    Colorado AI Act: What It Means for US Companies and the Path to Federal AI Regulation

    Colorado’s Governor Jared Polis signed SB 24-205 into law on May 17, 2024, and then, in his own signing letter, urged legislators to fix it before it took effect.[1]

    That opening tells you almost everything you need to know about how Colorado’s AI Act came to be. It’s a first-mover law — ambitious, consequential, and deliberately imperfect. Colorado became the first US state to enact comprehensive AI regulation not because everyone agreed it was ready, but because lawmakers decided that waiting for perfection was its own form of failure.

    Since then, the law has survived a failed special legislative session, intense industry lobbying from over 150 representatives, a five-month implementation delay, and ongoing federal preemption threats.[2] Every core provision — risk assessments, impact assessments, transparency requirements, the duty of reasonable care — survived intact. The deadline is June 30, 2026. It’s coming.

    “In the absence of congressional action, Colorado’s law may help to set the tone for predictive artificial intelligence regulation nationwide, and it may impact the behavior of developers and deployers across state lines as they seek compliance with Colorado’s requirements.”

    — National Association of Attorneys General, October 2024[3]

    This guide is for US companies — and the non-US companies serving Colorado residents — who need to understand exactly what the Colorado AI Act requires before June 30, 2026. I’ll cover the law’s architecture, what “high-risk AI” means in practice, the distinct obligations for developers vs. deployers, how the safe harbor and affirmative defenses actually work, what compliance looks like operationally, and what Colorado’s law signals about where US federal AI regulation is heading.

    This article is part of our EU AI Act Compliance Guide cluster. For a comparison of how Colorado’s Act stacks up against the EU AI Act and other US state laws, see our EU AI Act vs. US AI Policy guide.

    Let’s start with the law’s fundamental architecture — because it’s different from any prior US regulation, and understanding that difference changes how you approach compliance.

    The Architecture: What Kind of Law Is SB 24-205?

    Before diving into specific requirements, you need to understand what kind of law you’re dealing with — because Colorado’s AI Act is architecturally different from most US regulations, and that difference shapes every compliance decision.


    The “Reasonable Care” Standard — Not a Checklist

    Most US regulations work as prescriptive checklists: do X, Y, Z, and you’re compliant. Colorado’s AI Act works differently. It imposes a duty of reasonable care on both developers and deployers of high-risk AI systems — meaning the legal question isn’t “did you check the boxes?” but “did you exercise appropriate care given the known and foreseeable risks?”[4]

    This is a significant architectural choice. It means compliance under Colorado law is inherently fact-specific and context-dependent. An AI system that poses minimal discrimination risk in a low-stakes deployment context requires less documentation and oversight than one deployed in a high-stakes context with known bias issues in the training data. The law doesn’t flatten that distinction into a single compliance checklist — it scales obligations to risk.

    The tradeoff is legal uncertainty. “Reasonable care” is a common law standard that will ultimately be defined through enforcement actions and, potentially, litigation. Unlike the EU AI Act’s prescriptive Annex IV requirements, Colorado’s law leaves substantial interpretation to the Attorney General’s rulemaking authority and eventual enforcement practice. For compliance planning purposes, the law’s specific requirements provide the minimum floor — but demonstrating “reasonable care” in an enforcement action will require showing that you genuinely engaged with the risks, not just that you completed required paperwork.

    Who the Law Applies To: Extraterritorial Reach

    Colorado’s AI Act applies to any person doing business in Colorado who develops, substantially modifies, or deploys a high-risk AI system making consequential decisions affecting Colorado consumers.[4] The territorial scope is consumer-facing — it’s about who the AI affects, not where the company is located.

    A US company headquartered in New York that uses an AI hiring tool to screen applicants across the country — including Colorado residents — is subject to the Act for those Colorado-affecting deployments. A European company’s AI that makes credit decisions for Colorado residents falls within scope. The test is whether your AI makes consequential decisions about people in Colorado, not whether you have a physical office or tax presence there.

    One important nuance: the law distinguishes between developers (entities that develop or intentionally and substantially modify a high-risk AI system) and deployers (entities that use a high-risk AI system in a production context to make consequential decisions about consumers).[5] A company can be both simultaneously — if you build your own AI and use it in your operations, you carry both sets of obligations. And importantly, if you take a third-party AI and substantially modify it for your own purposes, you shift from pure deployer to developer status for that modified version.

    Implementation Timeline and What Changed

    Understanding the timeline helps you understand the political context and what’s still fluid.

    Date | Event | Significance
    --- | --- | ---
    May 17, 2024 | Governor Polis signs SB 24-205 — with reservations | Colorado becomes first US state with comprehensive AI law; Polis immediately calls for improvements
    May 7, 2025 | SB 25-318 (amendment bill) fails to pass before legislative session end | Significant attempted amendments — new “algorithmic discrimination” definition, expanded exemptions, delayed deployer obligations — all fail
    August 28, 2025 | Governor signs SB 25B-004 after special session | Effective date delayed from February 1, 2026 to June 30, 2026; all core provisions unchanged
    January 2026 | Colorado 2026 regular session begins; new amendment bills introduced | Further narrowing attempts underway; outcome uncertain at time of writing
    June 30, 2026 | ⚠ SB 24-205 effective date — all obligations apply | Compliance deadline for developers and deployers of high-risk AI affecting Colorado consumers
    February 1, 2027 | Deployer disclosure and impact assessment requirements fully enforced | Some deployer-specific provisions have a secondary effective date per the glacis.io analysis[6]

    The most important takeaway from this history: despite intense industry opposition, the law’s core framework survived intact. The American Bar Association reported in November 2025 that “nothing fundamental changed” through the special session process.[2] Companies that delayed compliance planning hoping amendments would significantly reduce obligations made a strategic error.

    ⚠ 2026 Session Monitoring Required

    The Colorado 2026 regular session, which began in January 2026, has introduced new amendment bills. While the June 30, 2026 deadline is currently set, the scope of some obligations may shift before that date. Monitor the Colorado General Assembly (leg.colorado.gov) for bill activity, and build your compliance program around the law as enacted — not around hoped-for amendments.

    What Is a “High-Risk AI System” Under Colorado Law?

    The high-risk definition is the critical gateway to Colorado AI Act compliance. If your AI system doesn’t qualify as high-risk, almost none of the law’s substantive requirements apply. Get this classification wrong — in either direction — and you’re either wasting compliance resources or creating serious legal exposure.


    The “Consequential Decision” Test

    Under SB 24-205, an AI system is high-risk when it makes, or is a substantial factor in making, a consequential decision affecting a Colorado consumer.[4] Two elements require careful analysis.

    First: “substantial factor.” An AI system doesn’t need to make the final decision to be high-risk — it just needs to be a substantial factor in that decision. The most significant question for most deployers is exactly how direct the AI’s influence needs to be. Pacific AI’s compliance guidance offers useful framing: “the fastest way to scope exposure is to start with the decision workflow rather than the model.” If a system’s output can materially influence whether someone gets a job, a loan, or housing, treat it as high-risk until you have documented rationale for a different classification.[7]

    Second: “consequential decision.” The Act defines this specifically as any decision that has a material legal or similarly significant effect on the provision or denial to a consumer of one of the eight covered services, or on the cost or terms of those services.[4] The “cost or terms” addition is important — an AI that doesn’t deny you insurance but significantly raises your premium based on demographic factors still qualifies.

