Colorado AI Act Set to Enter Force This Summer

In 2024, Colorado passed a landmark AI law. However, the governor and legislature got cold feet. Fearing the impacts on business and AI innovation, the law was put on hold until June 30, 2026. This delay was intended to allow time for revisions and amendments to ease burdens on AI companies. In the time since, there has been no political consensus on how to amend the AI Act. Absent action from Colorado’s government, the original bill will enter force this summer, a recent Clark Hill memo reminds us of the requirements:

• “AI Risk Assessments – Prior to starting use of AI and on an annual basis thereafter (and after any substantial changes to the program), business using AI must conduct an impact risk assessment which must include: (1) the purpose of the AI use, the actual intended use of the AI technology, the deployment context, and the benefits of the AI system, (2) an analysis of any known or reasonable foreseeable risks of discrimination through the use of the AI technology, the nature of those risks, and mitigation steps taken, (3) a description of the data used to make decisions and the output data of the AI system, (4) the testing done to prevent discrimination and monitor system use, (5) how the business is meeting transparency requirements with respect to the use of the AI technology, and (6) how the business is monitoring and overseeing the deployment of the AI for any issues.
• Consumer Disclosures – The business must disclose on its website the types of high-risk AI systems (i.e., systems making consequential decisions) it is using, how it is mitigating known and foreseeable risks, and, in detail, the nature, source, and extent of the information collected and used by the business with its AI systems.
• Risk Management Programs – deployers of AI technology must implement a risk management policy and program to govern their deployment of the AI technology. The policy must (1) specify the principles, processes, and personnel used to identify and mitigate discrimination in the use of the AI, (2) be an ongoing process that is reviewed and updated regularly, (3) be reasonable, considering factors such as how the program compares to established programs like NIST’s Artificial Intelligence Risk Management Framework or the size and complexity of the business. Of note, one policy or program can cover multiple uses of AI technology where applicable.
• Vendor Agreements – business must make sure that vendors that are supplying AI technology or assisting in the use of the businesses’ AI systems are providing the necessary information for the business to conduct its risk assessments and reporting obligations and working to prevent discrimination.
• Staff Training – businesses must train staff on consumer rights, the requirements of the CO AI Act and how it impacts the operation of the business and its use of the AI systems.
• Process Documentation – the business must document all of its efforts to monitor, evaluate, mitigate, and manage the risks associated with its use of AI systems to make consequential decisions.”

We’ll be tracking any proposed amendments to the Colorado AI Act. For the moment, companies would be wise to start preparing for compliance with the law as written.