If your company uses AI in Colorado, you may need an impact assessment by June 30, 2026.

Most companies don't have one yet. Here's what the Act actually requires.

The Colorado AI Act treats non-compliance as a deceptive trade practice. Penalties can reach $20,000 per violation.

But the penalty isn't the only risk. Companies that can't show they've assessed their AI systems lose deals to companies that can. Procurement teams are already asking for this documentation. If you don't have it, you're not in the running.

And if something does go wrong with an AI system at a company that never wrote a risk management policy, it tends to go worse for them than for the ones who did the work.

What the Act Requires

If your company uses a covered high-risk AI system, the Act generally requires:

  1. A written risk management policy and program.
  2. An impact assessment for each high-risk AI system.
  3. Records supporting each assessment.
  4. An annual review of each system.
  5. Consumer-facing notices at deployment time.
  6. A public website disclosure statement.
  7. An incident and discrimination response process.

The full compliance package covers all seven. You get the inventory, the assessments, the notices, the response plan, and the review schedule, all ready to implement.

74

days until deployer obligations take effect

Not sure if your AI systems are covered?

Start My Assessment

Common Questions

What counts as a high-risk AI system under this Act?

Generally, one that makes or is a substantial factor in making a "consequential decision" in areas like employment, financial services, healthcare, housing, insurance, education, government services, or legal services. The details matter. This isn't a substitute for reading the statute or talking to a lawyer.

What are the penalties?

The Act treats violations as deceptive trade practices. Civil penalties can reach $20,000 per violation. Not having a risk management policy when something goes wrong makes things harder to defend.

What do I actually get?

AI system inventory and scoping memo. Written risk management policy. Per-system impact assessments. Testing records. Annual review memo. Change-management process. Consumer and adverse-decision notice templates. Public AI disclosure statement. Record retention file. Incident escalation and AG-notice procedure.

When does this take effect?

The Act was signed May 2024. Most deployer obligations take effect June 30, 2026. That's less than a year from now.

Can't my lawyer handle this?

They can. Most charge $10,000–$25,000 for equivalent scope and take longer. We focus on this specific compliance area and get into the technical weeds, which is why we'll be able to tell you what is actually possible with your technology stack. If your lawyer wants to review what we produce, that's a $500 legal review, not a $15,000 project.