    The Eight Covered Sectors (with Examples)

    Consequential decisions in the following eight sectors trigger high-risk classification under SB 24-205:[4]

    1. Education enrollment or education opportunities. AI that determines admission to educational programs, allocates scholarships, or evaluates academic performance in ways that affect enrollment qualifies. Note that AI tutoring tools that adapt content delivery without affecting enrollment decisions do not.

    2. Employment or employment opportunities. This is the most immediately impacted sector for most US companies. CV screening tools, interview analysis AI, performance evaluation systems, promotion recommendation engines, and workforce reduction tools all qualify. If your AI makes or substantially influences who gets hired, promoted, evaluated, or laid off, it’s high-risk.

    3. Financial or lending services. Credit scoring AI, loan application processing tools, mortgage approval systems, and any AI that affects whether or on what terms a consumer receives financial services qualifies.

    4. Essential government services. AI systems used by government agencies or their contractors to determine eligibility for government benefits, services, or programs fall within this category.

    5. Healthcare services. AI that influences clinical treatment decisions, diagnostic recommendations, or healthcare access falls within scope. This category can interact with federal FDA or ONC regulations — the law provides specific exemptions for systems approved by relevant federal agencies where those approvals impose equivalent or stricter standards.

    6. Housing. AI used in tenant screening, rental pricing algorithms that affect individual pricing based on demographic factors, or mortgage approval decisions affecting housing access qualifies.

    7. Insurance. Underwriting AI that determines individual policy eligibility, premium levels, or coverage terms qualifies. The law also specifically exempts insurers subject to Colorado insurance commissioner regulations if those regulations are substantially equivalent or stricter — but this exemption requires affirmative verification, not assumption.[4]

    8. Legal services. AI that substantially influences legal representation decisions, bail recommendations, sentencing inputs, or other legal process outcomes affecting consumers qualifies.

    What Is Explicitly Excluded

    The Act excludes several categories that might otherwise seem to fall within its scope. Anti-fraud systems that do not use facial recognition are excluded. Systems used purely for internal procedures with no consumer-facing impact are excluded. Cybersecurity and data security systems are excluded. AI systems approved, authorized, or cleared by federal agencies like the FDA or FAA — where those approvals impose substantially equivalent or stricter standards — are also excluded.[8]

    The small business exemption is more limited than it might appear. Companies with fewer than 50 employees are partially exempt — but only if they do not use their own data to train or fine-tune the AI system. Customizing a model with proprietary data removes the exemption entirely.[9] This matters significantly for SaaS companies that offer “customizable” AI products built on customers’ own data.

    Classification Decision Table: 12 Real-World Examples

    AI System | Sector | High-Risk? | Reasoning
    --- | --- | --- | ---
    CV screening tool that ranks job applicants | Employment | Yes | Substantial factor in employment opportunity decision
    Employee scheduling optimization AI | Employment (adjacent) | No | Operational, not a decision about employment opportunity
    Credit scoring model for personal loans | Financial services | Yes | Determines access to financial services
    Transaction fraud detection (no account freeze) | Financial (adjacent) | No | Anti-fraud system, explicitly excluded; no consequential consumer decision
    AI clinical decision support for diagnosis | Healthcare | Yes | Substantial factor in healthcare service decisions
    AI scheduling for medical appointments | Healthcare (adjacent) | No | Operational scheduling, not a clinical or access decision
    Tenant screening AI for rental applications | Housing | Yes | Consequential housing access decision
    Property management AI for maintenance scheduling | Housing (adjacent) | No | Operational, no consequential consumer decision
    University admissions AI ranking applicants | Education | Yes | Substantial factor in education enrollment decision
    Adaptive learning content recommendation | Education (adjacent) | No | No access or enrollment decision; purely content-level
    Insurance underwriting AI for individual policies | Insurance | Yes | Determines access and cost of insurance services
    AI chatbot answering insurance product questions | Insurance (adjacent) | No | Information provision, not a coverage decision; also covered by chatbot disclosure rules

    Developer Obligations: Five Core Requirements

    Under SB 24-205, developers carry five distinct obligations, all grounded in demonstrating that they took reasonable care to prevent algorithmic discrimination.[4] If you develop or substantially modify high-risk AI systems deployed in Colorado, these apply to you starting June 30, 2026.


    Requirement 1: Duty of Reasonable Care

    Developers must use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination arising from the intended and contracted uses of their high-risk AI system. This standard — notably flexible — covers both the AI’s performance in intended use cases and foreseeable misuse scenarios.

    What “reasonable care” looks like in practice for a developer: bias testing across protected demographic groups before deployment; documentation of training data sources and known limitations; evaluation of the system for algorithmic discrimination prior to market placement; and ongoing monitoring after release for discrimination issues reported by deployers. The law doesn’t mandate a specific testing methodology — but your choice of methodology, and the evidence that you actually ran it, will be central to any enforcement defense.

    Requirement 2: Documentation Disclosure to Deployers

    Developers must make available to deployers (or other developers downstream in the distribution chain) the documentation and information necessary for a deployer to complete an impact assessment of the high-risk AI system.[4]

    The law specifies the types of documentation that must be provided, including: a general statement describing reasonably foreseeable uses and known harmful or inappropriate uses; high-level summaries of the training data used and data governance measures; documentation of how the system was evaluated for algorithmic discrimination; intended use cases, foreseeable limitations, and technical capabilities; and artifacts such as model cards, dataset cards, or prior impact assessments necessary for deployers to complete their own assessments.

    This creates a direct contractual implication: your deployer agreements must address which party is responsible for providing which documentation, and developers who withhold documentation necessary for impact assessment compliance are exposed both to direct regulatory liability and to indemnification claims from deployers.

    Requirement 3: Public Statement Requirement

    Developers must maintain a publicly available statement — on their website or in a public use case inventory — summarizing the types of high-risk AI systems they develop and make available, and how they manage known or reasonably foreseeable risks of algorithmic discrimination.[4] This statement must be kept current and updated when material changes occur.

    This requirement creates ongoing reputational accountability beyond regulatory exposure. Your public statement becomes searchable, quotable, and potentially usable as evidence in enforcement proceedings. Draft it with legal review, and treat updates with the same seriousness as material disclosures in other regulated contexts.

    Requirement 4: 90-Day Discrimination Reporting to AG

    Within 90 days of discovering, or receiving a credible report from a deployer, that a high-risk AI system has caused or is reasonably likely to have caused algorithmic discrimination, developers must notify the Colorado Attorney General and all known deployers of the system.[4]

    This reporting obligation starts running from the moment of discovery — not from when discrimination is confirmed. “Reasonably likely to have caused” is a lower bar than confirmed causation. If your monitoring program flags a potential discrimination issue, the 90-day clock starts. Build your internal escalation procedures with this timeline explicitly in mind.

