Colorado's Landmark AI Act: What Companies Need To Know

Summary

This comprehensive legal analysis from Skadden, Arps, Slate, Meagher & Flom LLP breaks down Colorado's groundbreaking AI Act (CAIA), enacted on May 17, 2024 - one of the first comprehensive state-level AI governance laws in the United States. The resource provides essential guidance for companies navigating the new regulatory landscape around "high-risk" AI systems and algorithmic discrimination compliance. As Colorado sets the precedent for state-level AI regulation, this analysis offers critical insights into what could become a template for AI governance across other U.S. states.

What makes Colorado's approach different

Colorado's AI Act takes a targeted approach that differs significantly from broader federal proposals and international frameworks like the EU AI Act. Rather than attempting to regulate all AI applications, CAIA focuses specifically on "high-risk" AI systems - those used in consequential decisions affecting employment, education, financial services, healthcare, housing, insurance, and legal services. The law introduces the concept of "algorithmic discrimination" as a central compliance concern, requiring companies to assess and mitigate discriminatory impacts in these critical decision-making contexts.

The legislation also establishes a unique enforcement mechanism through the Colorado Attorney General's office and creates specific disclosure requirements for AI system developers and deployers operating within the state's jurisdiction.

Timeline and key compliance dates

Understanding CAIA's implementation timeline is crucial for affected companies:

• May 17, 2024: Colorado AI Act signed into law
• February 1, 2026: Full compliance requirements take effect
• Ongoing: Rulemaking process by Colorado Attorney General to establish specific implementation details

This nearly two-year implementation period provides companies with time to assess their AI systems, develop compliance programs, and adapt their operations to meet the new requirements. However, the analysis emphasizes that companies should begin compliance planning immediately, as the rulemaking process may introduce additional specific requirements.

Who faces the highest compliance burden

The resource identifies distinct categories of entities with varying compliance obligations:

Developers of high-risk AI systems face the most comprehensive requirements, including conducting impact assessments, implementing bias testing protocols, and providing detailed disclosures about system capabilities and limitations.

Deployers - organizations that use high-risk AI systems in their operations - must establish governance frameworks, conduct ongoing monitoring, and ensure appropriate human oversight of AI-driven decisions.

Companies in regulated sectors such as banking, insurance, healthcare, and employment services need to pay particular attention, as these industries are specifically highlighted as areas where AI systems are more likely to be classified as "high-risk" under CAIA.

Penalties and enforcement mechanisms

CAIA establishes significant financial penalties for non-compliance, with the Colorado Attorney General authorized to seek damages and injunctive relief. The law includes both civil penalties and potential damages to affected individuals, making compliance a critical business priority rather than a mere regulatory checkbox.

The analysis details how enforcement will likely focus on demonstrable harm from algorithmic discrimination, meaning companies need robust documentation of their AI governance processes and decision-making safeguards.

How this fits into the broader regulatory landscape

This Skadden analysis contextualizes CAIA within the evolving U.S. AI regulatory environment, comparing it to federal initiatives and exploring how Colorado's approach might influence similar legislation in other states. For companies operating across multiple jurisdictions, understanding CAIA provides insights into emerging regulatory trends and helps inform broader AI governance strategies.

Who this resource is for

• Legal counsel at companies developing or deploying AI systems, particularly those operating in Colorado or multiple states
• Compliance officers responsible for AI governance and risk management programs
• AI product managers and developers working on systems that could be classified as "high-risk" under CAIA
• Executive leadership at companies in regulated industries who need to understand strategic compliance implications
• Policy professionals tracking the evolution of AI regulation at the state level