Skip to main content
AI Compliance DocumentsDeadline: June 30, 2026

Colorado SB 24-205 · Enforcement begins June 30, 2026

You Just Found Out Your
Business Uses AI

If that AI makes decisions about hiring, lending, insurance, healthcare, housing, or education for Colorado residents — you need compliance documentation. That's the law.

Built from the enacted statute text on leg.colorado.gov. Not summaries. Not paraphrases. Not training data.

Get All 8 Documents — $449
Instant downloadStatute-cited30-day money-back guarantee

$20,000

per violation
C.R.S. § 6-1-112(1)(a)

$50,000

per violation, age 60+
C.R.S. § 6-1-112(1)(c)

AG Only

no private right of action
C.R.S. § 6-1-1706(6)

Deep Dive — How the Law Actually Works

Colorado SB 24-205, signed May 2024, is the first comprehensive state law governing AI. It targets any AI system that makes or substantially influences a “consequential decision” about employment, lending, housing, insurance, healthcare, education, or government services (§ 6-1-1701(3)).

The law distinguishes “developers” from “deployers.” Developers must provide documentation about training data, limitations, and discrimination risks. Deployers must implement risk management programs and conduct impact assessments. Separate responsibilities. Separate documents.

The affirmative defense (§ 6-1-1706(3)) requires two things: following NIST AI RMF or ISO/IEC 42001, and having a process to discover and cure violations. Following NIST alone is not enough.

If you discover algorithmic discrimination, a 90-day clock starts. Deployers must notify the AG. Developers must notify the AG and all known deployers.

Here's what's actually happening.

Colorado passed SB 24-205 in May 2024. It was supposed to take effect February 1, 2026. A special session bill in August 2025 pushed it to June 30, 2026. That's the deadline you're working with.

If your business deploys AI that makes or substantially influences decisions about Colorado residents in any of eight domains — employment, lending, insurance, healthcare, housing, education, government services, or legal services — you are a “deployer” under this law. That's probably why you're here.

AG Rulemaking Has Not Begun

As of March 2026, the Colorado Attorney General has not published proposed rules for SB 24-205. The pre-rulemaking input window is closed. Our templates address the statutory requirements directly — when rules are finalized, we update.

Does this apply to you?

If you answer “yes” to any of these, SB 24-205 likely covers your business. There is no revenue threshold. No employee minimum for most obligations.

Self-assessment: Does Colorado SB 24-205 apply to you?

The 50-Employee Exception

Deployers with fewer than 50 FTE who don't use their own data to train the AI system are exempt from the risk management policy, impact assessment, and public statement requirements (§ 6-1-1703(6)). But they are not exempt from consumer notification, adverse decision disclosures, or the 90-day AG reporting obligation. Partial exemption, not a free pass.

8 Documents. Every Deployer Obligation.

Each document maps to specific sections of C.R.S. § 6-1-1701 et seq. and aligns with the NIST AI Risk Management Framework.

1

Risk Management Policy

§ 6-1-1703(2)

Your risk management program — the law says it must be iterative, regularly reviewed, and consider NIST AI RMF or ISO/IEC 42001.

2

Impact Assessment

§ 6-1-1703(3)

Required at initial deployment, annually, and within 90 days of any substantial modification. Must be retained for 3+ years.

3

Consumer Notification Template

§ 6-1-1703(4)(a)

The notice you must give consumers before a high-risk AI system is used in a consequential decision. Not after. Before.

4

Consumer Disclosure Statement

§ 6-1-1704

Consumers have the right to know they're interacting with AI. This document covers that disclosure.

5

Algorithmic Discrimination Prevention Plan

§ 6-1-1703(2)(a)

Your documented approach to identifying, preventing, and mitigating discrimination across protected characteristics.

6

Human Oversight Protocol

§ 6-1-1703(4)(b)(III)

If a consumer appeals an adverse AI decision, human review is required 'if technically feasible.' This documents your process.

7

Compliance Checklist

All sections

Every deployer obligation in one place. Cross-referenced to statute sections so you can verify each requirement yourself.

8

Affirmative Defense Documentation

§ 6-1-1706(3)

The affirmative defense requires two things: following NIST AI RMF and having a process to discover and cure violations. This builds both.

The Affirmative Defense — What It Actually Requires

Under § 6-1-1706(3), if the AG brings an enforcement action, you can defend yourself by demonstrating two things:

  1. You discovered and cured any violation through user feedback, adversarial testing, or internal review
  2. You were following NIST AI RMF and ISO/IEC 42001, or an equivalent framework the AG designates

The burden is on you. Following NIST alone is not enough — you also need the discovery-and-cure process. Our Affirmative Defense Documentation template builds both.

A lot of our customers have lawyers.

