Colorado AI Act's June 30 Deadline Forces Companies to Confront Compliance Reality

By Hector Herrera | May 4, 2026 | Government

Colorado's landmark AI accountability law takes effect June 30, 2026 — and most companies that fall under it are not ready. Any business that develops or deploys AI that makes, or substantially influences, consequential decisions affecting Colorado residents must have risk management policies, bias impact assessments, and consumer disclosure procedures in place. That deadline is now less than 60 days away.

Background

Colorado's AI Act, passed in 2023, was the first U.S. state law to establish comprehensive obligations for developers and deployers of high-risk AI systems. It drew heavily from the European Union's AI Act framework, requiring organizations to conduct algorithmic impact assessments — systematic reviews of whether an AI system could produce biased or discriminatory outcomes — and to notify consumers when AI is making consequential decisions about them, such as credit approvals, job applications, housing decisions, and insurance eligibility.

The law was designed to have extraterritorial reach: it doesn't matter where a company is headquartered. If the AI system touches Colorado residents, the law applies.

What the Law Requires

Legal analysts at Gunderson Dettmer have published detailed compliance guidance outlining the core obligations:

For AI developers:

• Maintain documentation of training data sources, intended uses, and known limitations
• Conduct and document impact assessments before deployment in high-risk categories
• Make summary disclosures available to AI deployers who license the system

For AI deployers (companies using AI they didn't build):

• Implement a written risk management policy governing AI use
• Conduct algorithmic bias impact assessments for high-risk applications
• Provide consumers with notice that AI is being used in a decision affecting them
• Offer a process for consumers to request human review of adverse AI decisions
• Notify the Colorado Attorney General of material AI-related discrimination incidents

High-risk AI categories under the law include:

• Employment decisions (hiring, firing, promotion, performance evaluation)
• Credit and insurance underwriting
• Housing eligibility determinations
• Access to education and educational institutions
• Access to healthcare

The law defines "consequential decisions" broadly enough that many AI systems currently in production deployment at mid-market companies likely qualify.

Why Most Companies Are Behind

Three factors explain the compliance gap:

1. "Colorado" doesn't register as a national compliance issue. Many companies — particularly those headquartered outside Colorado — have treated this as a regional concern rather than a national one. The law's extraterritorial reach means that misread is costly.

2. Algorithmic impact assessments are genuinely hard. Unlike a privacy policy or a cookie disclosure, an algorithmic bias assessment requires actual technical work: auditing the training data for historical bias, testing model outputs across demographic groups, and documenting both the methodology and the findings. Most legal and compliance teams don't have the in-house technical capacity to do this, and the market for qualified AI auditors is thin.

3. No federal preemption exists. There is currently no federal AI law that would supersede Colorado's requirements. Several federal preemption proposals have stalled in Congress, meaning Colorado's law operates in full force. Companies that were waiting for federal clarity before moving on state compliance are now caught short.

Who This Affects Most

The law's practical reach is broadest for:

• Fintech and lending companies that use AI in credit underwriting or loan eligibility
• HR software vendors and their enterprise customers using AI in recruiting, performance management, or workforce reduction decisions
• Health insurers and healthcare companies using AI in prior authorization, coverage decisions, or patient triage
• Property managers and mortgage lenders using AI in tenant screening or appraisal tools

A company using an off-the-shelf AI recruiting tool built by a third-party vendor is still a "deployer" under Colorado's law and carries its own obligations — it cannot simply point to the vendor's compliance documentation and call it done.

The Enforcement Picture

Colorado's Attorney General has enforcement authority under the Act and has not announced a grace period or soft-launch enforcement posture. While it is unlikely that enforcement will begin with aggressive action against companies that made good-faith compliance efforts, organizations with no compliance documentation, no impact assessment, and no consumer disclosure mechanism are in a materially different position than those that built imperfect programs in good faith.

The floor for "good faith" compliance by June 30 includes:

• A written AI risk management policy, even if incomplete
• A documented attempt at impact assessment for high-risk AI uses
• Consumer-facing notice language for AI-influenced consequential decisions
• A human review request process, even if manual

What to Watch

Colorado is not alone. Legal analysts tracking the national landscape count at least 25 enacted state AI laws as of spring 2026, with provisions ranging from narrow transparency requirements to comprehensive risk management mandates. Companies building Colorado compliance programs are well-positioned to adapt them for the next wave of state laws rather than starting from scratch each time. Watch for the Colorado AG's enforcement guidance, which will signal how aggressively the state intends to move against non-compliant companies in the law's first months.

Source: 2026 AI Laws Update: Key Regulations and Practical Guidance, Gunderson Dettmer