    Requirement 5: Responding to AG Documentation Requests

    Upon request from the Colorado Attorney General, developers must provide specified documentation within 90 days. Developers may designate submitted documentation as proprietary to prevent disclosure under the Colorado Open Records Act, and sharing information with the AG does not waive attorney-client privilege.[4]

    This provision gives the AG investigative tools without requiring litigation. From a compliance planning perspective, maintain documentation that you could produce within 90 days of an AG request — and ensure that documentation is genuinely organized and retrievable, not scattered across engineering repositories and personal drives.

    Deployer Obligations: Five Core Requirements

    Deployers — the organizations using high-risk AI to make or substantially influence consequential decisions about Colorado consumers — face the most operationally intensive compliance obligations under SB 24-205. The law places the consumer-protection interface primarily at the deployer level.[4]

    Requirement 1: Risk Management Policy and Program

    Deployers must establish and maintain a risk management policy and program that specifies the principles, processes, and personnel used to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination. Critically, this is described as an iterative process — it must be regularly reviewed and updated over the lifecycle of the AI system, not completed once at deployment.[4]

    The risk management policy and program aligns most directly with NIST AI RMF’s GOVERN and MANAGE functions. If your organization is already building to NIST AI RMF standards — for EU AI Act compliance or for general AI governance — you have a significant head start on this requirement. The policy doesn’t need to follow any particular format — Colorado’s law doesn’t specify a template — but it must address the specific risks of algorithmic discrimination in your specific deployment context.

    Requirement 2: Annual Impact Assessments

    Deployers must complete an annual impact assessment of each high-risk AI system they deploy. The assessment must cover: a description of the system and its purpose; the deployment context; the data used; an evaluation of the system’s reasonably foreseeable risk of algorithmic discrimination; a description of mitigation measures; a description of categories of data used to make consequential decisions; and a description of affected consumer categories.[5]

    Impact assessments must be completed before deploying a high-risk AI system and annually thereafter. Third parties contracted by deployers can complete the assessments on their behalf — there’s no requirement for internal completion. Deployers must retain the most recently completed assessment, all records concerning each assessment, and all prior assessments for at least three years following the final deployment of the system.[10]

    Requirement 3: Consumer Notification and Disclosure

    Before a deployer deploys a high-risk AI system to make or substantially influence a consequential decision concerning a specific consumer, the deployer must notify that consumer that a high-risk AI system will be used, and provide: a statement disclosing the purpose of the system; a description in plain language of the high-risk AI system; the contact information for the deployer; and instructions on how the consumer can access additional information or exercise their rights.[10]

    Additionally, if the high-risk AI system makes an adverse consequential decision about a consumer — denying them a job, loan, housing, or other covered service — the deployer must notify the consumer of that adverse decision and how they can appeal it. This creates a dual notification obligation: before-the-decision notice and after-the-adverse-decision notice.

    Requirement 4: Right to Appeal Adverse Decisions

    Deployers must provide consumers with an opportunity to appeal, via human review if technically feasible, any adverse consequential decision arising from the deployment of a high-risk AI system.[4]

    The “technically feasible” qualifier provides some flexibility — but courts and the AG are unlikely to accept that pure cost or operational inconvenience makes human review technically infeasible. The feasibility standard is engineering feasibility, not business preference. If you’re deploying high-risk AI in Colorado, build a human review pathway into your decision workflow before June 30, 2026.

    There is one critical exception: if a delay in the appeal process would pose a risk to the consumer’s life or physical safety, the normal appeal requirement may be modified. This carve-out is primarily relevant for emergency healthcare or public safety applications.

    Requirement 5: 90-Day Discrimination Reporting to AG

    Deployers face the same 90-day reporting obligation as developers: within 90 days of discovering that a deployed high-risk AI system has caused algorithmic discrimination, the deployer must disclose that discovery to the Colorado Attorney General.[4] This obligation runs independently of whether the developer has also reported — both parties carry independent reporting duties when they discover discrimination issues.

    Safe Harbor, Exemptions, and Affirmative Defenses

    Colorado’s AI Act is unusual among US regulations in providing a structured safe harbor pathway — and understanding it is as important as understanding the base obligations, because it fundamentally changes the compliance calculus.

    The NIST AI RMF Safe Harbor

    SB 24-205 creates a rebuttable presumption of compliance — effectively a safe harbor — for developers and deployers that satisfy three conditions simultaneously:[4]

    First, they must be in compliance with the Act’s substantive requirements. Second, they must be in compliance with a nationally or internationally recognized risk management framework for AI systems that the Act or the Attorney General designates. Third, they must take specified measures to discover and correct violations, including through feedback mechanisms, adversarial testing (red-teaming), or internal review processes.

    The NIST AI Risk Management Framework (AI RMF 1.0)[11] is the primary framework expected to qualify for this safe harbor, along with ISO/IEC 42001. The Colorado Attorney General has rulemaking authority to formally designate approved frameworks, but building your compliance program around NIST AI RMF provides the strongest current safe harbor position.

    What makes this safe harbor strategically important: it means Colorado AI Act compliance and EU AI Act compliance share significant substantive overlap when NIST AI RMF is used as the underlying governance framework. Organizations that build to NIST AI RMF standards, layer EU AI Act-specific requirements on top for EU-facing systems, and add Colorado’s specific deployer obligations for Colorado-facing systems can satisfy all three frameworks from a single governance foundation.

    Statutory Exemptions: Who Is Excluded

    Several categories of entities or systems are fully or partially exempt from SB 24-205’s requirements. The most practically significant:

    Insurance sector exemption: Insurers subject to Colorado insurance commissioner regulations that are substantially equivalent or stricter than SB 24-205 are in full compliance with the Act.[4] This is not an automatic exemption — it requires verification that the applicable insurance regulations actually meet the equivalence threshold.

    Banking sector exemption: Banks and credit unions subject to examination by state or federal prudential regulators under published guidance that applies to high-risk AI systems are in full compliance — if that guidance meets specified criteria.[4]

    Federal agency approval exemption: AI systems that have been approved, authorized, certified, cleared, or granted by a federal agency like the FDA or FAA — where those approvals impose substantially equivalent or stricter obligations — are exempt.[8] The Center for Democracy and Technology has flagged this as potentially overly broad, and its boundaries will likely be tested in enforcement.

    Small business partial exemption: Businesses with fewer than 50 employees are partially exempt — but critically, only if they do not use their own proprietary data to train or fine-tune the AI system. Any customization with your own data eliminates this exemption.

    Affirmative Defense: Discovery and Cure

    Even after a violation has occurred, SB 24-205 provides an affirmative defense for developers and deployers who discover and cure the violation before the AG takes enforcement action. To use this defense, the entity must have discovered the violation through feedback, adversarial testing/red-teaming, or an internal review process — and must have been in compliance with a recognized risk management framework at the time.[5]

    This affirmative defense design has an important structural implication: it incentivizes genuine monitoring and testing programs, not just initial compliance efforts. Organizations that run ongoing bias testing and red-teaming are protected even when they find problems — as long as they fix them promptly. Organizations that never test and are surprised by discrimination issues in an enforcement action have no equivalent defense available.

