Colorado’s Original AI Act Was Replaced: What SB 24-205 Would Have Required

Historical update: Colorado’s SB 24-205, the original Colorado Artificial Intelligence Act, did not take effect as written. On May 14, 2026, Colorado signed SB 26-189, which repealed and replaced the original high-risk AI framework before the June 30, 2026 effective date arrived.

This article is now an archive of what SB 24-205 would have required: the duty of reasonable care, annual impact assessments, consumer notices, public statements, AG disclosures, and the NIST AI RMF affirmative-defense structure. For current Colorado planning, use the newer Colorado SB 26-189 ADMT rewrite and the U.S. State AI Laws guide.

What SB 24-205 Would Have Required

SB 24-205 would have regulated high-risk artificial intelligence systems used in consequential decisions about Colorado consumers. That framing is narrower than "any AI used in Colorado" and broader than "AI in hiring." It cuts across eight regulated domains and splits obligations between the companies that build AI ("developers") and the companies that use AI to make decisions ("deployers").

It was not a frontier-model law. It was not a transparency-only law. It did not prohibit specific use cases. It would have imposed governance, documentation, and consumer-notice obligations on any organization using AI in ways that affect access to the things that matter most — housing, credit, employment, insurance, healthcare, education, essential government services, and legal services.

SB 24-205 was modeled in part on the EU AI Act, but it was written to function in the U.S. legal system. Instead of conformity assessments and notified bodies, it uses a duty of reasonable care standard enforceable by the Colorado Attorney General.

Who Counts as a "Deployer"

Under the original law, a deployer was any entity that uses a high-risk AI system to make, or as a substantial factor in making, a consequential decision about a Colorado consumer.

Three things are worth flagging about that definition.

• ●The key question is not where the system was built. It is where the decision is made and who is affected. An out-of-state company using a high-risk AI system on Colorado consumers is covered.
• ●"Substantial factor" does real work. You don’t have to be fully automating a decision. If the AI system is a meaningful input to the decision — even with a human in the loop — you are likely a deployer.
• ●The consumer has to be a Colorado resident. Colorado cannot regulate consumers in other states. But if you serve Colorado consumers at all, SB 24-205 reaches the decisions you make about them.

What Counts as a "High-Risk AI System"

An AI system would have been high-risk under SB 24-205 when it is deployed to make, or is a substantial factor in making, a consequential decision in one of eight domains.

• ●Education enrollment or education opportunities — admissions, scholarships, placement decisions.
• ●Employment or employment opportunities — hiring, promotion, termination, task assignment.
• ●Financial and lending services — credit decisions, loan terms, account closures.
• ●Essential government services — benefits eligibility, public-benefit determinations.
• ●Healthcare services — coverage decisions, care recommendations, provider matching.
• ●Housing — rental applications, tenant screening, housing availability and terms.
• ●Insurance — underwriting, claims decisions, rate-setting.
• ●Legal services — AI systems that deliver legal information or decisions affecting legal outcomes.

The Central Obligation: Duty of Reasonable Care

At the heart of SB 24-205 was a duty of reasonable care: a deployer of a high-risk AI system would have had to use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination.

The statute is clear about what "reasonable care" looks like. A deployer demonstrates it by doing the following.

• ●Implementing a risk management policy and program governing the deployment of the high-risk AI system.
• ●Completing an annual impact assessment.
• ●Providing consumer disclosures when a high-risk system is used in a consequential decision.
• ●Offering consumers an opportunity to appeal an adverse decision, with human review if technically feasible.
• ●Publishing a public statement summarizing the types of high-risk systems deployed and how risks of discrimination are managed.
• ●Disclosing discovered instances of algorithmic discrimination to the Colorado Attorney General within 90 days.

Risk Management Policy and Program

Every deployer would have needed to implement a risk management policy and program. SB 24-205 would not have dictated the exact shape of that program, but it explicitly referenced the NIST AI Risk Management Framework as a benchmark — and a safe harbor.

Organizations that built their AI governance program around NIST AI RMF would have gotten affirmative-defense protection against SB 24-205 enforcement actions, provided they were substantially complying. This is one of the most consequential design choices in the law: it effectively makes NIST AI RMF the default U.S. baseline for AI governance programs, because Colorado rewards adopters.

At a minimum, a SB 24-205 risk management program would have covered who is responsible for AI governance, what AI systems fall within scope, how risks are identified and measured, what mitigations are in place, how the program is reviewed and updated, and how issues are documented and escalated.

Annual Impact Assessments

Deployers would have needed to complete an impact assessment before deploying a high-risk AI system and would have needed to update it annually. Impact assessments would have needed to be retained for at least three years after the final deployment of the system.

At minimum an impact assessment would have needed to cover the following elements. This is a distilled list based on the statute and common-sense practice.

• ●The purpose of the high-risk AI system and the nature of the consequential decision it supports.
• ●The categories of data used as inputs and outputs.
• ●Known or reasonably foreseeable risks of algorithmic discrimination, and the measures in place to mitigate those risks.
• ●An evaluation of the system’s performance, including accuracy relevant to the decision being made.
• ●Post-deployment monitoring procedures.
• ●Documentation supplied by the developer, and the deployer’s independent review of that documentation.

Consumer Disclosures

Before (or at the time of) deploying a high-risk AI system to make or substantially assist in a consequential decision about a consumer, the deployer would have needed to notify the consumer. That notice would have needed to include specific elements.

