Colorado Artificial Intelligence Act (CAIA) Compliance

Requirements, timelines, and a practical readiness checklist for developers and deployers of high-risk AI used in consequential decisions across hiring, lending, housing, healthcare, insurance, education, and essential services.

Who Must Comply

The Colorado Artificial Intelligence Act (CAIA) covers high-risk AI used in consequential decisions. Obligations apply to developers that build or modify such systems and deployers that use them in Colorado.

Developers

Create, license, or substantially modify high-risk AI used in consequential decisions (e.g., hiring, lending, housing, healthcare, insurance, education, essential services).

Deployers

Organizations in Colorado using high-risk AI to make or materially influence consequential decisions affecting consumers.

What Counts as “High-Risk” AI

High-risk AI under the Colorado Artificial Intelligence Act (CAIA) is defined by use case, not by model type. A system is in scope when its output makes or materially influences a consequential decision about a consumer.

Education access and outcomes

Employment screening, hiring, promotion, termination

Credit/financing eligibility and terms

Healthcare eligibility, triage, or benefits

Housing approval and tenant screening

Insurance underwriting, pricing, or claims handling

Essential government services and benefits

Legal services access or outcomes

Core Obligations for Developers (CAIA)

Reasonable Care & Bias Controls

Technical Documentation Package

Use Boundaries

Impact-Assessment Enablement

Public Transparency Statement

Incident Notification (90-Day)

Change Management & Versioning

Data Governance

Security & Access Controls

Operator & Monitoring Guidance

Core Obligations for Deployers (CAIA)

Scope and Inventory

AI Risk Management Program

Impact Assessments

Human Oversight

Data Governance

Transparency Statement

Recordkeeping and Auditability

Vendor & Contract Controls

Small-Deployer Relief Check

Governance Cadence

How We Work

A practical checklist to structure compliance work under the Colorado Artificial Intelligence Act (CAIA) for high-risk AI used in consequential decisions.

Step 1: Confirm Scope

Map AI use cases to consequential decisions; flag systems that make or materially influence eligibility, pricing, benefits, or rights.

Step 2: Assign Ownership

Name accountable leads across product, legal, data, and compliance; define decision rights.

Step 3: Risk Management

Establish an AI RMP aligned with NIST AI RMF / ISO/IEC 42001, scaled to system impact.

Step 4: Technical Documentation

Intended use, data sources, limitations, performance, monitoring guidance, change history.

Step 5: Impact Assessments

Complete before deployment, on schedule (e.g., annually), and after material changes; record outcomes.

Step 6: Consumer Disclosures

Pre-use notice of AI involvement, adverse-decision explanations, and a human-review appeal path; ensure accessibility and language coverage.

Step 7: Data Governance & Testing

Provenance tracking, representativeness checks, bias/fairness testing, robustness, drift monitoring with thresholds.

Step 8: Periodic Reviews

Calendarized reviews and internal audits to verify controls, metrics, and disclosure accuracy.

CAIA Readiness and Implementation Support

Accelerate alignment with the Colorado Artificial Intelligence Act (CAIA) through a structured program for high-risk AI used in consequential decisions.

FAQs

Explore answers to pressing questions about CAIA risk tiers, duties, and documentation.

Does CAIA apply to non-Colorado companies?

Yes, if products or services result in consequential decisions about Colorado consumers, or if high-risk AI is deployed in Colorado.

Are small organizations treated differently?

Certain deployer duties may not apply to organizations with fewer than 50 FTEs that use systems as intended and do not train them on their own data, provided equivalent impact assessments from the developer are available.

What disclosures are required to consumers?

Pre-use notice of AI involvement, explanation of any adverse decision, and a clear path to human review/appeal. Disclosures should be accessible and available in appropriate languages.

Is there a private right of action?

No. Enforcement authority rests with the Colorado Attorney General.

How does CAIA relate to the EU AI Act?

Both regulate risk in AI, but CAIA centers on consequential decisions about consumers in Colorado, while the EU AI Act uses tiered risk categories and broader market-conformity duties.

Does CAIA cover SaaS and cloud-based systems?

Yes. Coverage depends on how the system is used in decisions, not on hosting model.

What counts as algorithmic discrimination under CAIA?

Outcomes that unlawfully differentiate or unfairly disadvantage protected classes or consumers through the AI system’s operation or data, considering intended and known uses.