State-level AI regulation in the United States is moving quickly. In the absence of a nation-wide regulation, Colorado has set one of the clearest expectations for how high-risk AI should be governed in practice. Colorado’s SB24-205 is often referred to as the Colorado AI Act and is one of the most comprehensive framework on high-risk AI systems. It establishes duties for both developers and deployers of high-risk AI systems and focuses on AI transparency and safety.
As many teams are shifting from ad hoc policy updates to a continuously maintained governance foundation, Colorado AI Act signals that AI governance should be well-documented.
Pacific AI has been consistently following laws and best practices and as such maintains a Governance Policy Suite that is updated as laws and standards evolve. Pacific AI just recently released the Q4 2025 AI Governance Policy Suite with Colorado AI Act included among other AI laws, standards and regulations. This allows organizations to use a unified set of policies and controls to formally comply with AI governing legislation. The Colorado AI Act applies on and after February 1, 2026.
What is the main purpose of the Colorado AI Act ?
The Colorado AI Act is framed around consumer protection in scenarios where high-risk AI systems make, or substantially influence, consequential decisions about individuals. The core risk focus is algorithmic discrimination. That’s said, it aims to protect individuals and groups against illegal differential treatment in such domains as education, employment, financial services, housing, health care, or legal services.
The law imposes various responsibilities on both developers and deployers of high-risk AI systems. Where high-risk AI systems interact with consumers, developers and deployers need to ensure they comply with relevant obligations, such as disclosure of AI use, risk analysis, documentation, governance and impact assessment.
Let’s dive further into more details and consider relevant practical governance terms.
High-risk AI under SB24-205 in practical terms
The new AI regulation sets new compliance obligations on developers and deployers.
Developers: entities that develop and substantially modify high-risk AI systems.
Deployers: entities that deploy these systems in Colorado.
Developer’s Responsibilitie
According to Colorado AI Act, developers of high-risk AI systems shall:
- Use reasonable care to protect consumers against algorithmic discrimination;
- Make available to a deployer a statement disclosing specified information about the high-risk system;
- Make available to a deployer information and documentation necessary to complete an impact assessment of the high-risk system;
- Disclose information about a training data, purpose, benefits and uses of the system;
- Make a publicly available statement summarizing the types of high-risk systems that the developer has developed or intentionally and substantially modified and currently makes available to a deployer or other developer and how the developer manages any known or reasonably foreseeable risks of algorithmic discrimination that may arise from the development or intentional and substantial modification of each of these high-risk systems; and
- Disclose to the Colorado Attorney General and known deployers of the high-risk system any known or reasonably foreseeable risks of algorithmic discrimination;
- Display on developer’s website or in a public use case inventory an updated disclosure of any high-risk AI systems they have developed and make available how they manage known or reasonably foreseeable risks of algorithmic discrimination.
Deployer’s Responsibilities:
Deployers of high-risk AI systems shall:
- Use reasonable care to protect consumers against algorithmic discrimination;
- Implement and keep updated a risk management policy and program to govern the deployer’s deployment of the high-risk AI system;
- Perform an impact assessment that is reevaluated at least annually and within 90 days after any substantial modification to the high-risk AI system;
- Notify Colorado Attorney General of any algorithmic discrimination within 90 days of discovery.
Documentation and evidence that tends to matter most
Colorado’s legislative materials repeatedly point toward documentation that connects risk identification, assessment, mitigation, and ongoing review. In operational terms, organizations are generally best served by maintaining a consistent evidence pack that can be updated as systems and contexts change. This usually includes an AI system register entry with a documented high-risk rationale, an impact assessment record, documentation of evaluation methods and results, a record of mitigations and residual risk acceptance, governance approvals and decision logs, and a monitoring plan with reassessment triggers.
Where required, it also includes documentation showing how consumer notices, correction mechanisms, and appeal workflows are implemented and governed.
How can recent White House AI Executive Order Impact on Colorado AI Act?
On December 11, 2025, the White House issued an Executive Order titled “Ensuring a National Policy Framework for Artificial Intelligence.”It sets a federal policy seeking a minimally burdensome national AI regulatory framework and directs federal agencies to address “onerous” state regulations that could prevent innovation. The Executive Order explicitly cites the Colorado AI Act as an example of a state law that the federal government considers overly burdensome or conflicting with its national policy goal.
With that’s said, the Colorado law would be either blocked by federal task force or state would be required to adjust the law to reduce conflict with federal priorities.
Pacific AI will closely watch how the federal pressure would impact this law.
How Pacific AI can help
Pacific AI’s Governance Policy Suite is designed to help organizations keep their governance foundation current as laws and standards evolve. For this purpose the Suite contains a recommended AI Risk Management Policy that is maped with such standards as NIST AI Risk Management Framework, ISO/IEC 42001.
The Q4 2025 release includes Colorado AI Act coverage and this Act directly names NIST AI Risk Management Framework and ISO/IEC 42001 as the guiding principles developers and deployers should follow.
For SB24-205 specifically, Pacific AI supports a governance-first approach that helps teams operationalize impact assessments, maintain audit-ready documentation, and structure risk management programs that can be executed consistently across high-risk deployments.
To review what has changed and ensure governance documentation stays up to date, download the latest Pacific AI Governance Policy Suite and consult the Q4 2025 release notes, which include the Colorado update. Organizations that want support implementing these controls in practice can also book a demo to walk through adoption and operationalization using a unified, continuously updated policy foundation.
Download the Policy Suite: https://pacific.ai/ai-policies/
Q4 2025 Release Notes: https://pacific.ai/pacific-ai-governance-policy-suite-q4-2025-release-notes/
