Skip to main content
ENFORCEMENT IN 137 DAYS — JUNE 30, 2026

Colorado AI ActCompliance Service

SB24-205 creates the most comprehensive state-level AI regulation in the U.S. — covering 8 consequential decision categories, with dual obligations for developers and deployers, annual impact assessments, and penalties up to $20,000 per violation.

We build your compliance documentation — impact assessments, risk management policies, consumer notices, evidence bundles, and public disclosures — so you're ready before enforcement begins.

8
Decision Categories
Employment to Legal
14
Statutory Rules
Mapped & Tracked
$20K
Per Violation
CRS § 6-1-1706
60
Day Cure Period
First Offense Only
Check Your Requirements (Free) See Pricing
Deterministic Engines SHA-256 Evidence Cryptographic Audit Trail Statute-Mapped Docs
FREE TOOL

Does the Colorado AI Act Apply to You?

Answer 3 questions to find out your classification, obligations, and risk level under SB24-205.

Do you do business in Colorado or serve Colorado residents?

The law applies to any organization whose AI affects Colorado residents, regardless of location.

8 Categories of Consequential Decisions

If your AI makes or substantially assists in decisions in any of these areas, it is classified as “high-risk” under SB24-205. Source: CRS § 6-1-1701(3).

Employment

Hiring, promotions, termination, compensation

Education

Admissions, financial aid, grading

Financial

Loans, credit, mortgages, interest rates

Healthcare

Treatment access, coverage, diagnosis

Housing

Rental screening, tenant checks, leases

Insurance

Coverage, pricing, claims, risk scoring

Government

Benefits, licenses, permits, services

Legal

Legal aid, case predictions, bail

AI systems that do not make consequential decisions — such as spell-checkers, spam filters, and general chatbots — are generally not high-risk. Source: CRS § 6-1-1701(9)(b).

Why Start Now — Not in 2026

The June 30, 2026 deadline is statutory and immovable. Compliance preparation takes months, not weeks.

Vendor Documentation Takes Weeks

Requesting model cards and performance metrics from AI vendors is a 4-8 week process. Most vendors have never been asked for this.

Start vendor requests now

Impact Assessments Require Data

Annual impact assessments require internal data collection — system inventories, decision logs, demographic analysis.

Begin data collection now

Safe Harbor = Day-One Defense

Following NIST AI RMF or ISO 42001 before enforcement creates an affirmative defense from day one. Source: CRS § 6-1-1706(3).

Establish framework alignment now

60-Day Cure Period Advantage

First-time violations get a 60-day fix window with no penalty. But only if you have a compliance program in place.

Build your safety net now

Policy Drafting Is Iterative

Risk management policies, consumer notice templates, and public disclosures require multiple review cycles with stakeholders.

Start drafting now

Costs Rise Near Deadlines

Every compliance deadline sees a surge in demand and pricing. Organizations that start early get better service and lower costs.

Lock in current pricing

What the Law Requires

SB24-205 creates separate obligations for developers and deployers. Most organizations are deployers. Many are both.

Deployer Obligations

Organizations that use AI for decisions

  • 1
    Reasonable Care§ 6-1-1703(1)

    Exercise reasonable care to prevent algorithmic discrimination in your use case

  • 2
    Risk Management Policy§ 6-1-1703(2)

    Implement a written risk management policy and program for AI systems

  • 3
    Annual Impact Assessment§ 6-1-1703(3)

    Complete impact assessment before deployment and annually thereafter

  • 4
    Consumer Pre-Decision Notice§ 6-1-1703(4)(a)

    Notify consumers before AI makes or assists in consequential decisions

  • 5
    Adverse Decision Notice§ 6-1-1703(4)(b)

    Explain reasons when AI contributes to adverse decisions, offer appeal

  • 6
    Public Website Disclosure§ 6-1-1703(5)

    Publish types of high-risk AI used and discrimination risk management

Developer Obligations

Organizations that build or modify AI

  • 1
    Reasonable Care§ 6-1-1702(1)

    Protect consumers from known or foreseeable risks of algorithmic discrimination

  • 2
    Deployer Documentation§ 6-1-1702(2)

    Provide clear documentation including use cases, limitations, and risk information

  • 3
    Impact Assessment Materials§ 6-1-1702(3)

    Provide model cards, dataset cards, and materials for deployer impact assessments

  • 4
    Public Website Disclosure§ 6-1-1702(4)

    Publish types of high-risk AI developed and discrimination risk management

  • 5
    AG Notification§ 6-1-1702(5)

    Report algorithmic discrimination to AG and deployers within 90 days

Small Business Exemption

Deployers with <50 employees who don't train AI with their own data are exempt from DEPLOY-2, DEPLOY-3, and DEPLOY-6. Must still comply with DEPLOY-1, DEPLOY-4, and DEPLOY-5. Source: CRS § 6-1-1703(6).

NYC Local Law 144 vs Colorado AI Act

Already compliant with NYC? Colorado is broader, deeper, and structurally different.

