demonstrate leadership in AI governance.

Staying informed and engaged will be key to achieving compliance with Colorado SB 205.