Colorado AI Act: what hiring AI deployers must do
The Colorado AI Act (SB24-205) is the first comprehensive AI law in the US. Hiring is a 'consequential decision' under the statute, which means deployers must conduct an impact assessment, implement a risk management program, and notify candidates.
- Short name: Colorado AI Act
- Jurisdiction: Colorado, USA
- Penalty ceiling: Civil penalties enforced by the Colorado AG. [TODO: confirm latest cap]
- Last updated: May 21, 2026
Applies to
- Colorado-resident candidates
- Colorado-based hiring decisions
What it is
The Colorado AI Act (Senate Bill 24-205, codified at C.R.S. §6-1-1701 et seq.) is the first comprehensive US state law regulating AI in consequential decisions. It tracks the EU AI Act’s structure in several respects but is enforced by the Colorado Attorney General rather than by a regulatory agency.
The Act distinguishes between developers (those who develop or substantially modify a high-risk AI system) and deployers (those who use one). Hiring decisions are explicitly enumerated as consequential decisions under the statute.
Who is on the hook
You are a covered deployer if you use a high-risk AI system to make, or as a substantial factor in making, a consequential decision affecting a Colorado resident — including any hiring decision affecting a candidate located in Colorado. There is no employee headcount threshold for deployers under the Act; small employers are not exempt.
What the deployer must do
The Act requires deployers to:
- Use reasonable care to protect candidates from algorithmic discrimination. What "reasonable care" means is fleshed out by the statute and AG rulemaking.
- Implement and maintain a risk management policy and program that governs the deployer’s use of the high-risk AI system. The statute names the NIST AI Risk Management Framework as a safe harbor reference.
- Conduct an impact assessment annually, and within 90 days of an intentional and substantial modification to the system or its use.
- Notify candidates that an AI system was used as a substantial factor in the decision. Provide a plain-language description of the system’s purpose and the personal data it considered.
- Provide an appeals process for adverse decisions: an opportunity for the candidate to correct inaccurate personal data and a human review of the decision.
- Notify the Colorado AG of discovered algorithmic discrimination within 90 days.
Penalties
The Act is enforced by the Colorado Attorney General as an unfair or deceptive trade practice under Colorado’s consumer protection law. Private right of action is not provided. Civil penalty amounts are governed by the underlying consumer-protection enforcement regime. [TODO: confirm latest cap and rulemaking status before relying on this page for compliance work.]
Timeline
The Colorado AI Act took effect on 1 February 2026. Rulemaking by the Colorado AG continues; deployers should monitor the AG’s website for implementing regulations.
How this overlaps with the EU AI Act
The two regimes are independently scoped, but the underlying obligations rhyme: impact assessment, risk management program, candidate notice. A deployer that has produced an EU AI Act conformity file and FRIA has done most of the substantive Colorado work; the remaining work is mapping the deliverables to the Colorado-specific notice and appeals requirements.
The Casework engagement covers both regimes when both are in scope.