Of all the Colorado AI Act's requirements, the impact assessment obligation is the one that surprises Colorado businesses most — both in its existence and in what it actually requires. An impact assessment is not a checkbox or a policy statement. It is a documented analysis of each AI system you deploy, the risks it creates, and how you are managing those risks.

Here is exactly what the Colorado AI Act requires in an impact assessment and what you need to do to build one.

What Triggers the Assessment Requirement

You need an impact assessment for every high-risk AI system you deploy in consequential decisions affecting Colorado residents. High-risk systems are those that make or substantially influence decisions about employment, housing, credit, education, healthcare, insurance, or legal services.

If you use Indeed to hire employees — impact assessment required for Indeed's AI system. If you use TransUnion SmartMove to screen tenants — impact assessment required for SmartMove. If you use an AI-assisted underwriting platform — impact assessment required. Each system is a separate assessment.

What an Impact Assessment Must Contain

The Colorado AI Act specifies the content of impact assessments with more detail than most businesses expect. Each assessment must include:

Purpose and intended use. A clear description of what the AI system does, what decisions it influences, and what the intended benefit is for your business.

Data inputs and sources. What data does the system use to make recommendations or decisions? Where does that data come from? How current is it? What are the known limitations of the data?

Known and reasonably foreseeable risks. What are the ways this system could produce discriminatory outcomes? This requires you to actually think through the failure modes — what populations might be disadvantaged by this system's recommendations, and why?

Risk mitigation measures. What specific steps are you taking to identify and reduce the discrimination risks you have identified? This is where your human review protocols, your vendor demand letters, and your monitoring processes get documented.

Performance metrics. How are you evaluating whether the system is working as intended and not producing discriminatory outcomes?

When Assessments Must Be Updated

Impact assessments are not a one-time exercise. The Colorado AI Act requires that they be reviewed and updated at least annually, and also whenever you make a significant change to how you use a system — switching from one hiring platform to another, changing your screening criteria, or adopting a new AI feature within an existing platform.

Annual updates are manageable if you build a compliance calendar. A recurring annual review of each AI system assessment, timed to the June 30 anniversary of the law's effective date, is a reasonable approach.

The Practical Challenge for Small Businesses

A small Colorado business using five AI-powered platforms needs five separate impact assessments, each containing all the elements above, updated annually. That is a real documentation burden — but it is also exactly the kind of documented due diligence that protects you if the AG ever investigates.

The key insight is that the assessment work and the vendor demand letter work overlap significantly. When you send a formal documentation request to Indeed asking for their AI system documentation, you are gathering the information you need to complete your impact assessment for Indeed's system. The two processes feed each other.

Build the vendor demand letter first. Use the vendor's response — or documented non-response — as the foundation for your impact assessment. Document what you know, what you asked, what they told you, and what risks remain given what you could not learn. That is a complete impact assessment under the Colorado AI Act's standard.

This article is for informational purposes and does not constitute legal advice. For legal advice specific to your situation, consult a licensed Colorado attorney.