Colorado AI Law Compliance: A Step-by-Step Guide to SB 24-205

Everything covered businesses need to do to comply with Colorado SB 24-205 (the Colorado AI Act) — including the latest delay to June 30, 2026 and the federal court enforcement pause.

Colorado AI law compliance is the most demanding state AI regime in the US. Senate Bill 24-205 covers developers and deployers of "high-risk artificial intelligence systems." It requires impact assessments, consumer notices, and a written risk-management policy.

The law was originally set to take effect February 1, 2026. Colorado SB 25B-004 (signed August 28, 2025) pushed the effective date to June 30, 2026. On April 27, 2026, a federal court paused enforcement while lawmakers consider further amendments.

This Colorado AI law compliance guide walks through who is covered, what each role must do, and a step-by-step checklist to get ready before enforcement starts.

Current Colorado AI law effective date (June 2026)

The Colorado AI Act effective date has moved twice. The original February 1, 2026 date was pushed to June 30, 2026 by SB 25B-004. A federal court paused enforcement on April 27, 2026 while amendments are debated.

Some proposals would push the effective date to January 1, 2027. As of June 2, 2026, the law is still scheduled to take effect June 30, 2026, but enforcement is paused.

  • Original effective date — February 1, 2026 (set by the 2024 law).
  • Current scheduled date — June 30, 2026 (set by SB 25B-004).
  • Federal court — Paused enforcement on April 27, 2026.
  • Proposed alternative — January 1, 2027 under a new ADMT framework still being debated.
  • Action item — Build your compliance program to the June 30, 2026 date until the final rule is set.
Even with the delay and enforcement pause, start your Colorado AI compliance work now. Impact assessments and AI inventories take 3–6 months to build well.

Who the Colorado AI Act covers

SB 24-205 covers two roles: AI developers and AI deployers. Both roles can be one company at the same time.

The law applies only to "high-risk AI systems" — those that make or substantially influence "consequential decisions" about Colorado residents. Many ordinary AI tools are not covered.

  • Developer — A person doing business in Colorado that develops or substantially modifies an AI system.
  • Deployer — A person doing business in Colorado that uses a high-risk AI system.
  • High-risk AI — Any AI system that makes or substantially influences a "consequential decision."
  • Consequential decision — A decision that affects a Coloradan's access to or terms of education, employment, financial or lending services, government services, healthcare, housing, insurance, or legal services.
  • Exemptions — Anti-fraud systems, anti-malware, calculators, databases, and small operations under specified thresholds.

Developer duties under the Colorado AI Act

Developers must give deployers the information they need to comply. The law expects developers to make documentation, risk summaries, and impact-assessment templates available.

  • Provide a documentation statement describing the high-risk AI system, its uses, its known limitations, and its training-data sources at a high level.
  • Provide a summary of an impact assessment, including risks of algorithmic discrimination.
  • Provide a risk-management plan template that deployers can use as a starting point.
  • Disclose to the Colorado AG within 90 days of discovering that the AI has caused or is likely to cause algorithmic discrimination.
  • Update documentation when the AI is substantially modified.

Deployer duties under the Colorado AI Act

Deployer duties are the heaviest piece of SB 24-205. Most company-side compliance work falls here.

The key requirements are an impact assessment, a written risk-management policy, consumer notice, and a chance for consumers to correct data or appeal a decision.

  • Adopt and maintain a written AI risk-management policy and program.
  • Complete an impact assessment for each high-risk AI deployment and update it annually.
  • Notify consumers before the AI makes or substantially influences a consequential decision.
  • If the decision is adverse, tell the consumer what data the AI used and how to correct it.
  • Give consumers a chance to appeal an AI-driven adverse decision to a human reviewer.
  • Disclose algorithmic discrimination to the Colorado AG within 90 days of discovery.
  • Use NIST AI RMF or another recognized risk-management framework — this earns explicit safe-harbor credit.
NIST AI RMF is the easiest way to satisfy the risk-management policy requirement. Adopt it once and you cover most of Colorado, the EU AI Act, and California overlap.

