Hael
Colorado, USA | Colorado AI Act | Feb 2026

Colorado SB 24-205 — the first US state high-risk AI law in force.

How Hael produces the algorithmic impact assessments and consumer disclosure notices the Colorado AI Act demands — generated against live operational state, sealed for the regulator.

Effective: Feb 2026
Coverage tier: High-risk
Core artefact: Algorithmic impact assessment (AIA)
Enforcement authority: Colorado Attorney General (AG)

What the Colorado AI Act requires

Colorado SB 24-205, signed in 2024 and effective February 2026, is the first US state high-risk AI law to take effect. It applies to developers and deployers of high-risk AI systems, defined as AI systems that make, or are a substantial factor in making, consequential decisions about Colorado residents in education access, employment, financial services, essential government services, healthcare, housing, insurance or legal services.

The statute imposes substantive obligations on both developers and deployers. Developers must provide documentation about the AI system to deployers — its intended purpose, known limitations, evaluations performed, data governance practices and risk mitigation measures. Deployers must complete and maintain algorithmic impact assessments before deploying high-risk AI, provide consumer-facing notices when AI is used in consequential decisions, and offer consumers the right to appeal adverse decisions to a human reviewer.

Enforcement sits exclusively with the Colorado Attorney General; there is no private right of action. A violation is treated as a deceptive trade practice under the Colorado Consumer Protection Act, which carries civil penalties of up to $20,000 per violation. The statute provides an affirmative defence for a developer or deployer that discovers and cures a violation (through internal feedback, adversarial testing or red-teaming) and that otherwise complies with a recognised AI risk management framework: NIST AI RMF and ISO/IEC 42001 both qualify, as does any other framework the AG designates. The combination of the affirmative defence and the substantive obligations makes Colorado SB 24-205 the most operationally specific US state AI law currently in force.

Colorado is the first US state where AI deployment without an impact assessment is a civil penalty offence.

The artefact, not the disclosure

The statute demands two substantive artefacts: the algorithmic impact assessment and the consumer-facing notice. The impact assessment must document the system's purpose, the categories of personal data processed, the categories of decisions the system makes, the evaluations of the system's accuracy and bias, the safeguards in place, and the post-deployment monitoring conducted. The consumer notice must disclose the use of AI in the decision, the nature of the consequential decision, and the consumer's right to appeal.

These are not boilerplate disclosures. The Colorado AG has signalled enforcement priorities around substantive compliance, not formal-but-empty notices. The impact assessment must reference the specific AI system, specific data, specific evaluations and specific safeguards. The notice must be intelligible to the consumer and provide a workable appeal pathway.

How Hael runs it

Hael generates the algorithmic impact assessment and the consumer-facing notice from operational state. The agent registry populates the system description, data categories, decision categories and safeguards. The evaluation pipeline populates the accuracy and bias evaluations. The lifecycle state machine populates the post-deployment monitoring records. The consumer notice is generated as a portable document, customisable to deployment context (web disclosure, in-app notice, written consent form).

The affirmative defence pathway is built in. Organisations running NIST AI RMF or ISO/IEC 42001 through Hael have the substantive evidence of framework compliance the affirmative defence requires — the profile, the AIMS records, the control evidence, all sealed with hash-chained provenance.

The affirmative defence works when you have substantive evidence. Hael ships substantive evidence.
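The "hash-chained provenance" referred to above is the property that matters to a regulator: once an AIA, an evaluation run or a notice has been sealed, any later edit to the artefact, or any removal of a ledger entry, is detectable. The following is an added, illustrative example of such a ledger, not Hael's own code or format; the entry layout (seq, artefact_id, artefact_hash, prev_hash), the canonical-JSON hashing and the sample artefacts are all assumptions constructed for the example. It seals three artefacts, then shows both failure modes the chain is meant to catch: an artefact quietly "corrected" after sealing, and a ledger entry deleted to hide an evaluation.

```python
"""Hash-chained evidence ledger (illustrative; not Hael's implementation).

Each entry commits to the SHA-256 of one artefact and to the hash of the
previous entry, so altering an artefact or dropping an entry breaks the chain.
"""
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # prev_hash of the first entry (assumed convention)


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Entry:
    seq: int
    artefact_id: str
    artefact_hash: str  # SHA-256 of the sealed artefact bytes
    prev_hash: str      # entry_hash of the previous entry (GENESIS for seq 0)
    entry_hash: str = ""

    def body(self) -> dict:
        return {"seq": self.seq, "artefact_id": self.artefact_id,
                "artefact_hash": self.artefact_hash, "prev_hash": self.prev_hash}


class EvidenceLedger:
    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def seal(self, artefact_id: str, artefact: bytes) -> str:
        """Append an entry for the artefact and return its entry hash (the new chain head)."""
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = Entry(len(self.entries), artefact_id, sha256_hex(artefact), prev)
        entry.entry_hash = sha256_hex(canonical(entry.body()))
        self.entries.append(entry)
        return entry.entry_hash

    def verify(self, artefacts: dict[str, bytes]) -> list[str]:
        """Re-derive every hash and link; return a list of problems (empty if intact)."""
        problems: list[str] = []
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i:
                problems.append(f"entry {i}: sequence gap (seq={e.seq})")
            if e.prev_hash != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if sha256_hex(canonical(e.body())) != e.entry_hash:
                problems.append(f"entry {i}: entry hash mismatch (ledger record altered)")
            content = artefacts.get(e.artefact_id)
            if content is None:
                problems.append(f"entry {i}: artefact {e.artefact_id} missing")
            elif sha256_hex(content) != e.artefact_hash:
                problems.append(f"entry {i}: artefact {e.artefact_id} modified after sealing")
            prev = e.entry_hash
        return problems


def demo() -> tuple[list[str], list[str], list[str]]:
    """Seal constructed sample artefacts, then show two tampering scenarios."""
    # Constructed sample artefacts for the example (not real assessment data).
    aia = {"system": "loan-triage-v3",
           "purpose": "pre-screen consumer credit applications",
           "data_categories": ["income", "credit history", "employment"],
           "decision_categories": ["financial services"],
           "bias_eval": {"metric": "adverse impact ratio", "value": 0.83, "threshold": 0.80}}
    notice = ("This decision was made with the assistance of an automated system. "
              "You have the right to appeal to a human reviewer.")
    artefacts = {"aia-2026-02": canonical(aia),
                 "eval-run-417": canonical({"accuracy": 0.91, "n": 12000}),
                 "notice-web-v1": notice.encode("utf-8")}

    ledger = EvidenceLedger()
    for art_id, content in artefacts.items():
        ledger.seal(art_id, content)
    clean = ledger.verify(artefacts)

    # Scenario 1: the bias figure is "improved" in the AIA after it was sealed.
    edited_aia = dict(aia)
    edited_aia["bias_eval"] = {**aia["bias_eval"], "value": 0.95}
    tampered = dict(artefacts, **{"aia-2026-02": canonical(edited_aia)})
    artefact_tamper = ledger.verify(tampered)

    # Scenario 2: the evaluation entry is deleted from the ledger to hide it.
    del ledger.entries[1]
    ledger_tamper = ledger.verify(artefacts)
    return clean, artefact_tamper, ledger_tamper


if __name__ == "__main__":
    for label, result in zip(("intact", "artefact edited", "entry deleted"), demo()):
        print(f"{label}: {result or 'ok'}")
```

The chain on its own only proves integrity relative to its head hash; whoever controls the ledger can recompute every entry. For evidence that a regulator will accept, the head hash has to be anchored outside the operator's control at sealing time (signed with a key the operator cannot rotate silently, timestamped, or lodged with a third party), and that anchoring step is what the page's "sealed for the regulator" has to mean in practice.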

The DEV/DEP/AD identifiers below are Hael's coverage map, not statute section numbers.

Section | Obligation | Coverage | How Hael runs it
DEV-1 | Developer documentation to deployers | Full | Auto-generated developer disclosure pack per system
DEV-2 | Disclosure of intended purpose | Full | Required field in agent registry
DEV-3 | Disclosure of known limitations | Full | Limitations register with version tracking
DEV-4 | Evaluation summary disclosure | Full | Evaluation pipeline outputs included in disclosure pack
DEV-5 | Data governance practices disclosure | Full | Data lineage and quality artefacts surfaced
DEV-6 | Risk mitigation disclosure | Full | Mitigation register included in pack
DEP-1 | Algorithmic impact assessment | Full | AIA generation workflow with sealed provenance
DEP-2 | AIA: purpose and decision categories | Full | Pulled from agent registry
DEP-3 | AIA: data categories | Full | Pulled from data lineage
DEP-4 | AIA: accuracy and bias evaluations | Full | Pulled from evaluation pipeline
DEP-5 | AIA: safeguards documentation | Full | Pulled from controls register
DEP-6 | AIA: post-deployment monitoring | Full | Pulled from continuous monitoring telemetry
DEP-7 | Consumer notice generation | Full | Portable notice document with deployment-context variants
DEP-8 | Right to appeal: human reviewer pathway | Full | Appeal workflow with human-review SLA tracking
DEP-9 | Annual AIA review and update | Full | Scheduled regeneration with delta tracking
AD-1 | Affirmative defence: NIST AI RMF compliance evidence | Full | NIST profile sealed with hash-chained provenance
AD-2 | Affirmative defence: ISO 42001 compliance evidence | Full | AIMS records sealed with hash-chained provenance
AD-3 | Affirmative defence: incident remediation records | Full | Remediation chain demonstrating substantive compliance

Questions

What counts as a 'high-risk AI system' under Colorado SB 24-205?

AI systems making consequential decisions about Colorado residents in education access, employment, financial services, essential government services, healthcare, housing, insurance or legal services. Consequential decisions are those that materially impact access to, the cost of, or the terms of these services.

What's the difference between developer and deployer obligations?

Developers build or substantially modify high-risk AI systems and must provide downstream documentation. Deployers use high-risk AI systems to make consequential decisions and must complete impact assessments, provide consumer notices and offer appeal pathways. Many organisations are both — they develop internal AI and deploy it for consequential decisions.

How does the affirmative defence work?

The affirmative defence has two limbs. The organisation must have discovered and cured the violation, through internal feedback, adversarial testing or red-teaming, and it must otherwise comply with a recognised AI risk management framework (NIST AI RMF, ISO/IEC 42001, or another framework the AG designates). Both limbs need evidence. Hael ships that evidence, sealed profile, AIMS records, control evidence and the remediation chain, which converts the defence from theoretical into operationally verifiable.

What does the consumer appeal process look like in practice?

Consumers receiving an adverse consequential decision must be able to request human review. The reviewer must be qualified to assess the AI system's output and authorised to overturn it. The appeal must be substantively considered — boilerplate denials do not satisfy the statute. The right to appeal must be communicated in the consumer notice.

What enforcement priorities has the Colorado AG signalled?

The Colorado AG has signalled focus on substantive compliance — actual impact assessments, real consumer notices, workable appeal pathways — rather than paperwork. Boilerplate disclosures and formal-but-empty AIAs are likely to draw enforcement attention. Organisations following recognised frameworks with substantive evidence are positioned for the affirmative defence.

See Hael generate your Colorado AI Act impact assessment.

A scoped four-week proof-of-value: map your high-risk AI systems, generate sealed impact assessments and consumer notices, position for the affirmative defence.
