Hael

Colorado AI Act requirements and compliance guide

Updated 30 June 2026 · 7 min read

Key takeaway

The Colorado AI Act's requirements centre on a duty of reasonable care to protect people from algorithmic discrimination, supported by concrete obligations that differ between developers and deployers of high-risk AI systems. In practice, meeting the law means governing your high-risk AI systems systematically: documenting them, assessing their impact, being transparent about their use, and managing the risk of discriminatory outcomes.
  • The law's heart is a duty of reasonable care against algorithmic discrimination in high-risk AI.
  • Developers must equip deployers with information; deployers carry risk management, impact assessment, and transparency duties.
  • Demonstrating compliance is fundamentally about documentation and evidence of responsible governance.
  • The requirements overlap with the EU AI Act and NIST, so govern once and map Colorado's specifics onto that foundation.
  • Current as of June 2026. This is general information, not legal advice.

The overarching duty

The heart of the law is a duty of reasonable care to avoid algorithmic discrimination in high-risk AI systems. This is the principle the specific obligations support. Demonstrating reasonable care means being able to show that you identified the risk of discrimination and took appropriate steps to manage it, which is fundamentally an evidence-and-governance exercise.

Developer obligations

Developers, those who build or substantially modify high-risk systems, are generally expected to provide deployers with the information they need to use the system responsibly and to meet their own duties. This includes documentation about the system's purpose, known limitations, and the steps taken to address discrimination risk. The developer's role is to equip the deployer with the truth about the system.

Deployer obligations

Deployers, those who use high-risk systems to make consequential decisions, generally carry the more operational duties, which can include:

  • Risk management: Implementing a programme to manage the risks of the high-risk system, including discrimination risk.
  • Impact assessment: Assessing the impact of the high-risk system, including its potential for discriminatory outcomes.
  • Transparency: Informing consumers when a high-risk AI system is used to make a consequential decision about them, and providing certain information and, in some cases, rights to explanation or appeal.
  • Notification: Reporting discrimination that is discovered, as required.

Demonstrating compliance

Across both roles, the common thread is documentation and evidence. To show reasonable care, you need records: of how systems were assessed, what risks were identified, what controls were applied, and what disclosures were made. A claim of responsible AI without evidence is weak; the law effectively rewards organisations that can prove their governance.

Doing this efficiently

Because the Colorado requirements overlap substantially with the EU AI Act and with frameworks like the NIST AI RMF, the efficient approach is to govern your high-risk AI once, to a standard that satisfies the common ground, then map Colorado's specific duties onto that foundation. Building a separate compliance effort for each law duplicates work, since the underlying facts about each system are the same. Capturing those facts once, per system, and generating the required impact assessments, disclosures, and records from them, is the practical way to meet Colorado's requirements without reinventing your governance for every jurisdiction.

A note on the evolving text

The detailed requirements and timing of the Colorado AI Act have been subject to legislative attention and change. Treat the specifics here as the broad shape rather than a fixed final text, and confirm the current detailed obligations and effective dates against official Colorado sources before relying on them.

Key terms

Reasonable care
The duty to take appropriate steps to identify and manage discrimination risk.
Risk management programme
An ongoing process to identify, assess, and mitigate AI risks.
Impact assessment
A structured evaluation of how an AI system affects people, including discrimination risk.
Transparency
Informing consumers when AI is used to make consequential decisions about them.
