Colorado Artificial Intelligence Act Sets the Standard for AI Governance

Since the rise of artificial intelligence (“AI”), legislatures have grappled with its rapid advancement and the potential risks it poses to consumers. In May 2024, Colorado Governor Jared Polis signed Senate Bill 24-205, the Colorado Artificial Intelligence Act (“CAIA”), making it “the first United States law to comprehensively regulate the development and use of high-risk AI systems.” (Tatiana Rice, Keir Lamont, Jordan Francis, FPF Legislation Policy Brief - The Colorado AI Act). CAIA is set to go into effect on June 30, 2026. (Hunton Andrews Kurth LLP). This post examines the impetus behind CAIA, the rebuttable presumption of reasonable care available to developers and deployers that adhere to recognized AI risk-management frameworks such as the NIST AI Risk Management Framework or ISO/IEC 42001, the act’s exemptions, and its broader implications for the tech industry and state-level legislation.

Driven by the absence of federal oversight and the rising threat of biased technology, Colorado enacted CAIA. (NAAG). The advancement of AI creates a growing risk of “algorithmic discrimination” against consumers. (Patrick Oakford, Josh Bivens, Celine McNicholas, Economic Policy Institute). Because humans design AI systems, select their training data, and deploy them, human biases can be incorporated into those systems and then reproduced by them. (Olga Akselrod, ACLU). This process leads to differential treatment of groups or individuals based on classifications protected under federal or state law. (Bryan McGowan, KPMG). CAIA directs developers and deployers of high-risk AI systems to exercise “reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination. . . .” (Robert Rodriguez, Brianna Titone, Manny Rutinel, Colorado General Assembly). The act defines a “developer” as a person who conducts business in Colorado and “develops or intentionally and substantially modifies” an AI system, while a “deployer” is one who conducts business in the state and uses a high-risk AI system. Id. An AI system is “high-risk” when it is a substantial factor in “a consequential decision,” meaning one with a “material legal or similarly significant effect” on a consumer’s access to services such as housing, insurance, legal services, employment, education, or other essential services. Id. Through CAIA, the Colorado legislature adopts a hands-on approach to ensuring access to AI’s benefits while protecting Colorado consumers from the potential risks AI systems can produce. Id.

CAIA incentivizes compliance by granting a “rebuttable presumption” of “reasonable care” to developers and deployers who adhere to established international and national frameworks. (Id.; Tatiana Rice, Keir Lamont, Jordan Francis, FPF Legislation Policy Brief - The Colorado AI Act). The Colorado Attorney General (“AG”) has exclusive authority to enforce the act and to adopt any necessary regulations. Id. When an enforcement action is brought, a developer or deployer can assert this “rebuttable presumption” of “reasonable care” by demonstrating that its AI system complies with a “recognized national or international risk management framework, or any other risk management framework” designated by the AG. Id. The NIST AI Risk Management Framework and ISO/IEC 42001 are two recognized frameworks used by AI developers and deployers to promote “responsible AI governance.” (Danny Manimbo, Sabrina Caplis, Schellman). The NIST framework is a voluntary framework published by the National Institute of Standards and Technology, an agency of the United States Department of Commerce, and is designed to help organizations manage, assess, and mitigate AI risks such as hallucinations, systemic bias, and data breaches. (NIST; ModelOp). ISO/IEC 42001 is a certifiable international standard used to develop ethical AI practices and maintain compliance through ongoing monitoring and review of AI systems. (StandardFusion). These frameworks offer “a practical roadmap” for deployers and developers seeking to demonstrate “reasonable care.” (Danny Manimbo, Sabrina Caplis, Schellman). Thus, by complying with a recognized framework, a developer or deployer establishes a rebuttable presumption of reasonable care that it can raise in an enforcement action.

CAIA also imposes specific disclosure and operational requirements for high-risk AI systems. (Tatiana Rice, Keir Lamont, Jordan Francis, FPF Legislation Policy Brief - The Colorado AI Act). Developers must provide “a general statement” disclosing the system’s “reasonably foreseeable uses and known harmful or inappropriate uses” to other developers and deployers. Id. They must also make these disclosures available to the public and must notify the AG and “all known deployers” within 90 days of discovering that their AI system “has caused or is reasonably likely to have caused algorithmic discrimination.” Id. Deployers, for their part, must maintain a “risk management policy and program” governing the use of their system, and must conduct impact assessments annually and within 90 days of any “substantial and intentional modification to a high-risk AI system.” Id.

CAIA likewise provides several exemptions that relieve developers and deployers of these obligations. Id. The act exempts small-business deployers from the outlined responsibilities if they employ fewer than 50 full-time employees, do not use their own data to train a high-risk system, limit the use of their system, and continue to provide consumers with impact assessments. (Jon Brigagliano, Jon Neidtz, Meghan Farmer, Byte-sized Justice: Colorado's New AI Bill Seeks to Address Algorithmic Discrimination). CAIA also incorporates exemptions for HIPAA-regulated covered entities that provide low-risk health care recommendations, as well as for insurers and financial institutions that follow “substantially equivalent or more stringent rules.” (Tatiana Rice, Keir Lamont, Jordan Francis, FPF Legislation Policy Brief - The Colorado AI Act). Furthermore, there is an approved-technology exemption for high-risk systems that have been “approved, certified, or cleared by a federal agency” or that meet federal standards “substantially equivalent or more stringent” than CAIA’s. Id. Lastly, CAIA provides purpose-based exemptions permitting developers and deployers to engage in activities necessary to comply with existing laws, manage legal claims, ensure physical safety, safeguard against security threats, or conduct testing, pre-deployment research, or development activities. Id. Under CAIA, generative AI systems like ChatGPT are excluded because they are developmental rather than predictive. (NAAG). These exemptions allow CAIA to extend its regulatory reach over high-risk systems while sparing those that are already rigorously overseen or engaged in limited operations. (Tatiana Rice, Keir Lamont, Jordan Francis, FPF Legislation Policy Brief - The Colorado AI Act).

As a pioneer in AI regulation within the United States, CAIA has the potential to significantly influence the broader technology industry and create state-level momentum toward comprehensive AI governance. (Stephanie-Solange Campbell, Bloomberg Law). By requiring developers and deployers to adhere to principles of transparency and fairness, and by mandating notification to individuals who are subject to AI-driven decisions that affect them, CAIA places consumers at the forefront of those decisions. Id. Because of this, CAIA can be viewed as a practical, consumer-focused roadmap that other states may use as a model for future legislation.

While CAIA currently provides a model for comprehensive, state-level AI governance, its success ultimately hinges on whether and when the federal government decides to act. When that time comes, federal intervention could raise a preemption issue for the act. For now, in the absence of federal oversight, the future of AI regulation remains in the hands of state legislatures.