    Enforcement and Penalties: How the AG Will Use This Law

    Understanding Colorado’s enforcement structure helps you prioritize compliance investments. The law’s enforcement architecture creates different risk profiles than most federal enforcement.

    Penalty Structure and Accumulation Risk

    Violations of SB 24-205 are treated as unfair trade practices under Colorado’s Consumer Protection Act, with a maximum penalty of $20,000 per violation.[12] That number sounds manageable — until you consider how violations are counted.

    Violations are counted separately for each affected consumer or transaction. An AI hiring tool that screens out 500 qualified Colorado applicants on discriminatory grounds generates up to $10 million in potential penalties. A credit scoring system that denies loans to 1,000 Colorado consumers on the basis of a protected characteristic generates up to $20 million. The $20,000 per-violation figure is not a ceiling on the case — it’s a per-consumer multiplier that can produce company-threatening liability at scale.

    Before taking enforcement action, the AG must provide notice of a violation and allow the company 60 days to cure the identified deficiency.[12] This cure period is a meaningful protection — but it requires you to have a compliance infrastructure that can actually identify and fix problems within 60 days. Companies that receive notice of violations with no existing documentation, no monitoring program, and no established processes will struggle to cure within that window.

    The Private Right of Action Ambiguity

    One of the most important unresolved questions in Colorado’s AI Act is whether consumers can sue directly. The law gives the Colorado AG exclusive enforcement authority and does not explicitly create a private right of action. However — and this is significant — it also makes violations an unfair trade practice under the Colorado Consumer Protection Act, which does allow private rights of action.[5]

    This ambiguity has not been resolved by the legislature or by court decision. Until it is, companies should plan for the possibility that consumer litigation is available — particularly in employment discrimination cases where plaintiffs’ lawyers are already experienced in testing novel litigation theories against AI systems.

    The 60-Day Cure Period Before Enforcement

    The AG’s obligation to provide a cure period before enforcement is a meaningful protection that distinguishes Colorado’s approach from more aggressive enforcement models. In practice, this means the first wave of Colorado AI Act enforcement will likely target companies that receive a discrimination complaint or self-report a violation, fail to cure within 60 days, and then face formal enforcement. The 60-day cure period is only useful if you have a functioning compliance program that can diagnose the root cause of a discrimination issue and implement genuine remediation within that window. Companies with no compliance infrastructure face the practical reality that 60 days is very short for diagnosing and fixing an AI discrimination problem that may be embedded in training data or model architecture.

    Practical Compliance Roadmap: What to Do Before June 30, 2026

    With roughly three months to the effective date as of this writing, the question isn’t whether to start — it’s what to prioritize first. The answer differs significantly depending on whether you’re a developer, a deployer, or both.

    If You Are a Developer

    Your primary pre-June 30 priorities are documentation and disclosure. Before your high-risk AI systems are deployed or continue to be deployed in Colorado contexts, you need three things ready.

    First, a bias testing record — documented evidence that you evaluated your system for algorithmic discrimination across protected demographic groups before market placement, with the methodology described and findings disclosed. This doesn’t need to be a perfect record; it needs to be an honest one that demonstrates you took the risk seriously.

    Second, a documentation package for deployers — the model cards, dataset documentation, impact assessment artifacts, and system capability descriptions that deployers need to complete their own impact assessments. If you don’t have this package ready, deployers cannot satisfy their own obligations under the law, and they will be asking for it from you starting June 30.

    Third, a public statement on your website describing the high-risk AI systems you develop and how you manage discrimination risks. This is visible and public — it should be reviewed by legal counsel and kept current.

    If You Are a Deployer

    Deployers face the most immediate operational compliance requirements. Before June 30, 2026, you need three things operational, not just documented.

    First, a risk management policy and program — not a policy document sitting in a shared drive, but a functioning governance process with named owners, defined procedures for identifying and escalating discrimination risks, and a review cadence. This is the requirement that creates the most organizational change for companies new to AI governance.

    Second, a consumer notification workflow — the process, UI elements, and legal language for notifying consumers before consequential AI-influenced decisions and after adverse decisions. This typically requires product changes, and product changes take time. If you haven’t started building this, start immediately.

    Third, a human review appeal pathway — the operational process for consumers to request human review of adverse AI decisions, the qualifications and authority of human reviewers, and the escalation path. This may require staffing changes in addition to process design.

    If You Are Both Developer and Deployer

    Companies that build and use their own high-risk AI carry both sets of obligations. The practical approach: treat your organization as having two distinct compliance functions — a product/engineering function carrying developer obligations, and an operations/HR/legal function carrying deployer obligations — with explicit coordination between them. The documentation you produce as a developer (bias testing, model cards, training data documentation) feeds directly into the impact assessments you complete as a deployer. Build that documentation flow into your development pipeline, not as a separate compliance exercise.

    Colorado AI Act Compliance Readiness Checklist (Pre-June 30, 2026)

    Scope Assessment (Both Developers and Deployers)

    • ☐ AI systems inventory completed — all AI systems identified across organization
    • ☐ High-risk classification analysis completed per consequential decision test
    • ☐ Colorado-affecting deployments identified — which systems affect Colorado residents
    • ☐ Developer vs. deployer status determined for each high-risk system
    • ☐ Applicable exemptions assessed and documented (insurance, banking, federal approval, small business)

    Developer Requirements

    • ☐ Algorithmic discrimination bias testing completed and documented for each high-risk system
    • ☐ Deployer documentation package prepared: model cards, dataset documentation, impact assessment artifacts
    • ☐ Public website statement drafted, reviewed by legal, and published
    • ☐ 90-day AG reporting escalation process established
    • ☐ Developer agreements updated to address documentation disclosure obligations

    Deployer Requirements

    • ☐ Risk management policy and program document created with named process owners
    • ☐ Initial impact assessment completed for each high-risk system
    • ☐ Annual impact assessment schedule established (or delegated to third party)
    • ☐ Consumer pre-decision notification workflow built and tested
    • ☐ Consumer post-adverse-decision notification process established
    • ☐ Human review appeal pathway operational with qualified reviewers
    • ☐ 90-day discrimination reporting process to AG documented and owned
    • ☐ Impact assessment records retention schedule established (3-year minimum)

    Safe Harbor Positioning

    • ☐ NIST AI RMF (or ISO/IEC 42001) alignment documented for each high-risk system
    • ☐ Adversarial testing / red-teaming program established to support affirmative defense
    • ☐ Internal review process for violations documented and tested

    What Colorado Signals About the Future of US Federal AI Regulation

    The strategic reason to care about Colorado’s AI Act extends beyond Colorado itself. With the federal government actively stepping back from comprehensive AI regulation in 2025–2026, Colorado has become the de facto laboratory for US AI governance. What happens there will shape what comes next — either by inspiring replication across other states, or by generating enforcement precedents that influence how the federal government eventually acts.

    The “Brussels Effect” Applied to Colorado

    The EU AI Act created what scholars call the “Brussels Effect” — the phenomenon where stringent regulations in one jurisdiction force global companies to upgrade their practices everywhere, because building jurisdiction-specific AI versions is operationally infeasible for most products. A similar “Denver Effect” is already observable.

