Colorado SB 24-205 — the Colorado AI Act — takes effect June 30, 2026. That is 72 days from today. The law is not aspirational guidance or a policy framework. It is enforceable state law requiring specific, documented compliance actions from any enterprise deploying AI systems that make consequential decisions about Colorado consumers. Most large enterprises have not completed those actions. The countdown is real, and the White House framework recommending federal preemption of state AI laws has not changed it.
The AI Act’s requirements divide cleanly across two roles: developers (companies that build or train AI systems) and deployers (companies that use those systems to make decisions). If your company uses a
What the AI Act Requires
The Act targets “high-risk AI systems” — defined as systems that make or substantially influence consequential decisions in employment, education, financial services, healthcare, housing, insurance, or legal services.
Developer obligations under Colorado SB 24-205 include: disclosing system capabilities, known limitations, and discrimination potential to deployers; providing documentation on training data, intended use, and performance evaluations; and reporting discovered algorithmic discrimination to the Colorado Attorney General within 90 days of discovery.
Deployer obligations are more extensive: conduct a pre-deployment impact assessment for each high-risk AI system; maintain an annual algorithmic discrimination review process; provide consumer-facing disclosures explaining AI use in consequential decisions; establish complaint mechanisms that allow consumers to contest AI-driven decisions; and report discovered algorithmic discrimination to the AG within 90 days.
The 90-day AG reporting obligation deserves particular attention. It is not triggered by a breach or a lawsuit — it is triggered by discovery. If after June 30 your AI system produces discriminatory outcomes — even inadvertently — and your internal processes identify it, you have 90 days to report to the Attorney General. Without a pre-deployment impact assessment and annual review process already in place, your organisation has no systematic mechanism for early discovery and no audit trail demonstrating good-faith compliance effort.
The Three AI Act Compliance Gaps Most Enterprises Have
Pre-deployment impact assessments. The assessment process requires documenting the AI system’s purpose, the population it affects, known bias risks in training data, the protected characteristics at risk, and the mitigation measures in place. This is a multi-week process requiring coordination between legal, data science, and product teams. Most enterprises have not started it for their AI-assisted decision workflows.
Annual discrimination review processes. Even companies that have conducted one-time bias audits for regulatory purposes do not typically have a standing annual review process with documented ownership, defined methodology, and executive sign-off. The Act requires this as an ongoing obligation, not a one-time certification.
AG reporting mechanisms. The 90-day reporting obligation to the Colorado AG requires that an enterprise has: a process for identifying when algorithmic discrimination has been discovered; a defined internal escalation chain for that discovery; and a prepared reporting template and designated legal contact for AG notification. The Colorado AG’s office is running active rulemaking that will specify reporting formats — but enterprises cannot wait for rulemaking completion before building the internal process.
The Federal Preemption Misconception About the AI Act
The most common reason enterprise compliance teams are deferring action is the White House framework issued March 20, 2026, which recommends federal preemption of state AI laws. The problem with this reasoning is that the White House framework is a policy recommendation, not law. Congress has not passed federal AI legislation. The Colorado Act stands as enforceable state law until Congress passes something different — and the probability of that happening in the next 72 days is effectively zero.
This is not analogous to a regulatory grace period or a temporary moratorium. Colorado’s Act is operating alongside Illinois AI disclosure requirements and California employment discrimination AI regulations — a multi-state compliance environment that is deepening, not contracting, regardless of federal preemption intent. For context, the EU AI Act provides a useful comparison: it is broader in scope, but its timeline is measured in years. Colorado’s Act is narrower but takes effect in 72 days with no further delay mechanism available.
What to Watch
Colorado AG rulemaking output. The AG’s office is developing specific compliance standards. Any rulemaking published before June 30 will clarify the impact assessment methodology, the AG reporting format, and potentially the enforcement posture for the first 90 days post-effectiveness. This is the single most actionable signal for compliance teams.
Multi-state AI regulatory convergence. If Texas or New York introduces comparable legislation in H2 2026, the compliance cost of managing state-by-state AI regulation will begin to approach EU AI Act complexity. See our US AI regulation gap analysis for the broader federal context.
The June 30 deadline will not shift again. The compliance actions required — impact assessments, annual review processes, AG reporting mechanisms, consumer disclosures — are not overnight tasks. Enterprises waiting for federal preemption are making a bet that has a near-zero probability of paying off in 72 days.
This article was produced with AI assistance and reviewed by the editorial team.



