Colorado AI Act

What is the Colorado AI Act?

The Colorado Artificial Intelligence Act, SB 24-205, signed by Governor Jared Polis on May 17, 2024, is the first comprehensive US state law of general application addressing high-risk artificial intelligence systems. The Act establishes duties for both developers and deployers of high-risk AI to use reasonable care to protect Colorado consumers from “algorithmic discrimination,” defined in the Act as the use of an AI system that results in unlawful differential treatment or impact disfavoring protected classes.

The Act sits in the framework category between an industry-voluntary standard such as the NIST AI Risk Management Framework, and a federal regulation. It is binding state law within Colorado, enforceable by the Colorado Attorney General. It mirrors the EU AI Act’s risk-tier structure in concept (high-risk vs. general-purpose) but covers a narrower commercial-use scope and relies on documentation and consumer-notice obligations rather than market-surveillance machinery.

For law firms, the Act is most relevant when the firm itself deploys an AI system that makes consequential decisions about a Colorado consumer. Use of generative AI in legal representation is governed by the Colorado Rules of Professional Conduct, particularly the Colorado Supreme Court’s Rule Change 2026(02) confirming that AI use does not diminish RPC obligations, and by the Colorado Bar Association’s published guidance. Those obligations are independent of, and in some respects stricter than, the AI Act’s duties to consumers.

Who must comply?

The Act distinguishes two regulated roles, and a firm or vendor may be either or both.

A developer of a high-risk AI system is any person doing business in Colorado that develops or substantially modifies a high-risk AI system. Developers carry duties to provide deployers with the documentation, intended uses, known limitations, and risk assessments needed for the deployer to comply with its own duties.

A deployer of a high-risk AI system is any person doing business in Colorado that uses a high-risk AI system. Deployers carry duties of consumer notice, impact assessment, and risk management. The Act includes a small-business exemption: deployers with fewer than 50 full-time employees that do not use the deployer’s own data to train the system are exempt from certain documentation and impact-assessment duties, though not from anti-discrimination obligations.

A high-risk AI system is one that, when deployed, makes a consequential decision or is a substantial factor in making one. “Consequential decision” is defined in the Act to include decisions that affect access to or terms of education, employment, financial or lending services, essential government services, healthcare, housing, insurance, or legal services. The legal-services scope is narrow and contested; firms whose use of AI is limited to internal research, drafting, or due diligence on attorney-client matters are not deploying a high-risk AI system within the Act’s scope. Firms operating client-intake automation, settlement-prediction tools, or automated triage that materially shapes whether a consumer obtains representation or on what terms may be.

What does the Act require?

The Act imposes parallel duty stacks on developers and deployers, oriented around consumer protection.

For deployers, the core duties are: (1) implement a risk-management policy and program covering the high-risk AI system, with reasonable consideration of the NIST AI Risk Management Framework or another nationally or internationally recognized framework; (2) complete an impact assessment before deployment and at least annually thereafter; (3) notify Colorado consumers when a high-risk AI system is used to make a consequential decision about them, including a statement of the principal factors in the decision and a description of the data processed; (4) provide an opportunity for consumers to correct incorrect personal data or appeal an adverse decision; and (5) report any algorithmic discrimination discovered to the Colorado Attorney General within 90 days.

For developers, the core duties are: (1) provide deployers a statement disclosing the intended uses, known harmful or inappropriate uses, training-data summary, evaluation methods, intentional limitations, and risk-management documentation sufficient for the deployer’s impact assessment; and (2) make a public statement summarizing the types of high-risk AI systems developed and how known or reasonably foreseeable risks of algorithmic discrimination are managed.

Both developers and deployers have a duty of “reasonable care,” and a rebuttable presumption of compliance attaches to those whose conduct meets the documentation duties listed above.

When does enforcement begin?

The Act’s original effective date was February 1, 2026, by its own terms when signed in May 2024. SB 25B-004, passed during the 2025 special session, postponed Attorney General enforcement to June 30, 2026 to give the regulated community additional implementation runway and to allow for further legislative refinement. Firms doing business in Colorado that develop or deploy high-risk AI systems should treat June 30, 2026 as the operative compliance milestone.