    Companies deploying AI in employment, credit, housing, and healthcare across the US are choosing to build Colorado-compliant systems rather than maintaining separate Colorado and non-Colorado versions of their AI tools. When your risk management program, bias testing methodology, and consumer notification workflows are built to Colorado standards, they apply to all your users — not just those in Colorado. This voluntary extension of Colorado standards beyond Colorado borders creates a de facto national floor even without federal legislation.

    The National Association of Attorneys General noted directly that Colorado’s law “may impact the behavior of developers and deployers across state lines.”[3] That prediction is already proving accurate.

    The Realistic Path to Federal AI Regulation

    Two scenarios dominate the realistic near-term outlook for US federal AI regulation, and Colorado figures prominently in both.

    Scenario A: State proliferation forces federal action. As more states enact AI laws — Connecticut’s proposed law is closely modeled on Colorado’s, and several other states have active bills — the compliance complexity for multistate businesses becomes untenable. The Chamber of Commerce and major tech industry groups who lobbied against Colorado’s law have simultaneously been the loudest voices calling for a federal preemptive standard, precisely to avoid a 50-state compliance patchwork. If that argument gains political traction, federal legislation may emerge — but it would likely be modeled substantially on Colorado’s framework, since that’s now the established template. Companies that built Colorado-compliant programs will find the transition significantly easier.

    Scenario B: Federal preemption without replacement. The current administration’s preferred approach appears to be challenging state AI laws through the DOJ AI Litigation Task Force while not enacting comprehensive federal AI requirements. If federal preemption succeeds legally, state AI laws could be invalidated — but this requires years of litigation with uncertain outcomes, as noted in our companion guide on EU AI Act vs. US AI Policy. Companies building Colorado-compliant programs are not wasting resources either way: if preemption fails, they’re compliant; if preemption succeeds and is replaced by federal law, their governance infrastructure translates directly.

    Either way, Colorado’s law is not a compliance detour. It’s early positioning for wherever US AI governance lands.

    Frequently Asked Questions: Colorado AI Act

    When does the Colorado AI Act take effect?

    June 30, 2026. The original effective date was February 1, 2026, but Governor Polis signed SB 25B-004 on August 28, 2025, delaying implementation to June 30, 2026.[13] The 2026 regular legislative session is considering further amendments, but the June 30, 2026 deadline remains in force as of March 2026. Monitor leg.colorado.gov for any changes before the deadline.

    What is a “high-risk AI system” under the Colorado AI Act?

    Any AI system that makes or is a substantial factor in making a consequential decision about a Colorado consumer. A consequential decision is one with a material legal or similarly significant effect on whether a consumer receives education, employment, financial services, government services, healthcare, housing, insurance, or legal services — or on the cost or terms of those services.[4] The key test is decision impact on individual consumers — not simply whether the AI is used in one of the eight sectors.

    Does the Colorado AI Act apply to out-of-state companies?

    Yes. The Act applies to any person “doing business in Colorado” who develops or deploys high-risk AI affecting Colorado consumers, regardless of company headquarters. If your AI makes consequential decisions about Colorado residents, you are in scope — whether you’re based in New York, California, or Berlin. The territorial test is consumer-facing, not company-location-based.

    What is the penalty for violating the Colorado AI Act?

    Up to $20,000 per violation, counted separately for each affected consumer.[12] This per-consumer counting means aggregate penalties can be severe for AI systems affecting large numbers of Colorado consumers. Before enforcement, the AG must provide a notice and a 60-day cure period. There is no private right of action explicitly authorized — though the Consumer Protection Act framing creates legal ambiguity about this.

    What is the safe harbor under the Colorado AI Act?

    A rebuttable presumption of compliance for companies following NIST AI RMF or another designated framework. The safe harbor requires: (1) substantive compliance with the Act’s requirements; (2) alignment with a recognized risk management framework such as NIST AI RMF or ISO/IEC 42001; and (3) active measures to discover and correct violations, including through testing, feedback mechanisms, or internal review. The safe harbor makes NIST AI RMF alignment the strategic foundation of any Colorado AI Act compliance program.[4]

    What is an impact assessment under the Colorado AI Act?

    An annual assessment that deployers must complete for each high-risk AI system, covering the system’s purpose and deployment context, data used, discrimination risk evaluation, mitigation measures taken, consumer categories affected, and — per the failed amendment that signaled policy direction — whether the system poses risks of limiting accessibility for certain individuals. Assessments must be completed before first deployment and annually thereafter. Three years of records must be retained following the system’s final deployment.[10]

    📚 References and Sources

    1. Epstein Becker Green, “Colorado’s Historic SB 24-205 Concerning Consumer Protections in Interactions with AI Signed Into Law.” References Governor Polis signing statement expressing hope for amendments before effective date. workforcebulletin.com
    2. STACK Cybersecurity, “Colorado AI Act (SB 24-205) Compliance Guide,” January 30, 2026. Comprehensive developer/deployer obligations guide; cites ABA November 2025 finding that “nothing fundamental changed” despite special session lobbying. stackcyber.com
    3. National Association of Attorneys General, “A Deep Dive into Colorado’s Artificial Intelligence Act,” October 2024. Analysis of CAIA architecture and national implications. naag.org
    4. Colorado SB 24-205, “Consumer Protections for Artificial Intelligence” (formally: “An Act Concerning Consumer Protections for Interactions with Artificial Intelligence”), signed May 17, 2024; effective June 30, 2026. Colorado General Assembly. leg.colorado.gov | Full text: content.leg.colorado.gov
    5. Ogletree Deakins, “Colorado’s Artificial Intelligence Act: What Employers Need to Know,” May 2024. Analysis of developer/deployer distinction, affirmative defenses, and NIST AI RMF safe harbor. ogletree.com
    6. Glacis.io, “Colorado AI Act (SB 24-205) Compliance Guide,” December 2025. Notes secondary effective date of February 1, 2027 for certain deployer-specific provisions. glacis.io
    7. Pacific AI, “Colorado AI Act Compliance Guide for Developers and Deployers,” January 2026. Practical guidance including “decision-first” classification approach. pacific.ai
    8. Center for Democracy and Technology, “FAQ on Colorado’s Consumer Artificial Intelligence Act (SB 24-205),” December 2024. Critical analysis of exemptions and enforcement provisions. cdt.org | Also: coloradosb205.com, exemptions overview.
    9. TrustArc, “Complying With Colorado’s AI Law: Your SB24-205 Compliance Guide,” October 2025. Small business exemption analysis; impact assessment requirements. trustarc.com
    10. American Bar Association, “Colorado Enacts Law Regulating High-Risk Artificial Intelligence Systems,” July 2024. Comprehensive legal analysis; impact assessment record retention requirements (3 years). americanbar.org
    11. National Institute of Standards and Technology (NIST), “AI Risk Management Framework (AI RMF 1.0),” NIST AI 100-1, January 26, 2023. Primary framework supporting Colorado AI Act safe harbor. nist.gov
    12. ALM Corp, “The Colorado AI Act (SB 24-205): Complete Compliance Guide for Developers and Deployers,” February 3, 2026. Penalty analysis; 60-day cure period; AG enforcement authority. almcorp.com
    13. Akin Gump, “Colorado Postpones Implementation of Colorado AI Act, SB 24-205,” August 2025. Analysis of SB 25B-004 delay provisions. akingump.com | Also: GovTech, “Colorado Passes Bill Amending Current AI Legislation,” September 3, 2025. govtech.com
    14. Epstein Becker Green / Healthlaw Advisor, “Will Colorado’s Historic AI Law Go Live in 2026? Its Fate Hangs in the Balance in 2025.” Detailed analysis of failed SB 25-318 amendments and special session outcomes. healthlawadvisor.com

    All sources verified as of March 2026. Colorado AI Act is subject to ongoing 2026 legislative session amendment activity — monitor leg.colorado.gov for updates before the June 30, 2026 effective date. This article does not constitute legal advice. Consult qualified Colorado employment and consumer protection counsel for organization-specific compliance guidance.