AspectNYC LL144Colorado SB24-205
ScopeEmployment decisions only (AEDTs)8 consequential decision categories
Who Must ComplyEmployers + employment agenciesDevelopers AND Deployers (dual obligations)
Third-Party AuditRequired (independent auditor)Not required — internal assessment allowed
Impact AssessmentNot requiredRequired annually + before deployment
Risk Management PolicyNot requiredRequired for all deployers
Consumer NoticeRequired (10 days before use)Required (before consequential decision)
Appeal RightsNot specified45-day response requirement
Safe HarborNoneNIST AI RMF / ISO 42001 = affirmative defense
Cure PeriodNone60 days for first offense
EnforcementNYC DCWPColorado Attorney General (exclusive)
Penalty$500-$1,500/violation/dayUp to $20,000 per violation
Private LawsuitsPossible under other lawsNo private right of action under this law
Small Biz ExemptionNone<50 employees (conditional)

Already have NYC compliance? Your bias testing methodology and evidence architecture transfer directly. See our NYC service.

AFFIRMATIVE DEFENSE

The Safe Harbor Advantage

CRS § 6-1-1706(3) creates a powerful affirmative defense: follow a recognized AI risk framework, actively look for problems, and fix what you find — and you have a legal defense against AG enforcement.

This is a rebuttable presumption of “reasonable care” — not immunity. But it must be established before enforcement begins.

Establish Your Safe Harbor

NIST AI Risk Management Framework

AG-recognized

Comprehensive AI risk governance framework from NIST

ISO/IEC 42001

AG-recognized

International standard for AI management systems

Other AG-Designated Frameworks

Future

Additional frameworks may be designated by the AG

Important: Safe harbor requires: (1) follow a recognized framework, (2) discover violations through internal review or testing, and (3) cure the violation. All three must be documented.

What We Prepare For You

Every deliverable mapped to a specific statutory requirement. Colorado-specific, citation-backed documentation.

Deployer

Impact Assessment Framework

Pre-structured template covering all 6 required content areas: purpose, discrimination analysis, data description, performance metrics, transparency measures, and post-deployment monitoring.

CRS § 6-1-1703(3)(b)
Deployer

Risk Management Policy Draft

Written policy template with governance structure, risk identification processes, mitigation measures, training requirements, and review schedule.

CRS § 6-1-1703(2)
Deployer

Consumer Notice Templates

Pre-decision and adverse decision notice templates. AI disclosure language, appeal rights, data correction rights, contact information.

CRS § 6-1-1703(4)
Both

Public Website Statement

Draft public disclosure listing high-risk AI systems, discrimination risk management practices, and data collection descriptions.

CRS § 6-1-1702(4) / § 6-1-1703(5)
Both

Discrimination Testing Protocol

Algorithmic discrimination testing methodology using deterministic engines. Disparate impact testing, intersectional analysis, and remediation criteria.

CRS § 6-1-1702(1) / § 6-1-1703(1)
Both

SHA-256 Evidence Bundle

Cryptographically verifiable evidence package. Every document hashed and timestamped. Designed for AG review.

CRS § 6-1-1703(3)
Deployer

AI System Inventory Template

Structured inventory with purpose, vendor, deployment date, risk classification, and last assessment date.

CRS § 6-1-1703(2)
Deployer

Appeal Process Framework

Consumer appeal process template with 45-day response workflow, human review procedures, escalation paths.

CRS § 6-1-1704(2)
Both

Incident Response Playbook

AG notification workflow for discovered discrimination. 90-day timeline, investigation checklist, remediation documentation.

CRS § 6-1-1702(5) / § 6-1-1703(7)

Preview Our Work

See the quality of our compliance documentation before you engage. Real sample artifacts — not mockups.

View All Sample Reports

The HAIEC Difference

Compliance documentation generated by deterministic engines — not AI. Every output is reproducible, verifiable, and auditable.

Deterministic Engines

Rule-based analysis produces identical outputs for identical inputs. No probabilistic AI making compliance judgments.

Cryptographic Evidence

Every artifact is SHA-256 hashed and timestamped. Evidence bundles are tamper-evident and independently verifiable.

Statute-Mapped Documentation

Every deliverable traces to a specific CRS section. No generic templates. Every claim backed by a statutory citation.

Multi-Framework Reusability

Evidence collected for Colorado feeds into SOC 2, ISO 42001, and other frameworks. One engagement, multiple benefits.

Full Transparency

Fixed pricing. No hourly billing surprises. No hidden fees. Sample reports published publicly.

Annual Review Framework

Your compliance package includes a structured annual review framework for year-over-year maintenance.

Compare Your Options

Three paths to compliance. Only one gives you statute-mapped documentation with cryptographic evidence.