The intervening period was used by the Colorado AG to publish implementation guidance at coag.gov/ai, including FAQ-format clarifications on the developer-deployer distinction, the small-business exemption, and the consumer-notice requirements.

What does compliance documentation look like?

A compliant deployer at the June 30, 2026 enforcement-begin date should be able to produce, on request from the Attorney General or a Colorado consumer, the following artifacts:

• A written risk-management policy mapped to the NIST AI Risk Management Framework or another recognized framework, dated within the past 12 months.
• A completed impact assessment for each high-risk AI system in use, dated within the past 12 months and refreshed on material modification.
• The developer-supplied disclosure statement for each system in use.
• Consumer-notice templates demonstrating the required disclosures (factors in the decision, data processed, opportunity to correct, appeal process).
• An incident log documenting any algorithmic-discrimination finding and the AG report submitted within 90 days, if applicable.

A developer should be able to produce the public statement, the per-deployer disclosure statements distributed in the past 12 months, and the supporting documentation that informs them.

Law firms whose AI use does not trigger the Act’s “high-risk” threshold may still find this documentation set valuable: it overlaps substantially with the documentation required by the Colorado Rules of Professional Conduct under Rule Change 2026(02), and with the renewal-readiness artifacts described in ABA Formal Opinion 512.

How does this interact with Colorado state-bar guidance?

The Colorado AI Act and the Colorado Rules of Professional Conduct address overlapping but distinct domains. The AI Act protects Colorado consumers from algorithmic discrimination by entities using high-risk AI systems. The Rules of Professional Conduct govern the use of any AI system by an attorney in the course of legal representation, regardless of whether the system is “high-risk” under the Act.

Colorado Rule Change 2026(02), effective January 2026, codified that AI use does not diminish RPC obligations. Colorado has the highest-profile US attorney discipline case on AI to date, People v. Crabill (90-day suspension, November 2023), establishing that not reading or verifying AI-generated citations violates Rules 1.1 and 3.3. The Colorado Court of Appeals’ published warning in Al-Hamim v. Star Hearthstone (December 2024) reinforces the verification duty for filed work product.

Where the Act and the RPC both apply (a firm using a client-intake AI system that is also a “high-risk” deployment), the obligations stack: the firm must satisfy both the Act’s consumer-notice and impact-assessment duties and the RPC’s competence, supervision, and candor duties. Where state rules are stricter than the Act, the state rule controls. The deeper Colorado bar guidance is on the Colorado state page.

Who enforces it?

The Colorado Attorney General has exclusive enforcement authority under the Act. The Act does not create a private right of action for consumers. AG enforcement actions may be brought as deceptive trade practices under the Colorado Consumer Protection Act framework. Civil penalties up to $20,000 per violation are available; each violation is treated as a separate count.

The Colorado Department of Law’s AI implementation page at coag.gov/ai is the authoritative location for forthcoming rulemaking, FAQ updates, and enforcement priorities. Firms that develop or deploy high-risk AI systems for Colorado consumers should monitor the page through the second half of 2026.

Primary sources

• Colorado SB 24-205, Consumer Protections for Interactions with Artificial Intelligence Systems Act, signed May 17, 2024: signed bill text (PDF).
• Colorado SB 25B-004, 2025 Special Session amendments postponing AG enforcement to June 30, 2026: leg.colorado.gov/bills/sb25b-004.
• Colorado Attorney General, Artificial Intelligence implementation page: coag.gov/ai.
• People v. Crabill, 23PDJ067 (Office of the Presiding Disciplinary Judge of the Colorado Supreme Court, Nov. 22, 2023): stipulation to discipline (PDF).
• Colorado Supreme Court, Rule Change 2026(02), effective January 2026: Rule Change 2026(02) (PDF).
• Al-Hamim v. Star Hearthstone, LLC, 24CA0190 (Colo. App. Dec. 19, 2024): opinion (PDF).