    Also relevant for your Colorado AI Act compliance program:

    → EU AI Act vs. US AI Policy in 2026
    How Colorado’s Act compares to the EU AI Act — compliance dividend, key divergences, and dual-market strategy for multinational teams.

     



  • EU AI Act vs. US AI Policy: Key Differences Every Multinational Business Must Understand

    EU AI Act vs. US AI Policy: Key Differences Every Multinational Business Must Understand

    Here’s the conversation I keep seeing in boardrooms and compliance meetings in early 2026: “We’ve sorted out our EU AI Act compliance program. Are we done?”

    The short answer is no. Not if you operate in the United States too.

    The EU and US are running two completely different experiments in AI governance right now — different in philosophy, different in legal structure, different in enforcement mechanisms, and different in what they actually require from your compliance team. What satisfies Brussels won’t necessarily satisfy Denver, Sacramento, or Chicago. And what’s fine in Texas might get you a €15 million fine in Frankfurt.

    This isn’t just a legal technicality. For any business deploying AI across both markets, this divergence creates a real operational challenge: how do you build a compliance program that works for both without building two entirely separate programs?

    “The EU AI Act establishes a comprehensive, binding framework. The United States, by contrast, has no equivalent federal law. The result is a transatlantic compliance asymmetry that multinational businesses are only beginning to navigate.”

    — Baker Botts LLP, U.S. Artificial Intelligence Law Update, January 2026

    This guide breaks down that asymmetry in practical terms. I’ll cover the structural differences between the EU and US approaches, walk through the key state-level laws that matter in 2026, identify where the two frameworks genuinely overlap (there’s more than you’d think), explain where they fundamentally diverge, and give you a framework for building a dual-market compliance architecture.

    This article is part of our EU AI Act Compliance Guide cluster. If you haven’t yet classified your AI systems under the EU AI Act, start with our EU AI Act Classification Guide. For documentation requirements, see our Annex IV Documentation Guide.

    Let’s start with the most important thing to understand: the fundamental difference in what kind of regulation each jurisdiction has actually created.

    The Structural Difference: One Binding Law vs. a Patchwork

    Before comparing specific requirements, you need to understand the deeper structural difference between these two regulatory environments. It’s not just that the EU has stricter rules — it’s that the EU and US have fundamentally different conceptions of what AI governance should look like and who should be doing it.


    The EU Approach: Binding, Comprehensive, Centralized

    The EU AI Act[1] is a single, directly applicable regulation that applies uniformly across all 27 EU member states. When it says high-risk AI systems must have an Annex IV technical dossier, that requirement applies whether you’re deploying in Germany, Spain, or Estonia. When it sets a fine of up to €15 million for non-compliance, that figure is the same in every jurisdiction.

    This centralization has enormous practical value for multinational companies. One compliance program covers 450 million consumers across a single regulatory framework. The EU AI Act also has a well-defined scope, clear categorization logic, and — unlike US approaches — mandatory obligations that don’t require interpretation of case-by-case agency enforcement postures.

    The tradeoff is rigidity and specificity. The EU AI Act is a detailed technical regulation with concrete documentation requirements, conformity assessment procedures, and registration obligations. Complying with it is not cheap, not fast, and not optional if you’re serving EU markets.

    The US Approach: Fragmented, Innovation-First, State-Led

    The United States has no comprehensive federal AI law.[2] Full stop. What exists at the federal level in 2026 is a combination of executive orders (which guide federal agencies but don’t directly regulate private companies), enforcement actions by existing agencies applying pre-AI laws to AI use cases, and voluntary standards frameworks.

    On January 20, 2025, President Trump revoked Biden’s Executive Order 14110 on AI safety and replaced it with EO 14179, “Removing Barriers to American Leadership in Artificial Intelligence.”[3] The current administration’s posture is explicit: innovation-first, minimal regulation, deregulatory wherever possible.

    Into this federal vacuum, states moved aggressively. Colorado, California, Illinois, Texas, New York City, and a growing number of other jurisdictions have enacted or are enforcing AI-specific laws covering specific use cases, demographics, and sectors. The result, as the December 2025 federal executive order itself acknowledged, is a “patchwork of 50 different regulatory regimes”[4] — a compliance environment that is simultaneously less demanding than the EU AI Act and, in some respects, more operationally complex because of its fragmentation.

    The Federal Preemption Battle: What’s Actually Happening

    On December 11, 2025, President Trump signed an executive order titled “Ensuring a National Policy Framework for Artificial Intelligence,”[4] directing federal agencies to challenge state AI laws deemed inconsistent with the administration’s innovation-first policy. The order established an AI Litigation Task Force within the Department of Justice, directed the Secretary of Commerce to evaluate and publish a list of “onerous” state AI laws by March 11, 2026, and authorized conditioning federal grant funding on states’ compliance with federal AI policy.

    Here’s what this executive order does not do: it does not actually repeal or invalidate any state AI law. Executive orders cannot override state laws — that requires either an act of Congress or a successful court ruling on preemption grounds.[5]

    The practical implication is significant: all existing state AI laws remain enforceable today, and your company must continue to comply with them regardless of federal executive action. The Colorado AI Act delayed its own effective date from February 1, 2026 to June 30, 2026 through a separate state legislative process — not because of federal pressure.[6] Legal challenges to state AI laws will take years to resolve, and the outcome is far from certain.

    The Senate’s 99–1 vote to strip a proposed 10-year moratorium on state AI law enforcement from the “One Big Beautiful Bill” budget reconciliation package tells you something important about the political durability of state AI regulation.[7] For compliance planning purposes, assume state AI laws will continue to be enforceable for the foreseeable future.

    🕑 Key planning assumption for 2026

    The federal preemption effort is real but legally uncertain and slow-moving. Your 2026 compliance roadmap should assume that all currently effective and pending state AI laws remain enforceable. Monitor the DOJ AI Litigation Task Force actions and the Commerce Department evaluation (due March 11, 2026) as leading indicators — but don’t build your compliance program around federal preemption happening on any specific timeline.

    The US State-Level Landscape: What Actually Applies in 2026

    For a multinational business operating across US markets, the practical compliance question isn’t about federal policy — it’s about which state laws already apply and what they require. Here’s the landscape as of March 2026.


