What is Colorado SB 205?

Colorado SB 205, the Colorado Artificial Intelligence Act, is a state law effective February 1, 2026, that imposes obligations on developers and deployers of high-risk AI systems doing business in Colorado. It is the first US state AI law to require risk management programs, annual impact assessments, consumer transparency notices, adverse action explanations, and human review rights for AI-influenced consequential decisions. It is enforced by the Colorado Attorney General and provides a NIST AI RMF safe harbor for compliant deployers.

What explanation must deployers provide for adverse AI decisions?

When a high-risk AI system produces an adverse consequential decision (denial of credit, adverse employment action, denial of healthcare authorization, adverse insurance decision), the deployer must provide the consumer — upon request — the specific reasons for the adverse decision. 'Specific reasons' means the factors that influenced this consumer's outcome, not a generic description of how the AI system operates. This requires per-decision records capturing the inputs and reasoning that influenced the outcome. An adverse action notice that says 'our AI model scored you below the threshold' does not satisfy the requirement.

What does the NIST AI RMF safe harbor provide?

Section 6-1-1704 provides a rebuttable presumption of compliance for deployers who implement a risk management program consistent with NIST AI RMF, ISO 42001, or a substantially equivalent framework — and complete the required annual impact assessments and consumer rights mechanisms. A rebuttable presumption shifts the burden to the Colorado AG to prove the program was inadequate. It does not guarantee immunity from enforcement — a documented program with no operational implementation does not qualify. The safe harbor requires the framework to be genuinely implemented with functioning technical and organizational controls.

How does Colorado SB 205 compare to EU AI Act?

Colorado SB 205 and EU AI Act both use a risk-tiered approach focused on consequential decisions, but differ significantly. EU AI Act specifies detailed technical requirements — Article 12 logging with post-hoc reconstruction capability, Article 13 transparency documentation, Article 9 risk management system. Colorado SB 205 is outcome-focused — it requires risk programs and consumer rights without mandating specific technical implementations. EU AI Act has no safe harbor equivalent; SB 205 does. EU AI Act penalties go up to 6% of revenue; SB 205 uses civil penalties and injunctive relief. Both apply when the AI affects persons in their respective jurisdictions regardless of where the AI is deployed.

Does Colorado SB 205 apply to companies outside Colorado?

Yes. Colorado SB 205 applies to any developer or deployer doing business in Colorado — a standard that includes out-of-state companies whose AI systems affect Colorado consumers. A fintech company headquartered in New York that uses AI to make credit decisions for Colorado residents is a deployer in scope. An AI vendor in San Francisco whose credit scoring system is used by Colorado lenders is a developer in scope. The standard is the effect on Colorado consumers, not the location of the AI company's operations.

What records must deployers retain under Colorado SB 205?

Deployers must retain for at least three years: the annual impact assessment for each high-risk AI system, records demonstrating consumer notices were provided, records of human review requests and outcomes, records of data correction requests and outcomes, and documentation of the risk management program. These records must be available for Colorado AG examination. Three years is the SB 205 minimum; where sector-specific regulations require longer retention (HIPAA requires 6 years, ECOA requires 25 months for adverse action notices), apply the stricter requirement.

Colorado SB 205: What Developers and Deployers of High-Risk AI Systems Must Do

Q: Which AI systems are high-risk under Colorado SB 205?

An AI system is high-risk under SB 205 if it makes or substantially assists in making a consequential decision — a decision with a material, legal, or similarly significant effect on a consumer's access to education enrollment, employment, financial or lending services, essential government services, healthcare, housing, insurance, or legal services. The definition covers traditional ML, LLMs, and hybrid systems. 'Substantially assists' includes AI that generates scores or recommendations used by human decision-makers, even when a human makes the final call.

Q: What is a deployer's biggest obligation under Colorado SB 205?

The most operationally intensive obligation for deployers is the annual impact assessment — a documented evaluation of each high-risk AI system covering its purpose, known risks, risk mitigation measures, training data description, and performance metrics including accuracy and bias evaluation results. This assessment must be updated whenever the system undergoes a material change and retained for at least three years. The impact assessment is not a one-time compliance artifact — it is an ongoing operational requirement.

Colorado SB 205, the Colorado Artificial Intelligence Act, is the first US state AI law imposing substantive obligations on developers and deployers of high-risk AI systems. Effective February 1, 2026, it defines high-risk AI as systems that make or substantially assist in making consequential decisions — in employment, credit, housing, healthcare, insurance, education, essential government services, and legal services. Developers must document systems, disclose risks to deployers, and publish public statements. Deployers must implement a risk management program, complete annual impact assessments, notify consumers, provide adverse action explanations, and enable human review rights. A NIST AI RMF safe harbor is available for deployers with documented programs.

Who Colorado SB 205 Covers

Colorado SB 205 applies to any developer or deployer doing business in Colorado. Developer means any person who develops or substantially modifies a high-risk AI system and makes it commercially available — including companies that fine-tune foundation models for high-risk applications. Deployer means any person who deploys a high-risk AI system to make or substantially assist in making consequential decisions about Colorado consumers. The law has no revenue threshold or employee count exemption. Any size business using a high-risk AI system that affects Colorado residents is in scope. An entity can be both developer and deployer simultaneously.

What Counts as a High-Risk AI System Under SB 205

A high-risk AI system is one that makes or substantially assists in making a consequential decision. Consequential decisions are those with a material, legal, or similarly significant effect on a consumer's access to: education enrollment, employment, financial or lending services, essential government services, healthcare, housing, insurance, or legal services. The substantially assists threshold is significant — an AI that generates a risk score used by a human decision-maker is covered even if a human makes the final determination. The definition is technology-agnostic, covering traditional ML, LLMs, rule-based systems, and hybrid approaches.

Deployer Obligations: Risk Program and Impact Assessments

Deployers must implement and maintain a risk management program using NIST AI RMF, ISO 42001, or a substantially equivalent framework — with documented policies, procedures, and accountable roles. Annually, deployers must complete an impact assessment for each high-risk AI system documenting: the system's purpose and known risks, measures implemented to mitigate identified risks, a description of training data including sources and known limitations, and performance metrics including accuracy and bias evaluation results. Impact assessments must be updated whenever the AI system undergoes a material change — including model updates, significant prompt changes, and changes to the decision domain.

Consumer Rights: Notice, Explanation, and Human Review

Colorado SB 205 grants consumers three rights when subject to a consequential AI decision. Right to Notice: consumers must be informed that a high-risk AI system was used in making or substantially assisting in the decision — at or before the time of the decision. Right to Explanation: for adverse decisions, consumers may request the specific reasons the decision was adverse — the factors that influenced this consumer's outcome, not generic AI documentation. Right to Human Review: consumers may appeal an adverse decision and request review by a human with authority to overturn it. Right to Correction: consumers may correct inaccurate personal data that contributed to the decision and have the decision reconsidered.

The NIST AI RMF Safe Harbor

Section 6-1-1704 provides a rebuttable presumption of compliance for deployers who implement and maintain a risk management program consistent with NIST AI RMF, ISO 42001, or a substantially equivalent framework — and complete the required impact assessments and consumer rights mechanisms. The presumption shifts the burden of proof to the Colorado AG to demonstrate the program was inadequate. The safe harbor requires genuine implementation — not paper compliance. An audit would examine whether behavioral monitoring is actually running, whether impact assessment performance metrics are based on real data, and whether human review mechanisms genuinely allow overriding AI decisions.