Building Your Colorado AI Act Compliance Project: A User’s Guide to Key Assessments, Staffing, Tasks, and Timing

Among the dozens of state statutes now addressing artificial intelligence in the commercial context, Colorado stands out especially. The statute includes express policy, notice, and risk-assessment requirements. Businesses will need to invest resources for compliance and make decisions regarding the adoption of formal control frameworks. The law applies to both developers and deployers of artificial intelligence systems. We believe that the law ultimately poses both public and private enforcement risks, starting early next year.

The MMM team has detailed experience advising under the Colorado AI Act. So, below, we offer a list of certain key tasks and decisions required to support your own Colorado AI Act compliance project.

Threshold Legal Assessments

Your company will need to address certain threshold questions to categorize your business and AI model under the Colorado statute. These assessments will drive further tasks required.

1. Does the company act as a “developer” or a “deployer”? The legal/interpretive question may be especially difficult for software or SaaS providers who permit their products to be customized to a high degree.
2. Is the system a “high risk” AI system? This classification will drive substantial requirements. In some cases, the question may be a close one, and companies may want to take a conservative approach given the enforcement risk. Such an approach could involve, e.g., building compliance in response to “high risk” requirements while maintaining the flexible legal position that the company’s AI does not operate as such a system. Note, however, that even if your company is not operating a “high risk” AI system, there may be some Colorado requirements that apply in any case (such as the notice requirement).
3. Do any exceptions apply? The law provides some exceptions for, e.g., small businesses and/or certain government activity. The “high risk” classification may also be subject to specific, narrow exception. For instance, some requirements for “high risk” may not apply if the system in question is limited to performing only “a narrow procedural task.” However, this statutory phrasing leaves room for interpretation and could raise questions about how broadly (or narrowly) regulators will apply it.

Resources / Stakeholder Identification

Your company will need to identify external advisors and internal stakeholders to contribute to key tasks. These roles can include:

1. Legal advisors. Legal counsel can help advise categorizations under the law, provide strategic oversight, and help prepare or contribute to draft notices, policies, and public-facing documentation under the law.
2. Anti-Discrimination Consultants. Like other AI laws, an assessment of algorithmic discrimination risk may be required. Here, some consultants have started to develop products or services to help perform such assessments. Some companies may also have internal resources that can perform such anti-discrimination assessments.
3.  Risk Management / Compliance. The Colorado AI Act encourages participation in the NIST Artificial Intelligence Risk Management Framework and ISO/IEC 42001. Companies participating in these control frameworks will need to identify internal managers to oversee the same.
4. Governance, oversight, on-going policy and program managers/consultants. Companies should plan to assign internal ownership for program governance. Colorado AI Act compliance activity should not be viewed as a once-and-done activity. Certain statutory requirements imply the need for on-going, active, continuing management. E.g., consider the need for an annual review for algorithmic discrimination, the need to manage voluntary self-reporting to the Colorado Attorney General, and the requirement to update website statements within 90 days of substantial AI modification. External consultants may help manage governance, but governance responsibility ultimately lies with the company itself and cannot be outsourced.
5. Technical Support. Colorado AI compliance may require the company to answer specific questions about the type of data used by the AI, the type of use, the type of outputs generated, and quality control of data sources. For developers, these and other questions will require technical support from coders, data scientists, and company brand and product managers. For deployers, vendor/developer support will likely prove crucial.

Project Tasks

Based on the assessments and roles noted above, you may have anticipated some required tasks under Colorado law. You may not yet have guessed at others. Key tasks can include:

1. Preparation of the “Colorado Bundle of Documentation” (for developers) or preparation of an “Impact Assessment” (for deployers). See the reference below to understand certain required informational elements.
2. Develop an acceptable use policy prohibiting harmful or discriminatory uses of the AI system.
3. Develop specific internal governance mechanisms for (1) discovering legal violations, (2) voluntary self-reporting identified risks to the Colorado Attorney General, and (3) identifying system changes requiring updated anti-discrimination notice within 90 days.
4. Document governance mechanisms and procedures.
5. Prepare a website statement. Developers may need to summarize general risks of algorithmic discrimination. Deployers may need to prepare additional notices or additional content for online notices describing purposes, use, offering consumer opt-out rights (among other required content).
6. Prepare customer and end-use disclosures regarding interaction with the AI system.
7. Build/assess/confirm compliance with NIST Artificial Intelligence Risk Management Framework and ISO/IEC 42001.
8. Prepare and document an anti-discrimination assessment for high-risk AI systems.
9. Conduct final business and legal reviews of public-facing documentation for factual accuracy and strategic / legal defensiveness.

Many of these items can involve sub-tasks across coordinated resources and stakeholders.

The Colorado “Bundle of Documentation”

For reference, the below list includes key items that may need to be formally documented with respect to the AI system by developers and deployers. In many cases, this documentation must be publicly or quasi-publicly accessible (e.g., developers may need to make this available to their Colorado customers; deployers may need to share certain information with consumers). Given publicity requirements, a layer of legal review is highly recommended for final assessments and documentation. Legal review can help address the strategic defensibility of public representations given that such representations can form the basis for public or private enforcement, or other adverse action against the company.

1. A general statement of the "reasonably foreseeable and known harmful or inappropriate uses" of the AI system.
2. The type of data used for training.
3. Known limitations, including risks of algorithmic discrimination from intended uses;
4. Purpose, benefits, and uses;
5. Any other information necessary for users to meet obligations under the Act;
6. Methods of evaluation for performance and mitigation of algorithmic discrimination;
7. Data governance measures used to cover training data sets;
8. Data governance measures used to "examine the suitability of data sources, possible biases and appropriate mitigations";
9. Intended outputs;
10. Measures to mitigate risks of algorithmic discrimination;
11. How the system should be "used, not be used, and be monitored by an individual" when being used for decision-making;
12. Any other documentation needed to "understand the outputs and monitor the performance."

Timing

The Colorado AI Act requires independent action from companies within its scope, whether developers or deployers. As indicated above, action required for compliance may not be trivial. Special effort may be required for “high risk” AI systems operating in areas of education, employment, finance, essential government services, health care, housing, insurance, or law.  With a February 1, 2026, effective date for many substantial provisions, there is likely no better time to act than now.

Disclaimer: The above is for general information purposes only. The above does not constitute legal advice or establish an attorney-client relationship. Businesses should conduct their own review of legal requirements in their circumstance with their legal advisors as appropriate.