Update (May 2026): SB 26-189 moved the Colorado AI Act's effective date to January 1, 2027. The original June 30, 2026 deadline no longer applies. This guide has been updated to reflect the new timeline.
The Colorado AI Act (SB 24-205, as amended by SB 26-189) takes effect January 1, 2027. If you deploy AI systems that make consequential decisions about Colorado consumers, use the extended timeline to build a thorough compliance program. Here's a focused five-step guide.
Step 1: Determine Whether You're Covered
Not every business that uses AI is covered. The law applies to deployers of high-risk AI systems when:
- The AI makes or substantially contributes to a consequential decision — one that materially affects an individual's access to education, employment, credit, housing, insurance, healthcare, or legal services.
- The individual affected is a Colorado consumer (resident, not necessarily a citizen).
You're likely covered if you:
- Use AI tools for hiring, promotion, or termination of employees in Colorado
- Use automated underwriting for loans, insurance, or leases for Colorado customers
- Deploy clinical decision support AI used with Colorado patients
- Use AI-driven admissions tools for Colorado students
You're likely NOT covered if:
- Your AI is purely for internal operations (not consumer-facing)
- Your AI output is advisory only, with a human making the final consequential decision independently
- You meet the small-business exemption (review carefully — it's narrow)
Step 2: Inventory Your High-Risk AI Systems
Walk through every AI tool your business uses. For each one, ask:
- Does it make or substantially contribute to a consequential decision?
- Does it affect Colorado consumers?
Document your findings in a simple spreadsheet: tool name, vendor, domain (employment / credit / etc.), whether it's high-risk, and who owns compliance for it.
Step 3: Complete Impact Assessments
For every high-risk AI system, you must complete a written impact assessment before the January 1, 2027 deadline. The assessment must document:
- The intended purpose of the AI system
- Known and reasonably foreseeable risks of algorithmic discrimination
- How the system was evaluated for discriminatory outcomes
- Training data sources and how data quality was ensured
- How explainability and transparency are provided
- What human oversight mechanisms are in place
- How the business will monitor for disparate impact post-deployment
Impact assessments must be updated annually and whenever the system is materially changed.
Step 4: Set Up Consumer Notifications and Appeal Rights
Under the Colorado AI Act, when a high-risk AI system makes a consequential decision about a consumer, you must:
- Notify the consumer that AI was used in the decision
- Provide a plain-language explanation of how the AI influenced the decision
- If the decision is adverse, tell the consumer which factors led to it
- Give the consumer a way to appeal or request human review
- Make opt-out mechanisms available for consumers who don't want AI-assisted decisions
Prepare template language for these notifications now. Get them reviewed by counsel before deployment.
Step 5: Conduct Vendor Due Diligence
If you use third-party AI systems (from vendors), you need documentation from those vendors. Specifically:
- Written description of the AI system's purpose and capabilities
- Information about training data sources and validation
- Known risks of algorithmic discrimination and how they're mitigated
- How the vendor supports deployer compliance (documentation, API for explanations, audit trails)
Review your AI vendor contracts. Add data processing agreements and representations about AI Act compliance where missing. Some vendors are well ahead of this — others aren't.
What Happens If You Miss the Deadline?
The Colorado AG's office enforces the law. Penalties can reach $20,000 per violation. The AG must provide 60 days' notice (a cure period) before initiating action, so early enforcement is likely to be directed at businesses that haven't made a good-faith compliance effort.
This article is for informational purposes only and does not constitute legal advice. Always consult qualified counsel before making compliance decisions.