FRAMEWORK

Colorado AI Act

The first US state to impose comprehensive obligations on high-risk AI. Originally SB 24-205, now reshaped by SB 26-189 — effective January 2027, focused on preventing algorithmic discrimination in consequential decisions.

Book a demo See coverage

Coverage updated2 min ago

Coverage · Colorado AI Act

Framework coverage

82%

Coverage

5 core duties

Obligations mapped

+4% wk

Files on record

Live · synced 2 min ago · 7-day trend

Recent activity

Annex IV v4Approved

FRIA v2Approved

Monitoring plan v1Draft

THE OBLIGATION

Comprehensive duties on high-risk AI in consequential decisions.

Colorado's AI Act governs developers and deployers of high-risk AI — systems that are a substantial factor in consequential decisions in employment, housing, finance, healthcare, education, legal and government services. The duty centres on preventing algorithmic discrimination.

Deployers must run impact assessments, maintain a risk-management programme aligned to a recognised framework like NIST AI RMF or ISO 42001, disclose use to consumers, and report discovered discrimination to the Attorney General. The law was reshaped by SB 26-189 in 2026; the obligations below reflect the current direction.

At a glance

Applies toDevelopers and deployers of high-risk AI affecting Colorado residents

Your likely roleDeveloper and/or Deployer

Key deadlineEffective 1 January 2027 (per SB 26-189)

Penalty exposureEnforced by the Colorado Attorney General; violations treated as unfair trade practices

ARTEFACTS

The files this framework actually requires.

Colorado names impact assessments and a risk programme. Hael generates them and keeps them current.

Files · Evidence pack

PDFImpact Assessmentv3updated 2 min agoApproved

PDFRisk Management Programmev2updated 14 MayApproved

PDFAlgorithmic Discrimination Reviewv2updated 11 MayApproved

PDFConsumer Disclosure Noticev1updated 04 MayDraft

PDFSystem Inventoryv2updated 02 MayApproved

GRC tools tell you these are missing. Hael generates them — from each system's real configuration.

THE DIFFERENCE

A checklist tells you what's missing. Hael puts it on record.

A checklist flags a missing impact assessment. Hael generates it — aligned to the NIST or ISO programme Colorado recognises.

Typical GRC tool

Impact Assessmentupload required

Risk Management Programmeupload required

Algorithmic Discrimination Reviewupload required

Consumer Disclosure Noticeupload required

System Inventoryupload required

Tracks the gap. You still author every document.

Hael

Impact Assessmentv3Generated 2 min agoview

Risk Management Programmev2Generated · Approvedview

Algorithmic Discrimination Reviewv2Generated · Approvedview

Consumer Disclosure Noticev1Generated · Draftview

System Inventoryv2Generated · Approvedview

Generated from each system's real configuration, versioned, and kept current as it changes.

HOW HAEL WORKS

Discover, classify, produce — for Colorado AI Act.

01DISCOVER

Find the systems in Colorado AI Act scope, including embedded third-party AI.

Inventory · 14 systems

Credit scoring enginehigh

HR screening bothigh

Salesforce Einsteinlimited

02CLASSIFY

Assess each against Colorado AI Act's risk tiers and obligations.

Risk tier

Prohib.HighLimitedMin.

Role: ProviderArt. 9 · 11 · 14

03PRODUCE

Generate the Colorado AI Act records, versioned and current.

Generated files

Annex IV v4Approved

FRIA v2Approved

Monitoring v1Draft

COVERAGE

Every obligation, mapped to the control that satisfies it.

Rows are the framework's clauses.

Columns are the controls and files that satisfy them.

Cells update as the underlying configuration changes.

Explore the platform

Coverage Map

Obligation → Control

4 obligations · 4 controls

82%

covered

Impact Assmt

Risk Prog.

Review

Disclosure

Impact assessment

✓

—

Risk programme

✓

—

Discrimination review

—

✓

•

—

Consumer disclosure

—

•

Impact assessment

Impact Assmt

v3 · sealed

Approvedopen file →

MAPPING

Clause by clause.

Obligation
What it requires
Hael control / file
Status

Pre-deployment & annual impact assessmentImpact assessment for high-risk AIImpact AssessmentApproved

Risk-management programmeAligned to NIST AI RMF or ISO/IEC 42001Risk Management ProgrammeApproved

Annual algorithmic-discrimination reviewReview of disparate impactAlgorithmic Discrimination ReviewIn progress

Consumer notice for consequential decisionsPlain-language pre-use noticeConsumer Disclosure NoticeDraft

REUSE

Author once. Satisfy many.

Colorado explicitly recognises NIST AI RMF and ISO/IEC 42001 as the basis for its required risk programme — so the work you do for those frameworks directly satisfies Colorado, and overlaps the EU AI Act.

→ shared evidenceNIST AI RMFISO/IEC 42001EU AI Act

Trust & Security

SOC 2 Type IIISO/IEC 27001EU & US data residencySSO / SCIMEncryption in transit & at restAudit logging

On record before January 2027, not scrambling after.

Colorado's high-risk AI duties take effect January 1, 2027. Hael produces the impact assessments and risk programme the law requires.

Book a demo Explore the platform