Compliance | May 28, 2026 | 7 min read

The Colorado AI Act takes effect June 1, 2026. Here is what your engineering team needs to do.

What is the Colorado AI Act?

Colorado SB 24-205, known as the Colorado Artificial Intelligence Act, is the first comprehensive state-level AI law in the United States. It takes effect June 1, 2026. If your company develops or deploys AI systems that make or assist in consequential decisions affecting Colorado residents, this law applies to you.

The Act creates a framework of obligations for two types of entities: developers (organizations that create high-risk AI systems) and deployers (organizations that use those systems to make consequential decisions). Many companies will be both.

Who does it apply to?

The Act applies to any developer or deployer of a high-risk AI system that affects a Colorado resident. High-risk AI systems are those that make or substantially assist in consequential decisions about individuals in the following domains:

  • Education enrollment or education opportunities
  • Employment or employment opportunities
  • Essential government services
  • Financial or lending services
  • Healthcare services
  • Housing or lodging
  • Legal services
  • Places of public accommodation

If your AI system makes or assists in decisions in any of these categories and the decision affects someone in Colorado, you are in scope. This is not limited to Colorado companies — it applies to any company whose AI system touches Colorado residents.

What counts as a consequential decision?

A consequential decision is any decision that has a material, legal, or similarly significant effect on an individual. This includes decisions to approve or deny financial products, hiring decisions, medical treatment recommendations, and access to housing. The key question is whether the AI system has a meaningful impact on the decision, not whether a human is also involved.

What does the Act require?

The Act creates four main obligations for deployers of high-risk AI systems:

1. Impact assessments

Before deploying a high-risk AI system, and annually thereafter, deployers must conduct an impact assessment that covers:

  • The intended purpose and use cases of the system
  • Known or reasonably foreseeable risks of algorithmic discrimination
  • Measures taken to mitigate those risks
  • The data used to train and evaluate the system
  • Performance metrics and how the system is evaluated

Ryva generates a structured impact assessment template from your agent configuration. Run ryva governance report --regulation colorado to get a draft that covers all required fields.

2. Consumer notice

Deployers must provide clear notice to individuals when an AI system is used to make a consequential decision about them. The notice must include a plain-language description of the system and the right to request a human review of the decision.

Ryva generates model cards that include the information required for consumer notices. The ryva modelcard generate command produces a structured JSON document that can be used to populate consumer-facing disclosures.

3. Audit trails

The Act requires deployers to maintain records demonstrating compliance. These records must be retained for three years and made available to the Colorado Attorney General upon request.

Ryva records every agent run with an HMAC-signed lineage record. These records include the input, prompt version, model used, output, and any data sources referenced. They are tamper-evident and exportable as a complete audit package.
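How an HMAC-signed, tamper-evident run record can work, as an added example (not Ryva's code or record format). The field names follow the list above; the sample runs, the function names, and the chaining of each record to the previous record's MAC (so that deletions are also detected) are assumptions made for this sketch.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed anchor value for the first record in a chain


def _canonical(body: dict) -> bytes:
    # Stable serialization so the same record always produces the same MAC.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(key: bytes, fields: dict, prev_mac: str = GENESIS) -> dict:
    """Return a record whose MAC covers its fields and the previous record's MAC."""
    body = {"fields": fields, "prev_mac": prev_mac}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}


def verify_chain(key: bytes, records: list) -> int:
    """Return the index of the first record that fails verification, or -1."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {"fields": rec.get("fields"), "prev_mac": rec.get("prev_mac")}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time MAC comparison, plus the link to the prior record.
        mac_ok = hmac.compare_digest(expected, str(rec.get("mac", "")))
        if not mac_ok or rec.get("prev_mac") != prev:
            return i
        prev = rec["mac"]
    return -1


def build_sample_log(key: bytes) -> list:
    # Constructed sample runs, not real data.
    outputs = ["refer to human review", "approve", "request more documents"]
    log, prev = [], GENESIS
    for n, output in enumerate(outputs, start=1):
        fields = {"input": f"application {n} (constructed)", "prompt_version": "v3",
                  "model": "example-model", "output": output, "data_sources": ["crm"]}
        rec = sign_record(key, fields, prev)
        log.append(rec)
        prev = rec["mac"]
    return log
```

HMAC is symmetric, so anyone holding the key can re-sign altered records; the evidence is only as strong as the separation between the signing key and the people or services able to edit the log.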

4. Non-discrimination testing

Deployers must take reasonable care to ensure their AI systems do not result in algorithmic discrimination based on protected characteristics. This requires testing your system for disparate outcomes across demographic groups.

Ryva's adversarial testing suite includes bias and fairness probes that test for differential behavior based on demographic inputs. Results are included in the compliance report.

Compliance checklist for engineering teams

  • Map all AI systems that make consequential decisions affecting Colorado residents
  • Classify each system as high-risk or not using the domain list above
  • Conduct a pre-deployment impact assessment for each high-risk system
  • Generate model cards for each system covering purpose, data, and limitations
  • Implement consumer notice for all consequential AI decisions
  • Set up automated lineage recording for all production runs
  • Run adversarial and bias testing before deployment and on a quarterly basis
  • Schedule annual impact assessment reviews
  • Configure audit trail retention for three years minimum

How Ryva helps

Ryva automates the evidence generation side of Colorado AI Act compliance. The CLI records every agent run with a tamper-evident lineage record, generates impact assessment templates, and produces model cards that meet the Act's transparency requirements.

Run ryva governance report --regulation colorado to get a scored compliance report. Run ryva audit export to package everything your legal team needs in a single zip file.

The Colorado AI Act is the first of what will be many state-level AI laws. Building the compliance infrastructure now means you are ready for what comes next.