They don't buy these templates instead of legal counsel. They buy them so their attorney isn't starting from a blank page at $400 an hour.

Law firm

$5,000–$25,000

Weeks of back-and-forth

AI Compliance Documents

$449

Instant download, customize today

Get Your Compliance Package — $449

Three situations the base package doesn't cover.

If any of these apply, add the kit during checkout.

Appeal & Correction Kit

$99

A consumer got an adverse decision and wants to appeal or correct their data. You need an intake form, a correction process, and an outcome letter. This kit has all three.

AG Reporting Kit

$129

You discovered algorithmic discrimination. You have 90 days to notify the Attorney General (§ 6-1-1703(7)). Discovery form, notification letter, corrective action plan.

Dev-Deploy Exchange Kit

$109

Developers must provide deployers with documentation about training data, known risks, and limitations (§ 6-1-1702(2)). This standardizes that exchange with checklists and gap analysis.

Questions we hear a lot.

I have no idea if our tools use AI.
That's the most common thing we hear. If a tool screens, scores, ranks, recommends, or personalizes — there's likely AI involved. Hiring platforms (ATS tools with resume screening), CRM systems, marketing personalization, and customer service chatbots all commonly use AI. Start with your free assessment.
We're not in Colorado. Does this still apply?
If your AI system makes consequential decisions about Colorado residents, yes. The law covers the consumer's location, not yours. A New York company using AI to screen job applicants in Colorado is a deployer under SB 24-205.
What's the difference between a developer and a deployer?
A developer builds the AI system (§ 6-1-1701(7)). A deployer uses it (§ 6-1-1701(6)). If you bought hiring software that uses AI, you're the deployer. The company that built the software is the developer. Both have obligations, but they're different obligations. This package covers deployer obligations.
Are these documents legal advice?
No. We are not a law firm. These are compliance templates built from the enacted statute text — a defensible starting point, not a substitute for legal counsel. A lot of our customers hand these to their attorney for review. That saves their attorney hours of drafting time at $400 an hour.
What happens when the AG publishes rules?
We update. As of March 2026, formal rulemaking has not begun (§ 6-1-1707 authorizes rulemaking but no proposed rules have been published). Our templates address the statutory requirements directly. When rules are finalized, we'll update the documents and notify customers.

30-Day Money-Back Guarantee

If the documents don't meet your compliance needs, email us within 30 days for a full refund.

Statute-sourced

Built from the enacted text on leg.colorado.gov

NIST-aligned

Risk management mapped to NIST AI RMF

Attorney-ready

Hand directly to legal counsel for review

Did You Know? — Quick Facts About SB 24-205

The federal Executive Order on AI (EO 14110) was rescinded January 20, 2025 — making state laws like SB 24-205 the primary AI governance framework in the U.S.

Source: NIST

NIST's AI RMF has 12 published crosswalks mapping it to standards from the EU, Japan, Korea, Singapore, and ISO — Colorado's affirmative defense shares DNA with EU-level AI regulation.

Source: NIST AI Resource Center

The AG has exclusive enforcement authority — there is no private right of action. Consumers cannot sue you directly under this law.

Source: C.R.S. § 6-1-1706(6)

Insurers and fraternal benefit societies are fully exempt if already subject to Colorado's existing algorithm and predictive model laws (§ 10-3-1104.9).

Source: C.R.S. § 6-1-1705(7)

Banks, credit unions, and affiliates are exempt if examined by a state or federal prudential regulator under published AI guidance.

Source: C.R.S. § 6-1-1705(8)

Violations are treated as deceptive trade practices under the Colorado Consumer Protection Act — existing penalty structures apply, not a bespoke fine schedule.

Source: C.R.S. § 6-1-1706(2)

Even the Colorado Attorney General's own website still lists the original February 1, 2026 effective date. SB 25B-004 delayed it to June 30, 2026, but the AG hasn't updated their page.

Source: Colorado AG / SB 25B-004

NIST AI RMF 1.0 is currently being revised — meaning the framework underpinning the affirmative defense is itself a moving target.

Source: NIST AI Resource Center

Sources

  1. Colorado SB 24-205 — Bill Page, Colorado General Assembly
  2. SB 24-205 Enrolled Bill (Signed Act) — PDF
  3. SB 25B-004 — Effective Date Delay (2025 Extraordinary Session)
  4. Colorado Attorney General — AI Rulemaking Page
  5. NIST AI RMF Crosswalks — AI Resource Center
  6. NIST — Executive Order on AI (Rescission Notice)

June 30, 2026

Don't wait for a complaint.

8 documents. Mapped to the statute. Aligned to NIST AI RMF. Instant download. 30-day guarantee. $449.

Get Your Compliance Package Now

These documents are compliance templates, not legal advice. We recommend attorney review for your specific situation.