FeatureDo NothingLaw FirmHAIEC
Impact Assessment TemplatesGenericColorado-specific, pre-filled
Risk Management Policy DraftBillable hoursTemplate + framework
Consumer Notice TemplatesLegal review onlyPre-built, customizable
Algorithmic Discrimination TestingDeterministic engines
SHA-256 Evidence BundlesCryptographic audit trail
NIST/ISO Framework AlignmentAdvisory onlyMapped to safe harbor
Public Website Statement DraftBillable hoursIncluded
Annual Review FrameworkRetainer requiredBuilt-in scheduling
Developer Documentation KitModel cards + data sheets
Transparent Fixed PricingN/A$300-$600/hrFrom $12,500
Target TimelineN/A6-12 weeks14 business days

14-Day Target Timeline

From intake to handoff in 14 business days. Timeline may vary based on organization complexity.

Day 1-2

Intake & Classification

Review your AI systems, classify developer/deployer roles, identify high-risk categories, assess exemption eligibility. Scoping document within 48 hours.

Day 3-5

Documentation Framework

Draft risk management policy, impact assessment framework, and consumer notice templates. All documents mapped to specific CRS sections.

Day 6-8

Discrimination Testing Protocol

Design algorithmic discrimination testing methodology, configure statistical tests, prepare monitoring dashboards.

Day 9-11

Evidence Architecture

Build SHA-256 evidence bundles, public website statement drafts, and AG-ready documentation packages.

Day 12-14

Review & Handoff

Executive briefing on compliance posture. Walk through every deliverable. Annual review framework and monitoring guidance.

Exemptions & Special Cases

Not everyone is covered. The law includes specific exemptions that could reduce your compliance burden.

Small Business (<50 Employees)

Partial Exemption

Exempt from risk management policy, impact assessments, and public disclosures if you don't train AI with your own data. Must still provide consumer notices.

CRS § 6-1-1703(6)

Insurance Companies

Full Exemption

Colorado-regulated insurers already subject to CRS § 10-3-1104.9 are fully exempt.

CRS § 6-1-1705(7)

Banks & Credit Unions

Conditional Exemption

Federally-examined financial institutions can use federal AI guidance instead, if it meets or exceeds Colorado requirements.

CRS § 6-1-1705(8)

FDA/FAA Approved Systems

Full Exemption

AI systems approved or certified by federal agencies are exempt. Federal oversight is deemed sufficient.

CRS § 6-1-1705(5)(a)

Federal Contractors

Partial Exemption

AI work under federal contracts is exempt. Exception: employment and housing decisions are still covered.

CRS § 6-1-1705(5)(c)

Non-Consequential AI

Full Exemption

Spell-checkers, spam filters, calculators, firewalls, and general chatbots with anti-discrimination policies are not high-risk.

CRS § 6-1-1701(9)(b)

Transparent Pricing

Fixed pricing. No hourly billing. No scope creep. You know exactly what you get.

Deployer Package

For organizations that use AI for decisions

$12,500one-time
  • Risk management policy draft
  • Impact assessment framework
  • Consumer notice templates (pre + adverse)
  • Public website statement draft
  • Discrimination testing protocol
  • Appeal process framework
  • AI system inventory template
  • SHA-256 evidence bundle
  • Annual review framework
  • Executive briefing (60 min)
Book Consultation
Most Comprehensive

Combined Package

Developer + Deployer (both roles)

$18,500one-time

Save $9,500 vs separate packages

  • Everything in Deployer Package
  • Everything in Developer Package
  • Cross-role obligation mapping
  • Unified evidence architecture
  • Combined public disclosure draft
  • Priority 10-day target timeline
  • Two executive briefings (60 min each)
  • Quarterly check-in for first year
Book Consultation

Developer Package

For organizations that build or modify AI

$15,500one-time
  • Reasonable care framework
  • Deployer documentation kit
  • Model card templates
  • Dataset documentation templates
  • Public website statement draft
  • Discrimination testing protocol
  • AG notification playbook
  • SHA-256 evidence bundle
  • Annual review framework
  • Executive briefing (60 min)
Book Consultation

Enterprise: Multi-system organizations and ongoing compliance — book a consultation for custom scoping.

Important Legal Disclaimer

HAIEC provides compliance documentation frameworks and evidence generation tools. We are not attorneys and do not provide legal advice. The Colorado AI Act (SB24-205) is enforced exclusively by the Colorado Attorney General. Our service prepares documentation for review by your legal counsel. All final compliance decisions should be made in consultation with qualified legal professionals. Penalty figures cited from CRS § 6-1-1706(2) and § 6-1-105(1)(hhhh).

Frequently Asked Questions

Ready to Prepare Your Colorado AI Compliance?

June 30, 2026 is 137 days away. Vendor documentation, impact assessments, and policy drafting take months. Start now.

We respond within 1 business day. No spam.

Statute-Mapped SHA-256 Evidence Deterministic Engines

This service does not constitute legal advice. HAIEC is not a law firm. The Colorado AI Act (SB24-205) is enforced by the Colorado Attorney General. Consult qualified legal counsel for compliance decisions. All statutory citations reference Colorado Revised Statutes as of 2025.