• ●That the deployer has deployed a high-risk AI system to make, or be a substantial factor in making, a consequential decision.
• ●A statement disclosing the purpose of the AI system and the nature of the consequential decision.
• ●Contact information for the deployer so the consumer can follow up.
• ●A plain-language description of the AI system — readable by a consumer, not just a technical audience.

Appeal Rights and Human Review

When a high-risk AI system contributes to an adverse consequential decision (denial, unfavorable terms, revocation), the deployer would have needed to provide the consumer with an opportunity to appeal. The appeal would have needed to include human review where technically feasible.

This is one of the most operationally demanding parts of SB 24-205. To implement appeal rights at scale, an organization typically needs a documented process for receiving appeals, a trained human reviewer who can override or adjust the AI-assisted decision, audit-trail records tying each decision (and each appeal outcome) back to the underlying AI system, and the ability to issue corrected outcomes and notices.

Public Statement

Every deployer would have needed to publish a public statement (usually on its website) summarizing three things.

• ●The types of high-risk AI systems the deployer currently deploys.
• ●How the deployer manages known or reasonably foreseeable risks of algorithmic discrimination for each of those systems.
• ●The nature, source, and extent of the information the deployer collects and uses.

Disclosure to the Colorado Attorney General

If a deployer discovers that a high-risk AI system has caused algorithmic discrimination, the deployer would have needed to disclose that fact to the Colorado Attorney General within 90 days of discovery. That would have been a hard deadline, not a best-effort window.

Two practical implications. First, deployers would have needed an internal process for identifying and escalating algorithmic-discrimination findings — because the 90 days would have run from discovery, not from resolution. Second, the disclosure requirement creates a structural preference for finding and fixing problems internally, because the alternative is a self-reported disclosure to the AG that is likely to become an enforcement-action lead.

What Developers Owe Deployers

SB 24-205 also would have imposed obligations on the developers that build high-risk AI systems or substantially modify them. These obligations are structured as disclosure duties to deployers, so deployers have the information they need to do their own risk management.

• ●Documentation describing the intended uses, limitations, and known or reasonably foreseeable risks of the system.
• ●Information about the types of data used to train the system and the steps taken to mitigate algorithmic discrimination.
• ●The methodology used to evaluate the system for performance and discrimination risk.
• ●Known risks that cannot be, or have not been, mitigated.
• ●Updates and corrections when the developer identifies new risks after deployment.

Enforcement and the Affirmative Defense

SB 24-205 would have been enforced exclusively by the Colorado Attorney General. Violations would have been treated as unfair trade practices under Colorado’s Consumer Protection Act. There is no private right of action.

Both developers and deployers would have had an affirmative defense if they discover a violation through their own testing, feedback, or internal review processes and cure the violation. Substantial compliance with a recognized AI risk management framework — NIST AI RMF is explicitly named — supports the affirmative defense.

This is important design: the law was not trying to catch companies that are actively trying to comply. It was trying to catch companies that are not. Documentation of good-faith compliance effort would have been the first and best defense.

Federal Preemption in the Background

SB 24-205 sat in the same federal-state crosscurrent as Colorado’s sister state laws (California TFAIA, Texas TRAIGA). The December 11, 2025 executive order "Ensuring a National Policy Framework for AI" explicitly targeted state AI laws for preemption, and the DOJ AI Litigation Task Force (established January 9, 2026) was tasked with challenging them.

The federal pressure became concrete in April 2026 when the Justice Department intervened in xAI's lawsuit challenging SB 24-205. Colorado then replaced the original law with SB 26-189 before the June 30 effective date. That replacement did not eliminate state AI regulation, but it did move Colorado away from the broad duty-of-care and impact-assessment framework this article originally covered.

For deeper coverage, see The Federal Push to Preempt State AI Laws and Colorado Rewrote Its AI Act.

What Work Still Carries Forward

The original SB 24-205 checklist is no longer the current Colorado compliance plan. But much of the work still carries forward into SB 26-189 and other state AI rules because it produces the evidence organizations need to explain automated decisions.

• ●Keep the AI inventory. You still need to know which tools influence employment, lending, housing, insurance, healthcare, education, or public-benefit decisions.
• ●Keep vendor diligence. SB 26-189 still depends on developer documentation about intended uses, training-data categories, known limitations, appropriate use, human review, and material updates.
• ●Reframe impact assessments as decision records. The old annual impact-assessment duty is gone, but documenting scope, data, model limitations, bias testing, human review, and outcomes remains useful evidence.
• ●Keep consumer-facing notice work. The new law still expects clear notices and plain-language descriptions after adverse outcomes involving covered ADMT.
• ●Keep human-review workflows. A real reviewer with authority to reconsider an AI-influenced adverse outcome is still central to Colorado compliance.
• ●Retain records. SB 26-189 expects records that show how covered ADMT was used and how notices, data correction, and human review worked.

What Replaced It

SB 26-189 replaced the old high-risk AI system model with a covered-ADMT model. The new law starts January 1, 2027 and focuses on automated decision-making technology that processes personal data and materially influences consequential decisions.

• ●Scope changed. The trigger is now covered ADMT that materially influences covered consequential decisions, not the broader high-risk AI system framing.
• ●Obligations changed. The new law emphasizes developer documentation, consumer notice, adverse-outcome explanations, data access and correction, meaningful human review, reconsideration, and record retention.
• ●Enforcement remains public. The Colorado Attorney General enforces through the Colorado Consumer Protection Act; the law does not create a new private right of action.

Related Regulations

Sources & References