Enforcement, penalties, and the AG's rulemaking authority

The Colorado Attorney General has exclusive enforcement authority. There is no private right of action.

The AG can issue rules on impact-assessment content, recordkeeping, and risk-management programs. Rulemaking is ongoing as of June 2026.

  • Enforcement by the Colorado AG only. No private lawsuits.
  • Violations treated as unfair trade practices under Colorado law.
  • Civil penalties under the Colorado Consumer Protection Act.
  • Rebuttable presumption of compliance if the deployer follows NIST AI RMF.
  • AG has authority to issue rules — watch coag.gov for new rulemakings throughout 2026.
  • Federal court enforcement pause as of April 27, 2026 — keep watching the docket for updates.

Colorado AI law compliance checklist

Below is the order of operations Layer3 uses to get clients ready for SB 24-205. Most teams need 3–6 months to do this well.

  • 1) Build an AI inventory — every system, who owns it, and what Colorado data it touches.
  • 2) Classify each system — is it "high-risk" under SB 24-205? Document the call.
  • 3) Adopt NIST AI RMF 1.0 as your written risk-management framework.
  • 4) Draft a one-page AI use policy covering disclosure, prohibited uses, and human review.
  • 5) Build an impact assessment template — use the NIST AI RMF Generative AI Profile as a base.
  • 6) Run an impact assessment for each high-risk system before the effective date.
  • 7) Update consumer-facing flows — add AI notice before consequential decisions.
  • 8) Stand up an adverse-action notice and an appeal-to-human path.
  • 9) Build a vendor due-diligence checklist — request developer documentation under SB 24-205.
  • 10) Set up a discovery-to-AG-notification workflow with a 90-day clock.
  • 11) Train your team — engineering, product, legal, and HR each have a role.
  • 12) Re-check the docket and the Colorado AG website monthly through June 2026.

How Layer3 helps with Colorado AI law compliance

Layer3 builds Colorado AI compliance programs that match real risk. We start with an AI inventory and a high-risk classification pass. From there we build the impact assessments, policies, and consumer notices needed to satisfy the AG.

We work alongside your legal team. Layer3 is not a law firm — but we know what the law requires, and we build the operational pieces so your lawyers can sign off quickly.

Frequently Asked Questions

  • The Colorado AI Act (SB 24-205) is currently scheduled to take effect June 30, 2026. The original date was February 1, 2026, but SB 25B-004 (signed August 28, 2025) pushed it back. A federal court paused enforcement on April 27, 2026 while lawmakers consider further amendments — but the effective date is still on the books.
  • Two roles: AI developers and AI deployers, both as defined in SB 24-205. Coverage is limited to "high-risk AI systems" — those that make or substantially influence "consequential decisions" about Coloradans in education, employment, lending, government services, healthcare, housing, insurance, or legal services.
  • An impact assessment is a written document describing how the AI system is used, who it affects, the risks of algorithmic discrimination, and how those risks are mitigated. Deployers must complete one for each high-risk AI deployment and update it annually. NIST AI RMF and its Generative AI Profile are the most common templates.
  • Yes. The law creates a rebuttable presumption of compliance for organizations that follow a recognized AI risk-management framework — most notably NIST AI RMF. That is why most companies adopt NIST AI RMF as their Colorado baseline.
  • The Colorado Attorney General has exclusive enforcement authority. There is no private right of action. Violations are treated as unfair trade practices under the Colorado Consumer Protection Act, with civil penalties under that statute.
  • On April 27, 2026, a federal court paused enforcement of Colorado SB 24-205 while litigation and amendments are debated. The pause does not change the law's text or the June 30, 2026 effective date — but the AG cannot enforce it until the pause is lifted. Build your compliance program anyway.
  • Yes, if you do business in Colorado. SB 24-205 applies to any developer or deployer "doing business in Colorado" that meets the law's definitions. Out-of-state companies serving Colorado residents are typically covered.

Get your Colorado SB 24-205 compliance plan

Layer3 Labs helps Colorado-facing businesses get ready for SB 24-205 — AI inventory, high-risk classification, NIST AI RMF adoption, impact assessments, and consumer-notice rollouts.

Book a free Colorado AI compliance call