Colorado’s AI Act takes effect June 30, 2026 — unless the legislature rewrites it first. A working group reached consensus on a repeal-and-replace plan on March 17. But the original law is still on the books. This is the technical guide to what compliance actually looks like, regardless of which version you’re preparing for.
Here’s the timeline. Every attempt to amend, repeal, or gut SB 24-205 has failed. What passed was a five-month delay.
The law may be rewritten. But it hasn’t been rewritten yet. And every proposed replacement has preserved the core requirements: impact assessments, risk management programs, and consumer disclosures. If you’re building for the original law, you’re building for whatever comes next. The technical requirements are converging, not diverging.
SB 24-205 creates obligations for two roles: developers (who build or substantially modify AI systems) and deployers (who use them to make consequential decisions). Most Colorado companies are deployers.
| Requirement | Developer | Deployer | What It Means Technically |
|---|---|---|---|
| Duty of reasonable care | ✔ | ✔ | Document that you tested for algorithmic discrimination. “We didn’t know” is not a defense. |
| Impact assessment | ✔ | ✔ | Annual assessment + within 90 days of substantial modification. Must cover purpose, data, performance, discrimination risks, and mitigation steps. |
| Risk management program | — | ✔ | Documented policy with principles, processes, and personnel for identifying and mitigating discrimination risks. |
| Technical documentation | ✔ | — | Model cards, dataset cards, or impact assessments sufficient for deployers to complete their own assessments. |
| Public statement | ✔ | ✔ | Developers: published summary of high-risk systems and risk management. Deployers: website disclosure of high-risk AI use. |
| Consumer notice | — | ✔ | Before a consequential decision: disclose AI involvement, purpose, data sources, right to correct data, right to appeal. |
| Discrimination discovery | ✔ | ✔ | If you discover algorithmic discrimination, notify the AG within 90 days. |
| Annual review | — | ✔ | Yearly review of each deployed high-risk system to verify it’s not causing discrimination. |
Here’s the incentive structure: if you comply with the law’s requirements, there’s a rebuttable presumption that you used reasonable care. Translation: if the AG comes knocking and you have documented impact assessments, a risk management program, and evidence of testing — you have a legal defense. If you don’t, you don’t. The law also provides an affirmative defense if you adopt NIST AI RMF or ISO/IEC 42001 and take steps to discover and correct violations.
The law says you need an impact assessment. Here’s what that means for your engineering team, not your legal team.
The impact assessment is the centerpiece of SB 24-205 compliance. It must be completed before or at first deployment, annually thereafter, and within 90 days of any substantial modification. The law specifies what it must contain. Here’s each requirement translated into technical deliverables:
The law requires testing for algorithmic discrimination. Most organizations are doing standard safety benchmarks. These are not the same thing.
Standard safety benchmarks test whether a model produces harmful text. They don’t test whether a model treats protected groups differently. They don’t test what happens when the model is connected to real tools. They don’t test whether your defense stack actually works. And they don’t produce the documentation the law requires.
Our assessment of GPT-4.1 illustrates the gap: the model passes 84% of standard safety benchmarks, but when connected to enterprise tools via MCP, breach rates jump to 55–75%. A compliance program built on benchmark pass rates alone creates what we call the “safety illusion” — documentation that looks complete but doesn’t actually test the risks the law is designed to address.
A compliant impact assessment needs adversarial testing across multiple dimensions: bias testing across protected classes, security testing for prompt injection and data exfiltration, tool-use testing if the system has tool access, cross-model comparison if you’re evaluating alternatives, and defense verification if you’ve deployed mitigations. Every finding needs to be reproducible, documented, and mapped to a recognized risk framework (NIST AI RMF or ISO/IEC 42001) to support the rebuttable presumption and affirmative defense.
The law points to NIST AI RMF and ISO/IEC 42001 for the affirmative defense. Here’s how the requirements map across frameworks.
| SB 24-205 Requirement | NIST AI RMF | OWASP LLM Top 10 | MITRE ATLAS |
|---|---|---|---|
| Algorithmic discrimination testing | MAP 2.3, MEASURE 2.6 | LLM02: Output Handling | AML.T0048 |
| Impact assessment | GOVERN 1.2, MAP 1.1 | — | — |
| Risk management program | GOVERN 1.1–1.7 | — | — |
| Prompt injection defense | MANAGE 2.1 | LLM01: Prompt Injection | AML.T0051 |
| Data exfiltration prevention | MANAGE 2.2 | LLM06: Sensitive Info | AML.T0024 |
| Tool-use security | MANAGE 3.1 | LLM07: Insecure Plugin | AML.T0054 |
| Post-deployment monitoring | MEASURE 4.1–4.3 | LLM09: Overreliance | AML.T0043 |
| Consumer disclosure | GOVERN 4.1 | — | — |
The law provides an affirmative defense for organizations that adopt NIST AI RMF or ISO/IEC 42001 and take steps to discover and correct violations. Adopting the framework without testing is not sufficient. Testing without adopting the framework is not sufficient. You need both: the governance structure and the technical evidence. Your impact assessment is the bridge between the two.
June 30 is ~100 days away. Here’s the sequence.
If you employ fewer than 50 full-time employees, you may be exempt from the impact assessment, risk management program, and website disclosure requirements. But there are conditions. The exemption only applies if you (1) don’t use your own data to train or significantly customize the AI system, and (2) use the system for its intended purpose as documented by the developer. If you’re fine-tuning a model on your own data or repurposing it beyond the developer’s intended use, the full requirements apply regardless of company size. We’d rather you know that upfront than find out after paying for compliance work you didn’t need.
Even with the exemption, you still have the general duty of reasonable care, you still need to provide consumer disclosures when AI makes consequential decisions, and you still need to provide appeal rights for adverse decisions. The documentation burden is lighter, but the consumer-facing obligations remain.
This exemption covers most startups and small businesses using off-the-shelf AI tools. If you’re a 30-person company using an LLM-powered HR screening tool from a vendor, you don’t need to complete your own impact assessment, but the vendor (as developer) does, and they need to provide you with the documentation to understand the system’s risks.
CLS Security Labs provides the adversarial testing, bias evaluation, and compliance-mapped documentation that SB 24-205 impact assessments require. Every finding scored across five severity dimensions by three independent judges and mapped to NIST AI RMF, OWASP LLM Top 10, and MITRE ATLAS.
Forge Assessments start at $2,500. Full CLAP Assessments, including remediation and re-verification, start at $15,000. Both produce audit-ready documentation for Colorado AG compliance. Not sure if your AI systems qualify as high-risk under SB 24-205? Book a free 30-minute consultation — we’ll help you figure that out before you spend anything.
This blog post is for informational purposes only and does not constitute legal advice. CLS Security Labs is not a law firm. The Colorado AI Act is subject to ongoing legislative revision. The repeal-and-replace bill referenced in this post may alter specific requirements. Organizations should consult qualified legal counsel for compliance guidance specific to their situation. CLS Labs provides the technical testing and documentation components of impact assessments, not legal interpretation.