Colorado SB 24-205 — Consumer Protections for Artificial Intelligence
Colorado SB 24-205 (effective 2026-02-01) imposes a duty of care on developers and deployers of high-risk AI systems used in consequential decisions, with structured impact-assessment, notice, and discrimination-disclosure obligations. Ledgix evidences every control via signed Colorado-typed Algorithmic Impact Assessments, bias audits, per-decision ledger events, and incidents.
Status: Full — every control resolves to an artifact Ledgix produces today following the Phase 3 bias-audit and Phase 4 impact-assessment shipping.
Scope
SB 24-205 applies to developers and deployers of high-risk AI systems that make, or are a substantial factor in making, consequential decisions affecting Colorado consumers (housing, employment, education, lending, healthcare, legal services, essential government services, insurance). Impact assessments are required at deployment, annually, and on substantial modification; discrimination must be disclosed to the Attorney General within 90 days of discovery.
Controls covered
| Field | Type | Required | Description |
|---|---|---|---|
| CO-SB205-6-1-1702 | impact_assessments / bias_audits | Duty of care to avoid algorithmic discrimination | Signed Colorado AIA (ia_type=aia_colorado) plus statistical bias audits. |
| CO-SB205-6-1-1703(1) | impact_assessments | Impact assessment at deployment and annually thereafter | AIA records with next_review_at enforcing annual cadence. |
| CO-SB205-6-1-1703(2) | impact_assessments | Impact assessment contents — purpose, use, benefits | assessment_json.purpose and benefits fields on each AIA. |
| CO-SB205-6-1-1703(3) | impact_assessments | Impact assessment contents — risks of algorithmic discrimination and mitigations | risk_categories, mitigation_steps, residual_risk in each AIA. |
| CO-SB205-6-1-1703(4) | impact_assessments / policy_snapshots | Impact assessment contents — data categories and governance | data_categories, policy_version_refs, and immutable policy text describing data governance. |
| CO-SB205-6-1-1704 | events_jsonl / policy_snapshots | Notice and explanation to consumers and decision review | Per-decision records supporting explanation and appeal, plus governing policy at decision time. |
| CO-SB205-6-1-1705 | incidents / impact_assessments | Disclosure to the Attorney General of algorithmic discrimination | Incident records with severity/source metadata support the 90-day disclosure workflow; AIAs updated on discovery. |
Evidence types referenced
- impact_assessments — signed Colorado Algorithmic Impact Assessments.
- bias_audits — statistical evidence of algorithmic-discrimination mitigation.
- events_jsonl — per-decision consumer-facing explanation and appeal record.
- policy_snapshots — policies governing explanation and data governance at decision time.
- incidents — records supporting Attorney-General disclosure workflows.
Known gaps (if any)
None — every control resolves to an artifact Ledgix produces today. Tenants can start from a Colorado AIA template in the admin console that is pre-populated from operational ledger data.
Audit pack workflow
Export an evidence ZIP for this framework from the admin console's Evidence Exports panel by selecting Colorado SB 24-205 — Consumer Protections for Artificial Intelligence and a time window. Each control's evidence_locators[] in the included framework_mapping.json points to the corresponding file in the ZIP.
References
- Framework mapping JSON:
vault/internal/compliance/frameworks/colorado_sb_205.json - Canonical source: Colorado SB 24-205 — leg.colorado.gov