verified_user
Standardful
Homechevron_rightStandardschevron_rightColorado ADMT Act
ActiveInternational Standardupdate Standard Updated: May 2026fact_check Fact checked: Jun 28, 2026

Colorado ADMT Act

Consumer Protections for Automated Decision-Making Technology — SB24-205 as amended by SB26-189

apartmentPublishing Organization:State of Colorado

Standard Introduction

Colorado ADMT Act is an active standard published by State of Colorado. It is commonly used across Technology, Finance & Banking, Healthcare, Education, Services, Government and applies in United States.

Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with Colorado ADMT Act.

balance

Consequential-decision focus

The amended law centers on automated decision-making technology used for consequential decisions affecting Colorado consumers.

rule

Developer and deployer duties

Developers and deployers have role-specific obligations for disclosures, risk management, impact assessments, notices, and consumer controls.

map

US state-law signal

Colorado is an important indicator of how US state AI regulation may develop outside a single federal AI statute.

list_alt Operational Controls

  • Inventory ADMT systems used in consequential decisions
  • Define developer vs deployer responsibilities
  • Conduct impact assessments for covered decisions
  • Maintain risk management policies and documentation
  • Provide consumer notices and appeal pathways where required
  • Monitor for algorithmic discrimination and remediation needs

Who Needs to Comply?

groups

Developers and deployers of automated decision-making technology doing business in Colorado or producing consequential decisions affecting Colorado consumers. Relevant areas include employment, lending, education, housing, insurance, healthcare, legal services, and government benefits.

Key Requirements

1

Determine ADMT scope

Identify automated decision-making technology that makes, or is a substantial factor in, consequential decisions. Document why each system is or is not in scope.

2

Use reasonable care

Implement policies, testing, monitoring, and governance designed to protect consumers from algorithmic discrimination risks.

3

Run impact assessments

For deployers, assess purpose, intended use, benefits, known risks, data inputs, outputs, safeguards, and mitigation measures for covered ADMT systems.

4

Provide notices and controls

Prepare consumer-facing notices, adverse decision information, correction or appeal workflows, and internal incident escalation procedures where applicable.

Implementation Roadmap

1
Phase 1schedule Duration: 2-4 weeks

Prepare scope, ownership and obligations

Define the high-risk AI governance and consumer protection program scope across high-risk AI systems, developers, deployers, algorithmic discrimination risks, impact assessments, consumer notices, risk management policies, documentation, and Attorney General reporting. Assign accountable owners, identify applicable legal, customer, certification, or regulatory drivers, and agree how evidence will be governed.

2
Phase 2schedule Duration: 4-8 weeks

Gap analysis and risk prioritisation

Assess current practices against Colorado AI Act expectations and risk context. Review high-risk AI inventory, developer documentation, deployer impact assessments, risk management, algorithmic discrimination controls, consumer disclosures, adverse decision notices, post-deployment monitoring, incident reporting, and governance accountability, then prioritize gaps by legal exposure, safety or consumer impact, customer impact, operational dependency, and review readiness.

3
Phase 3schedule Duration: 8-20 weeks

Implement controls, records and reporting

Deploy required controls, operating processes, documentation, supplier or partner workflows, testing, reporting, and escalation paths. Build traceable evidence around AI inventories, system documentation, impact assessments, risk-management policies, bias testing records, consumer notices, adverse-decision notices, monitoring reports, incident assessments, and governance approvals.

4
Phase 4schedule Duration: Ongoing

Review, audit and keep current

Complete readiness reviews, internal checks, and corrective actions before the internal AI governance review or Attorney General inquiry. Refresh the program after product, service, supplier, technology, legal, market, incident, or regulator changes.

Compliance Checklist

0 / 12

checklist Scope and accountability

checklist Controls and evidence

checklist Monitoring and improvement

Penalties & Enforcement

warning

The Colorado Attorney General has enforcement authority. Violations may be treated as deceptive trade practices under Colorado consumer protection law, exposing companies to investigations, injunctive relief, civil penalties, and remediation obligations.

Frequently Asked Questions

Who needs Colorado AI Act?

expand_more

Colorado AI Act is relevant for organizations whose products, services, systems, or regulated activities fall within high-risk AI systems, developers, deployers, algorithmic discrimination risks, impact assessments, consumer notices, risk management policies, documentation, and Attorney General reporting. It is commonly driven by regulation, customers, certification, market access, or assurance needs.

What is the main purpose of Colorado AI Act?

expand_more

The practical purpose is to create a repeatable program for high-risk AI inventory, developer documentation, deployer impact assessments, risk management, algorithmic discrimination controls, consumer disclosures, adverse decision notices, post-deployment monitoring, incident reporting, and governance accountability. The program should make obligations visible, define accountable owners, operate controls, and keep evidence current.

What should be done first?

expand_more

Start by confirming scope, ownership, and applicable obligations. This prevents teams from building documents or controls that do not match the actual product, service, system, or regulated activity.

How long does implementation take?

expand_more

A focused implementation can take several weeks or months. Timing depends on maturity, number of sites or systems, supplier involvement, technical complexity, testing needs, and external review depth.

What evidence is most useful?

expand_more

Useful evidence includes AI inventories, system documentation, impact assessments, risk-management policies, bias testing records, consumer notices, adverse-decision notices, monitoring reports, incident assessments, and governance approvals. Reviewers usually expect traceable evidence that connects obligations to decisions, controls, tests, reports, and corrective actions.

How should suppliers or partners be managed?

expand_more

Supplier and partner duties should be documented through contracts, onboarding requirements, data or evidence requests, performance monitoring, and escalation routes for findings, incidents, or changes.

When should the program be updated?

expand_more

Update the program after legal changes, product or service changes, supplier changes, new markets, incidents, complaints, regulator feedback, or audit findings. Stale evidence is a common compliance failure.

Can this be integrated with other programs?

expand_more

Yes. Colorado AI Act can usually share governance, document control, training, supplier management, issue tracking, risk management, internal review, and corrective-action workflows with adjacent compliance programs.

Official Documentation

View All

Implementation Timeline

gavel
May 2024
Colorado enacted SB24-205, creating consumer protections for high-risk AI systems
update
May 2026
SB26-189 amended and reenacted the law as an automated decision-making technology framework
event
Feb 2027
Core ADMT obligations scheduled to apply after the one-year postponement

Related Categories