On May 17, 2024 Colorado Governor Polis signed the landmark Colorado AI Act (Senate Bill 24-205) into law. Colorado is now the first US state with comprehensive AI regulation, adopting a classification system like the European Union’s recent AI Act. The law will take effect February 1, 2026.
The law exempts small employers (fewer than fifty full-time employees) from some of its requirements but otherwise requires companies to take extensive measures to protect Colorado residents against harms such as algorithmic discrimination.
SB 205’s Details
SB 205 requires “developers” and “deployers” of “high-risk artificial intelligence systems” to use “reasonable care” to protect Colorado resident consumers from any known or reasonably foreseeable risks of “algorithmic discrimination.” As written, the law most likely applies to both creators of high-risk AI systems, as well as employers adopting high-risk AI technologies within their organization.
Key definitions in SB 205
- High-Risk AI System: A system that when deployed, makes, or is a substantial factor in making, a “consequential decision.”
- Consequential Decision: A decision that has “material legal or similarly significant effect” on the provision or denial to any consumer of, or the cost or terms of:
- Educational enrolment or an education opportunity;
- Employment or an employment opportunity;
- A financial or lending service;
- An essential government service;
- Health-care services;
- Housing;
- Insurance; or
- A legal service.
- Deployer: A person doing business in Colorado that deploys a high-risk AI system. This presumably includes employers (with more than 50 employees) in the state.
- Developer: A person doing business in Colorado that develops or intentionally and substantially modifies an AI system.
- Consumer: An individual who is a Colorado resident.
Classification system
SB 205 adopts similar classifications as exist under the EU AI Act, classifying entities as either a Developer or a Deployer. The role of an entity impacts the attendant obligations.
| Obligations under SB 205 | Developers | Deployers |
| Detailed documentation requirements | Required | Not required |
| Risk management policy specifying and incorporating the principles, processes and personnel that the deployer uses to identify, document and mitigate known or reasonably foreseeable risks of algorithmic discrimination | Not required | Required |
| Detailed impact assessment completed pursuant to the requirements of SB 205 | Not required | Required |
| Direct notice to the consumer in plain language | Required | Required |
| Disclosure of consequential decisions | Not required | Required |
| Reporting to the state Attorney General | Required | Required |
| Disclosure of AI systems that interact with consumers | Required | Required |
Risk Management Framework
Highlighting the importance of aligning AI governance to a standardized risk management framework, such as the NIST AI Risk Management Framework, the new law requires companies to comply with a standard risk management framework in order to assert an affirmative defense in response to an enforcement action.
Enforcement
SB 205 does not have a private right of action. The Colorado Attorney General has exclusive enforcement authority and may seek up to $20,000 per violation of the law. In the case of an enforcement action, the law creates an affirmative defense for businesses that can show they have taken steps to address any discovered violations, and that they are in compliance with a national or international risk management framework for AI.
Next Steps
We recommend that organizations that develop or deploy AI systems in Colorado:
- Review existing AI governance to confirm it conforms to a standardized risk management framework.
- Draft and implement a risk management policy and program if deploying a high-risk AI system in the organization.
- Identify AI systems they are developing or using that make consequential decisions such the AI systems are subject to SB 205 (this may include deploying AI technologies in HR decision-making like recruiting, hiring and performance management).
- Establish processes for detecting and mitigating algorithmic bias arising from their use of such AI systems.
- Prepare documentation required by SB 205 based on the role of the entity as set forth above.
The Colorado Attorney General is authorized to promulgate rules on the legislation and we will continue to monitor and report updates. We note that it is likely the law may serve as a model for other state legislatures across the US, or for states with pending regulation to move forward quickly.
Our cross-functional team of experts is available to support your organization in developing or deploying AI systems in a responsible manner. Please contact your Baker McKenzie attorney with questions.