    Colorado AI Act (SB 24-205): The Closest US Equivalent to the EU AI Act

    Colorado’s AI Act is the most structurally significant state AI law in the US right now — not because it’s the most widely applicable, but because it’s the only US law that attempts something close to the EU AI Act’s comprehensive, risk-based governance framework.

    Signed into law on May 17, 2024 and now effective June 30, 2026 (delayed from February 1, 2026),[6] Colorado’s Act applies to businesses that develop or deploy “high-risk AI systems” affecting Colorado residents. The law’s primary objective is protecting consumers from algorithmic discrimination — unlawful differential treatment or disparate impact based on protected characteristics including race, color, age, disability, religion, sex, and veteran status.

    Under the Act, developers of high-risk AI systems must: use reasonable care to prevent known or foreseeable algorithmic discrimination risks; provide deployers with documentation necessary to conduct impact assessments; publish publicly available statements about their high-risk systems; and report discovered algorithmic discrimination to the Colorado Attorney General within 90 days.[8]

    Deployers must implement a risk management policy and program; complete annual impact assessments; notify consumers when a high-risk AI system makes a consequential decision about them; provide consumers the right to appeal adverse decisions via human review where technically feasible; and disclose discovered algorithmic discrimination to the Attorney General within 90 days.[8]

    Enforcement sits exclusively with the Colorado Attorney General — no private right of action. Maximum penalty: $20,000 per violation, counted separately for each affected consumer or transaction.[9] An AI system that discriminates against 100 consumers could therefore generate up to $2 million in penalties.

    Amendment activity is already underway. The 2026 Colorado regular legislative session has seen multiple bills introduced seeking to modify SB 24-205’s scope and requirements — a pattern common with first-generation AI laws as implementation realities emerge.[8b] Watch for potential narrowing of the “high-risk” definition, expansion of exemptions for specific sectors, and possible shifts in the developer/deployer responsibility balance.

    California: Multiple Targeted Laws, No Single Framework

    California has taken a markedly different approach from both Colorado and the EU: rather than a single comprehensive AI law, California has enacted multiple targeted statutes addressing specific AI use cases and sectors. As of early 2026, several California AI laws are in effect.

    California’s primary frontier AI law is SB 53 (signed September 29, 2025, effective January 1, 2026),[10c] which replaced the more ambitious (and vetoed) SB 1047. SB 53 requires developers of covered frontier AI models to implement safety and security protocols, publish plain-language summaries of their safety frameworks, and update them annually. It targets large-scale foundation model developers — not application-level deployers.

    California also enacted AB 2013, which requires developers of generative AI systems — specifically those capable of generating text, images, audio, or video — trained on data containing personal information to publish documentation about the training data used.[10] This applies narrowly to generative AI, not all AI systems. Additionally, SB 942 (California AI Transparency Act) requires AI systems with more than one million monthly users to provide AI detection tools, and several separate laws address AI specifically in employment decisions. These laws have different scope definitions, covered entities, and compliance requirements — multiplying the compliance burden for California-facing businesses.

    Illinois, Texas, and Other Key State Laws

    Several other states have enacted targeted AI laws relevant to specific sectors in 2026.

    Illinois amended its Human Rights Act (HB 3773, effective January 1, 2026) to prohibit employer use of AI that discriminates against protected classes.[10] This applies to any employer using AI in hiring, promotion, or termination decisions affecting Illinois residents. Unlike Colorado’s law, Illinois’ amendment doesn’t require specific documentation or impact assessments — it prohibits discriminatory outcomes and creates civil rights liability for AI-driven discrimination.

    Texas enacted the Texas Responsible Artificial Intelligence Governance Act (TRAIGA, HB 149), signed by Governor Greg Abbott on June 22, 2025 and effective January 1, 2026.[10b] TRAIGA is notably the most business-friendly of the major state AI laws — significantly scaled back from an original draft modeled on the EU AI Act and Colorado’s Act. The final law focuses primarily on prohibiting specific harmful practices (social scoring, intentional discrimination, behavioral manipulation) using an intent-based liability standard rather than imposing affirmative documentation or impact assessment obligations on private companies. Private sector obligations are limited: companies must not intentionally develop or deploy AI for prohibited purposes, and benefit from safe harbor protection if they follow a recognized risk management framework such as NIST AI RMF. Government agencies face stronger disclosure and oversight requirements under the law.

    New York City Local Law 144, which has been in effect since July 2023, requires employers and employment agencies using automated employment decision tools to conduct annual bias audits and notify candidates when such tools are used.[11] This is one of the more mature AI laws in the US, and its enforcement has provided useful precedent for how AI-specific regulations function in practice.

    Federal Laws That Do Apply to AI (Even Without a Federal AI Act)

    The absence of a federal AI-specific law doesn’t mean the federal government has no role in AI governance. Several existing federal laws are actively being applied to AI systems by their respective enforcement agencies.

    The FTC Act (Section 5) prohibits unfair or deceptive acts and practices — the FTC has applied this to AI systems that generate false or misleading outputs and to discriminatory AI in consumer-facing contexts. The Equal Employment Opportunity laws (Title VII, ADA, ADEA) apply to AI-driven hiring and employment decisions — the EEOC has issued guidance making clear that AI tools used in employment are subject to existing anti-discrimination law regardless of whether a human makes the final decision. The Fair Housing Act and Equal Credit Opportunity Act apply to AI used in housing and credit decisions. HIPAA applies to AI systems processing protected health information.[12]

    This means that even for businesses operating only in US markets where no state AI law applies, AI-driven decisions in regulated domains carry federal enforcement risk under existing law. The compliance question is not simply “is there a state AI law here?” but also “does this AI application touch a regulated domain where existing federal law applies?”

    EU AI Act vs. US AI Regulation: Side-by-Side Comparison

    Let’s put the frameworks directly next to each other. Given the fragmentation on the US side, I’ve structured the comparison in stages: first the EU AI Act vs. the overall US landscape, then the EU AI Act vs. Colorado’s Act specifically (as the most directly comparable US law).


