Colorado AI Act requirements and compliance guide
- The law's heart is a duty of reasonable care against algorithmic discrimination in high-risk AI.
- Developers must equip deployers with information; deployers carry risk management, impact assessment, and transparency duties.
- Demonstrating compliance is fundamentally about documentation and evidence of responsible governance.
- The requirements overlap with the EU AI Act and NIST, so govern once and map Colorado's specifics onto that foundation.
- Current as of June 2026. This is general information, not legal advice.
The overarching duty
The heart of the law is a duty of reasonable care to avoid algorithmic discrimination in high-risk AI systems. This is the principle the specific obligations support. Demonstrating reasonable care means being able to show that you identified the risk of discrimination and took appropriate steps to manage it, which is fundamentally an evidence-and-governance exercise.
Developer obligations
Developers, those who build or substantially modify high-risk systems, are generally expected to provide deployers with the information they need to use the system responsibly and to meet their own duties. This includes documentation about the system's purpose, known limitations, and the steps taken to address discrimination risk. The developer's role is to equip the deployer with the truth about the system.
Deployer obligations
Deployers, those who use high-risk systems to make consequential decisions, generally carry the more operational duties, which can include:
- Risk management: Implementing a programme to manage the risks of the high-risk system, including discrimination risk.
- Impact assessment: Assessing the impact of the high-risk system, including its potential for discriminatory outcomes.
- Transparency: Informing consumers when a high-risk AI system is used to make a consequential decision about them, and providing certain information and, in some cases, rights to explanation or appeal.
- Notification: Reporting discrimination that is discovered, as required.
Demonstrating compliance
Across both roles, the common thread is documentation and evidence. To show reasonable care, you need records: of how systems were assessed, what risks were identified, what controls were applied, and what disclosures were made. A claim of responsible AI without evidence is weak; the law effectively rewards organisations that can prove their governance.
Doing this efficiently
Because the Colorado requirements overlap substantially with the EU AI Act and with frameworks like the NIST AI RMF, the efficient approach is to govern your high-risk AI once, to a standard that satisfies the common ground, then map Colorado's specific duties onto that foundation. Building a separate compliance effort for each law duplicates work, since the underlying facts about each system are the same. Capturing those facts once, per system, and generating the required impact assessments, disclosures, and records from them, is the practical way to meet Colorado's requirements without reinventing your governance for every jurisdiction.
A note on the evolving text
The detailed requirements and timing of the Colorado AI Act have been subject to legislative attention and change. Treat the specifics here as the broad shape rather than a fixed final text, and confirm the current detailed obligations and effective dates against official Colorado sources before relying on them.
Key terms
- Reasonable care: The duty to take appropriate steps to identify and manage discrimination risk.
- Risk management programme: An ongoing process to identify, assess, and mitigate AI risks.
- Impact assessment: A structured evaluation of how an AI system affects people, including discrimination risk.
- Transparency: Informing consumers when AI is used to make consequential decisions about them.