Colorado AI Act Compliance Checklist for Colorado Small Businesses

Last updated April 2026 · SB 24-205 · Effective June 30, 2026 · Print and work through step by step

This checklist covers the minimum steps a Colorado small business must take to build a defensible compliance record under the Colorado AI Act. Work through it in order. Each phase builds on the previous one. When you have completed all phases and documented everything, you have satisfied the core requirements of SB 24-205 for deployers of high-risk AI systems.


Phase 1 — Identify Your High-Risk AI Systems

☐ List every software platform your business uses that touches consequential decisions. Start with hiring, scheduling, background screening, tenant screening, CRM, lending, and customer service platforms. Write every one down.

☐ For each platform, determine whether AI makes or substantially influences consequential decisions. A consequential decision affects a Colorado resident's employment, housing, credit, education, healthcare, insurance, or legal services. If the platform uses AI to rank candidates, score tenants, assess credit, recommend clinical actions, or optimize staffing, it is a high-risk AI system.

☐ Flag each platform that qualifies as a high-risk AI system. These are your covered systems under SB 24-205. Every covered system requires its own risk management documentation and impact assessment.

☐ Record your flagged systems in a compliance log. Create a dated document listing each covered system, what AI features it uses, and what consequential decisions those features influence. This is your high-risk AI system inventory.


Phase 2 — Write Your Risk Management Policy

☐ Draft a written AI risk management policy. The policy should identify each high-risk AI system you deploy, the risks each system creates, and how you manage those risks. It must specifically address algorithmic discrimination risks — the possibility that AI outputs could disadvantage Colorado residents based on protected characteristics such as race, sex, age, disability, national origin, or religion.

☐ Name responsible personnel in the policy. Identify who in your organization is responsible for AI compliance oversight — who reviews AI outputs, who handles vendor communications, who manages appeal requests.

☐ Date and file the policy. The written policy must be dated and stored in your compliance file. Update it whenever you adopt new AI systems or make significant changes to existing ones.


Phase 3 — Send Vendor Documentation Requests

☐ Draft a formal Colorado AI Act documentation request letter for each covered vendor. The letter must cite the Colorado Artificial Intelligence Act — SB 24-205 — by name. Address it to the vendor's legal or compliance department. Request their AI system documentation, bias audit results, discrimination risk assessments, and Colorado compliance posture. Set a 30-day response deadline.

☐ Send the letter to each covered vendor by email and certified mail. Keep dated copies of everything. Save email send confirmations and certified mail tracking numbers.

☐ Log each send date in your compliance file.

☐ Document all vendor responses. Complete responses are logged with what was provided. Evasive responses are logged as evasive with what was and was not provided. Non-responses are logged the day after the deadline with the date and a note that no response was received.

☐ Send follow-up requests to non-responsive vendors within two weeks of a missed deadline.


Phase 4 — Complete Impact Assessments

☐ Complete a separate impact assessment for each high-risk AI system. Each assessment must document:

The system's purpose and intended use in your business.

The categories of data the system processes.

Known and reasonably foreseeable risks of algorithmic discrimination.

The steps you are taking to identify and mitigate those risks.

How you are monitoring the system's performance for discriminatory outcomes.

Your human oversight protocols for this specific system.

☐ Use vendor documentation responses to inform your assessments. What the vendor told you about their AI system — or what they refused to tell you — belongs in the impact assessment as evidence of what you could and could not learn.

☐ Date each completed impact assessment.

☐ Schedule annual impact assessment reviews. Set a calendar reminder to review and update each impact assessment annually, on or before June 30 of each year following the law's effective date.


Phase 5 — Build Your Consumer Disclosure Process

☐ Identify every category of Colorado resident affected by your high-risk AI systems. Job applicants, tenants, customers, employees, loan applicants — anyone who receives a decision substantially influenced by AI in your business.

☐ Draft disclosure notices for each category. The notice must state that AI was used in the decision, describe the nature of the consequential decision, and inform the recipient of their right to appeal. Keep it simple — a clear paragraph is sufficient.

☐ Implement the disclosures. Add disclosure language to job postings, rental applications, loan application materials, and any other context where AI influences consequential decisions. Document when disclosures were added.

☐ Inform Colorado residents of their opt-out right. Under the Colorado Privacy Act, Colorado residents have the right to opt out of having their personal data processed by AI systems. Add information about this right to your privacy notices and data collection disclosures.


Phase 6 — Build Your Appeal Process

☐ Write a formal appeal process policy. The policy must describe how Colorado residents can appeal adverse AI-assisted decisions, who handles appeals, and the response timeline. It must be written and accessible.

☐ Name a contact person for appeals. Identify a specific person or role in your organization responsible for receiving and handling appeal requests.

☐ Define a response timeline. State how long you will take to respond to an appeal. 10 to 15 business days is reasonable for most small businesses.

☐ Include the appeal process in your adverse decision notices. Every time you communicate an adverse consequential decision to a Colorado resident, include the appeal process information. For hiring, this means rejection communications. For tenant screening, this means denial notices. For lending, this means adverse action notices.

☐ Create an appeal log. Maintain a log of every appeal received — the date, the name of the person who appealed, the system involved, and the outcome. This log is part of your compliance record.


Phase 7 — Implement Human Oversight

☐ For every high-risk AI output, designate a named person responsible for review. Before acting on any AI-generated ranking, score, or recommendation in a consequential decision, a named human must review it. Write down who is responsible for each type of review.

☐ Create a human review log. Each time a human reviews a high-risk AI output, log the date, reviewer, what was reviewed, and the decision made.

☐ Brief your team. Anyone in your organization who acts on high-risk AI outputs needs to understand the review and logging requirements.


Phase 8 — Publish Your AI Governance Statement

☐ Write a brief public statement about your AI governance practices. The Colorado AI Act requires deployers to make a publicly available statement describing their use of high-risk AI systems and their governance approach. A paragraph on your website describing your AI compliance program satisfies this requirement.

☐ Post the statement publicly. Add it to your website's privacy policy page, a dedicated AI governance page, or your about page. Date it and update it when your AI deployment changes significantly.


Phase 9 — Maintain Your Compliance File

☐ Organize everything in a single compliance file. AI system inventory, risk management policy, vendor documentation requests and responses, impact assessments, disclosure records, appeal process policy, appeal log, human review log, and AI governance statement.

☐ Date every document.

☐ Store the file where you can access it quickly under pressure.

☐ Schedule quarterly compliance reviews and annual impact assessment updates.


Quick Reference — Key Colorado AI Act Numbers

Effective date: June 30, 2026.

Days remaining: Approximately 69 as of April 22, 2026.

Cure period: 60 days after AG notice.

Enforcement authority: Colorado Attorney General only.

Private right of action: None.

Safe harbor: NIST AI RMF substantial compliance plus full requirements of the law.

Small business exemption: Deployers with fewer than 50 employees who do not train AI on their own data.


This checklist is for informational purposes and does not constitute legal advice. For legal advice specific to your situation, consult a licensed Colorado attorney.