Colorado AI Act Impact Assessment Guide: What Every Colorado Business Must Document Before June 30, 2026
Last updated April 2026 · SB 24-205 · Effective June 30, 2026
The impact assessment requirement is the most distinctive and demanding compliance obligation in the Colorado AI Act. It is also the requirement most Colorado businesses have the least understanding of. This guide covers exactly what an impact assessment is, what it must contain, how to complete one for each AI system you deploy, when it must be updated, and what to do when your vendor will not provide the information you need.
What Is an Impact Assessment Under the Colorado AI Act?
An impact assessment under SB 24-205 is a documented analysis of a high-risk AI system that a Colorado business deploys in consequential decisions affecting Colorado residents. It is not a form you download and fill in. It is not a checkbox on a compliance list. It is a substantive, dated, written document demonstrating that you actually examined the AI system you are using, identified the ways it could produce discriminatory outcomes, and implemented specific measures to manage those risks.
The Colorado AI Act requires impact assessments because its core standard is impact-based rather than intent-based. Unlike Texas TRAIGA, which asks whether you meant to cause harm, Colorado's law asks whether your AI system could cause algorithmic discrimination — regardless of your intent. An impact assessment is the evidence that you took that question seriously and addressed it before consequences occurred.
Colorado is the only state in the United States that explicitly requires deployers to complete impact assessments for each high-risk AI system they use. This requirement has no equivalent in TRAIGA, in any other current state AI law, or in most federal regulatory frameworks. It is specific to Colorado and it is not optional.
Which AI Systems Require an Impact Assessment?
You need an impact assessment for every high-risk AI system you deploy in consequential decisions affecting Colorado residents. A high-risk AI system is one that makes or substantially influences a consequential decision. A consequential decision is one with a material legal or similarly significant effect on a Colorado resident's access to or cost of employment, housing, credit, education, healthcare, insurance, or legal services.
If you use any of the following in ways that affect Colorado residents, you need an impact assessment for each one:
Hiring and employment platforms. Indeed, LinkedIn Recruiter, ZipRecruiter, Workday Recruiting, Greenhouse, Lever, BambooHR, HireVue, and any other AI-assisted platform used to rank, score, or recommend job candidates. Each platform is a separate impact assessment.
Background check services. Checkr, Sterling, HireRight, First Advantage, Accurate Background, GoodHire, and any other AI-assisted screening service used to evaluate job applicants or tenants. Each service is a separate impact assessment.
Tenant screening platforms. TransUnion SmartMove, RentSpree, Experian RentBureau, Rentec Direct, and similar AI-assisted services used to evaluate rental applicants. Each service is a separate impact assessment.
Scheduling and workforce management. 7shifts, HotSchedules, Deputy, When I Work, UKG, Workforce.com, and similar AI-assisted platforms that influence employee scheduling and hours. Each platform is a separate impact assessment.
Credit scoring and lending tools. FICO AI scoring models, VantageScore, Experian's AI-enhanced products, TransUnion CreditVision, Equifax's lending analytics, and any AI-assisted underwriting platform. Each product is a separate impact assessment.
Performance management platforms. Lattice, Culture Amp, 15Five, Workday Performance, and similar tools that use AI to generate employee performance insights used in promotion, demotion, or termination decisions.
Clinical decision support and healthcare AI. AI-assisted scheduling, prior authorization, clinical decision support, and diagnostic tools used in healthcare settings.
The general rule: if the platform uses AI and the AI influences a decision that could significantly help or hurt a Colorado resident in one of the listed categories, you need an impact assessment for it.
What an Impact Assessment Must Contain
The Colorado AI Act specifies the content of impact assessments with more detail than most businesses expect. Each assessment must address six core elements.
1. Purpose and Intended Use
Describe what the AI system does and what role it plays in your specific business context. This is not the vendor's generic product description — it is your description of how you use the system and what decisions it influences in your operation.
A strong purpose statement for an Indeed impact assessment might read: "Indeed's AI-powered candidate ranking and matching system is used by [Company Name] to source and evaluate applicants for open positions in Colorado. The system ranks candidates based on algorithmic assessment of their profiles against job posting requirements. The ranked list is reviewed by HR personnel before any contact decisions are made."
Include the specific consequential decision category the system touches — employment, housing, credit, etc. — and the approximate volume of Colorado residents affected annually.
2. Data Inputs and Sources
Document what data the AI system uses to generate its outputs. This requires information from the vendor — what data types their system processes, where that data comes from, how current it is, and what its known limitations are.
For hiring platforms, this typically includes resume content, work history, education credentials, location data, behavioral signals from the platform, and in some cases demographic proxies. For background check services, it includes criminal records databases, employment verification sources, credit reporting data, and professional license records. For tenant screening, it includes credit history, rental payment history, eviction records, and identity verification data.
Document what you were able to learn about data inputs from vendor documentation and what remains unknown because the vendor did not provide the information. Both belong in the assessment.
3. Known and Reasonably Foreseeable Risks of Algorithmic Discrimination
This is the most substantive and legally significant section of any Colorado AI Act impact assessment. It requires you to actually think through the ways the AI system could produce discriminatory outcomes for protected classes — not whether you intend discrimination, but whether discrimination is a foreseeable result of how the system works.
Colorado's protected classes include race, color, sex, sexual orientation, marital status, religion, national origin, ancestry, disability, age, and others under Colorado anti-discrimination law. Federal protected classes under Title VII, the ADA, the ADEA, the Fair Housing Act, and ECOA are also relevant.
For each AI system, consider the following risk categories:
Historical data bias. If the AI system was trained on historical hiring, lending, or housing data, that data reflects historical discrimination patterns. A hiring AI trained on historical hiring decisions may replicate the same demographic patterns as those decisions. Document whether this risk exists for each system and what the vendor has done to address it.
Proxy discrimination. AI systems can discriminate based on characteristics that correlate with protected class status without explicitly using protected class data. ZIP code correlates with race. Names correlate with national origin and gender. Employment gaps correlate with pregnancy and disability. Document whether the system uses inputs that could function as proxies for protected characteristics.
Disparate impact on specific populations. Even without proxy variables, an AI system optimized for certain outcomes — finding candidates most likely to be hired, identifying tenants least likely to miss rent — may produce systematically different outcomes for different demographic groups. Document what is known about the system's disparate impact testing and results.
Feedback loop amplification. AI systems trained on their own outputs can amplify initial biases over time. A system that initially ranks certain candidates lower may receive fewer positive outcomes for those candidates, which its training data then reinforces. Document whether the system has feedback loop protections.
For each risk category, note the severity of the potential harm, the likelihood based on available information, and what you could and could not learn from the vendor about how these risks are managed.
4. Risk Mitigation Measures
Document the specific steps you are taking to identify and reduce the discrimination risks you have identified. Mitigation measures for Colorado deployers typically include:
Vendor documentation requests. Sending formal SB 24-205 documentation requests to each vendor and documenting their responses. The act of formally requesting vendor documentation — and the vendor's response or non-response — is itself a mitigation measure demonstrating reasonable care.
Human review protocols. Implementing documented human review of AI outputs before consequential decisions are made. Describe specifically who reviews each type of AI output, what the review process involves, and how reviews are logged.
Outcome monitoring. Any process by which you observe and document the demographic distribution of outcomes from AI-assisted decisions. Even a basic tracking approach — noting the demographic breakdown of hired candidates versus the applicant pool — demonstrates that you are monitoring for discriminatory outcomes.
Vendor contractual provisions. Any provisions in your vendor contract that address AI bias, discrimination risk, or SB 24-205 compliance. If your contract has none, document that and note that you will seek to add them at next renewal.
Alternative system evaluation. For systems where discrimination risks are high and vendor documentation is inadequate, documenting that you evaluated alternative vendors or approaches demonstrates a higher level of reasonable care.
5. Performance Metrics and Monitoring
Describe how you are evaluating whether the AI system is performing as intended and not producing discriminatory outcomes. This does not need to be technically sophisticated. It needs to show that you have some process for observing what the system actually does rather than accepting its outputs without scrutiny.
Performance monitoring can be as simple as: reviewing the demographic distribution of applicants who advance to interviews versus those who do not, noting any patterns in tenant screening denials by demographic group, tracking whether AI-recommended scheduling consistently assigns fewer hours to specific employee groups, or documenting and reviewing any complaints from individuals who believe they were adversely affected by AI-assisted decisions.
Whatever your monitoring approach, document it specifically. "We review hiring outcomes quarterly" is a monitoring measure. "We have not implemented any monitoring" is also a documented fact — one that demonstrates lower reasonable care but is better than no documentation at all.
6. Human Oversight Protocols
Document the human-in-the-loop processes that apply to this specific AI system. Who reviews its outputs before decisions are made? What are they required to consider in that review? How is the review logged? What authority does the reviewer have to override the AI's recommendation?
Colorado's meaningful human review standard — particularly for the appeal process — requires that reviewers have genuine decision-making authority and access to sufficient information to reach a different outcome than the AI recommended. Your oversight protocol should describe how those conditions are satisfied for this specific system.
When Impact Assessments Must Be Completed and Updated
The Colorado AI Act requires that impact assessments be completed before you deploy a high-risk AI system and updated on two triggers.
Annual review. Each impact assessment must be reviewed and updated at least annually. The practical approach is to schedule all assessments for review on or before June 30 of each year — the anniversary of the law's effective date. Annual reviews should address whether the vendor has updated their AI system, whether new public information about the system's discrimination risks has emerged, whether your monitoring has revealed any concerning patterns, and whether your mitigation measures need adjustment.
Significant system changes. Whenever you make a significant change to how you use a high-risk AI system — switching from one hiring platform to another, adopting a major new AI feature within an existing platform, changing your adjudication criteria in a background check service — you must update the impact assessment for that system. Document what changed, when it changed, and how the change affected your risk assessment.
Date every assessment and every update. The date of your initial assessment and subsequent updates is part of the compliance record the AG may request during an investigation.
What to Do When Vendors Will Not Provide Information
This is the most common practical challenge Colorado businesses face when completing impact assessments. Many major AI vendors — Indeed, LinkedIn, Checkr, Workday, TransUnion — have not published SB 24-205-specific documentation. Some will not respond to formal documentation requests. Others will respond with general statements about their commitment to responsible AI without providing the specific information an impact assessment requires.
Here is how to handle each scenario.
When the vendor provides comprehensive documentation. Use it. Incorporate the vendor's own discrimination risk disclosures, bias testing results, and mitigation recommendations into your impact assessment. Note specifically what the vendor provided and when. This is the best-case scenario — the vendor's own documentation becomes the factual foundation of your risk analysis.
When the vendor provides partial information. Document what was provided and what was not. For the gaps — risks the vendor did not address, testing results they did not share, compliance posture they would not disclose — conduct your own assessment using publicly available information. Academic research on similar AI systems, CFPB guidance on algorithmic credit decisions, EEOC guidance on AI in hiring, and the vendor's public blog posts and policy documents can all inform a reasonable risk assessment when vendor-specific documentation is unavailable.
When the vendor does not respond at all. Document the non-response. Your impact assessment should state that you requested SB 24-205 documentation from the vendor on specific dates, that no response was received, and that you therefore conducted your risk assessment based on publicly available information about the system's operation. This is not ideal — but it demonstrates reasonable care when the vendor's silence was the limiting factor.
A business that completes impact assessments using whatever information is available — vendor documentation where provided, public information where not — has demonstrated substantially more reasonable care than a business that never attempted impact assessments because the vendor was uncooperative. The Colorado AG's reasonable care standard is calibrated to what you can actually accomplish, not to what a fully cooperative vendor ecosystem would enable.
Storing and Producing Impact Assessments
Impact assessments must be stored as part of your Colorado AI Act compliance record. The record needs to be organized, dated, and accessible — the Colorado AG can request these documents during an investigation, and you will have a defined window to respond.
Static PDF files are not an ideal storage format. A PDF can be modified after the fact and its creation date can be altered. The strongest storage approach uses timestamped, cryptographically verified documents that can prove they have not been changed since they were created.
At minimum, store impact assessments in a dedicated compliance folder with clear naming conventions, date stamps, and a log of when each was created and updated. Keep the original version of each assessment alongside any subsequent updates. The update history is itself evidence of compliance — it shows that you maintained the assessment over time rather than creating it retroactively.
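One way to keep the creation-and-update log described above so that later edits or backdating are detectable, as an added example that is not part of the original guide and not something the statute prescribes: each version's SHA-256 digest and date are chained to the previous log entry. The system name `ExampleHire`, the field names, and the sample documents are constructed for illustration. The dates are self-asserted, so the returned head hash has to be recorded with a party outside your control (for example an RFC 3161 timestamping service) to show when the record existed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry
FIELDS = ("seq", "system", "event", "recorded_at", "doc_sha256", "prev_hash")

def _entry_hash(entry):
    body = {k: entry[k] for k in FIELDS}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def append_version(log, system, event, document, recorded_at=None):
    """Append one assessment version; return the new head hash."""
    entry = {
        "seq": len(log),
        "system": system,
        "event": event,
        "recorded_at": recorded_at or datetime.now(timezone.utc).isoformat(),
        "doc_sha256": hashlib.sha256(document).hexdigest(),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry["entry_hash"]

def verify_log(log, documents, trusted_head=None):
    """Return a list of problems; an empty list means the record is intact."""
    problems, prev = [], GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev_hash"] != prev:
            problems.append(f"entry {i}: chain link broken")
        if _entry_hash(e) != e["entry_hash"]:
            problems.append(f"entry {i}: metadata altered")
        doc = documents.get(i)
        if doc is None:
            problems.append(f"entry {i}: document missing")
        elif hashlib.sha256(doc).hexdigest() != e["doc_sha256"]:
            problems.append(f"entry {i}: document content changed")
        prev = e["entry_hash"]
    # Without an externally held head hash, a fully rewritten chain verifies.
    if trusted_head is not None and prev != trusted_head:
        problems.append("head hash does not match externally recorded value")
    return problems

def demo():
    # Constructed sample documents and dates; ExampleHire is hypothetical.
    v1 = b"Impact assessment v1: ExampleHire candidate ranking"
    v2 = b"Impact assessment v2: annual review, monitoring results added"
    log, docs = [], {0: v1, 1: v2}
    append_version(log, "ExampleHire", "initial", v1, "2026-06-15T17:00:00+00:00")
    head = append_version(log, "ExampleHire", "annual review", v2, "2027-06-20T17:00:00+00:00")
    clean = verify_log(log, docs, head)
    log[0]["recorded_at"] = "2026-01-05T17:00:00+00:00"  # backdating attempt
    return clean, verify_log(log, docs, head)
```

`demo()` returns the verification result before and after a backdating attempt on the first entry; the original and updated documents are kept side by side and both are checked against the log.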
Impact assessments are not public documents. The Colorado AI Act does not require you to publish your impact assessments. You are required to maintain them and produce them to the AG upon request. Keep them internal and treat them as you would any sensitive compliance document.
A Note on the Annual Update Requirement
The annual update requirement is not a formality. It is an opportunity to catch problems before they become enforcement issues.
In the year since you completed your initial assessments, the AI systems you use may have changed in material ways. Vendors update their algorithms. New public research may have identified discrimination risks in systems you use. Your own outcome monitoring may have revealed patterns worth investigating. A new AI feature may have been added to a platform you already have an assessment for.
Build annual impact assessment review into your compliance calendar as a standing annual event — not something you do when you remember. The businesses that will have the strongest Colorado AI Act compliance posture in 2027 and 2028 are the ones that treated this as an ongoing governance function rather than a one-time compliance project.
This guide is for informational purposes and does not constitute legal advice. For legal advice specific to your situation, consult a licensed Colorado attorney. ColoradoAIAct.news is an independent publication and is not affiliated with the Colorado government or Colorado General Assembly.