    Master Comparison Table: 12 Key Dimensions

    Dimension | EU AI Act | US Federal Level | Key US State (Colorado)
    Legal type | Binding regulation — directly enforceable law | No comprehensive federal AI law; EOs guide agencies only | Binding state statute
    Geographic scope | All 27 EU member states — 450M+ consumers | Nationwide (where applicable law applies) | Colorado residents only
    Extraterritorial reach | Yes — applies to non-EU companies serving EU users | Varies by agency/law | Applies to businesses “doing business in Colorado”
    Core framework | Risk-based tiers: prohibited / high-risk / limited / minimal | Sector-specific agency enforcement under existing law | Risk-based: high-risk AI in consequential decisions
    Prohibited AI | Yes — 8 specific prohibited practices (Article 5) | No explicit prohibited AI categories | No explicit prohibited AI categories
    Documentation required | Extensive — Annex IV technical dossier, IFU, logs, DoC | No mandatory documentation framework | Impact assessments, risk management documentation, developer disclosures
    Bias/discrimination focus | Part of data governance and performance requirements | Existing civil rights law applied to AI outcomes | Primary focus — “reasonable care” standard for algorithmic discrimination
    Human oversight | Mandatory for all high-risk AI — Article 14 | Not mandated by federal law; encouraged in voluntary frameworks | Consumer right to appeal adverse decisions via human review (where technically feasible)
    Maximum financial penalty | €35M or 7% global turnover (prohibited AI); €15M or 3% (high-risk non-compliance) | Varies — FTC can seek significant penalties under Section 5 | $20,000 per violation / per affected consumer
    Private right of action | No direct private right; AI Liability Directive under development | Yes, under civil rights laws (Title VII, FHA, ECOA) | No — enforcement exclusively by Colorado AG
    Conformity assessment | Required before market placement for high-risk AI | Not required | Annual impact assessments required for deployers
    GPAI/foundation model rules | Yes — specific GPAI category with systemic risk obligations | Voluntary — NIST AI RMF, OSTP guidance only | No specific foundation model rules

    The 12-dimension table above shows the landscape at the macro level. But for practical compliance planning, the most important comparison isn’t EU AI Act vs. “US” (which doesn’t exist as a unified thing) — it’s EU AI Act vs. the specific US law most similar in structure and ambition. That’s Colorado’s AI Act. Here’s where those two frameworks are closest, and where they diverge most sharply.

    EU AI Act vs. Colorado AI Act: Detailed Comparison

    Colorado’s AI Act is the best US comparator to the EU AI Act, and examining their differences shows exactly where a multinational compliance program needs to do different things for each market.

    | Element | EU AI Act | Colorado AI Act (SB 24-205) |
    |---|---|---|
    | Modeled on | Risk-based governance framework; GDPR precedent | Partly modeled on EU AI Act, but narrower scope |
    | Primary objective | Safety, transparency, and accountability across all high-risk AI | Preventing algorithmic discrimination in consequential decisions |
    | High-risk definition | 8 specific Annex III sectors + Annex I regulated products | AI systems used in “consequential decisions” (employment, housing, healthcare, education, credit, insurance) |
    | Developer obligations | Annex IV technical dossier, IFU, conformity assessment, registration | Reasonable care, documentation to deployers, public statements, 90-day discrimination reporting |
    | Deployer obligations | Deploy within intended purpose, human oversight, logs, monitoring | Risk management policy, annual impact assessment, consumer notification, appeal rights |
    | Bias testing required | Yes — performance disaggregated by demographic in Annex IV | Yes — algorithmic discrimination assessment required |
    | Consumer rights | Right to explanation, human oversight; AI Liability Directive pending | Right to notice, right to appeal adverse decisions via human review |
    | Conformity assessment | Formal — self-assessment or notified body, CE marking | Annual impact assessment — not a formal conformity assessment |
    | Maximum penalty | €35M / 7% turnover (prohibited); €15M / 3% (high-risk non-compliance) | $20,000 per violation / per consumer (no cap) |
    | Private lawsuits | No direct private right under the Act | No private right of action — AG enforcement only |
    | Safe harbor | No explicit safe harbor; conformity assessment creates rebuttable presumption | Rebuttable presumption of compliance if using a recognized risk management framework (e.g., NIST AI RMF) |
    | Effective for US companies | Applies to any US company with EU-facing AI systems | Applies to businesses “doing business in Colorado” with Colorado residents |

    Where the Frameworks Overlap: The Compliance Dividend

    Here’s the good news for multinational compliance teams: investing in EU AI Act compliance doesn’t just cover Europe. A meaningful proportion of that work directly satisfies or substantially advances US compliance obligations too.

    The “compliance dividend” defined: The compliance dividend is the measurable return on your EU AI Act investment that appears in your US compliance posture — the work you’ve already done for EU requirements that simultaneously satisfies or substantially advances US state law and federal agency obligations, without additional investment. For most multinational companies deploying AI in both markets, this dividend covers 50–70% of the substantive compliance work needed for US requirements.

    Six Areas Where EU Compliance Helps You in the US

    1. Bias and algorithmic discrimination testing. The EU AI Act’s requirement for disaggregated performance metrics across demographic subgroups in Annex IV (Section 4) directly addresses what Colorado’s Act calls “reasonable care to prevent algorithmic discrimination.” If you’ve done the demographic performance analysis required for EU compliance, you have the substance of what Colorado needs — though Colorado’s impact assessment format requires specific documentation structures that differ from Annex IV.

    2. Risk management systems. The EU AI Act’s Article 9 risk management system, documented in Annex IV Section 5, covers substantially the same ground as Colorado’s required risk management policy and program. Companies complying with Article 9 are well-positioned to satisfy Colorado’s risk management obligations with relatively minor adaptations.

    3. Human oversight design. EU AI Act Article 14 requires technical features enabling human oversight, intervention, and override. Colorado’s Act requires deployers to provide consumers the right to appeal adverse decisions via human review where technically feasible. Designing your AI workflows to satisfy Article 14 creates the technical foundation for satisfying Colorado’s human review obligation as well.

    4. Documentation culture and litigation defense. The disciplined documentation culture required by Annex IV — version control, living documentation, update triggers, bias assessment records — is exactly what US state laws, federal agency enforcement actions, and civil litigation all benefit from. But the value is even more specific than that.

    If you face an FTC enforcement inquiry about AI-driven deception, your Annex IV technical dossier demonstrates you had a documented risk management system and conducted genuine bias testing. If you face an employment discrimination class action over an AI-driven hiring tool, your documented demographic performance disaggregation and human oversight records are your primary defense. If you face a Colorado AG investigation, your impact assessment draws directly from your Annex IV data governance and performance sections. In US enforcement contexts — regulatory and litigation alike — documentation that was built proactively for EU compliance carries significantly more credibility than documentation assembled reactively after an issue surfaces.

    5. Transparency and disclosure capabilities. EU AI Act requirements for Instructions for Use and consumer-facing transparency create the technical and process infrastructure for meeting various state-level disclosure requirements — California’s SB 53 transparency obligations, Colorado’s consumer notification requirements, and New York City’s bias audit disclosure rules.

    6. Incident monitoring and 90-day reporting infrastructure. The post-market monitoring plan required under EU AI Act Article 72 creates an incident detection and reporting system that directly supports US reporting obligations. This is more than a documentation exercise — it requires building actual monitoring infrastructure: data flows from deployer environments, performance threshold alerts, incident intake processes, and escalation paths.

    That same infrastructure supports Colorado’s 90-day algorithmic discrimination reporting obligation, which requires you to report to the Attorney General within 90 days of discovering discriminatory AI behavior. It also positions you for the FTC’s increasing expectation that AI companies have internal incident response programs. Companies without this infrastructure — which many smaller US companies currently lack — face a real vulnerability when AI incidents occur. EU AI Act compliance requirements essentially force you to build it.

    NIST AI RMF: The Bridge Between Both Markets

    The NIST AI Risk Management Framework (AI RMF 1.0, January 2023)[13] is the closest thing the US has to a unified AI governance standard — and it serves as an important bridge between EU and US compliance programs.

    Why does this matter? Colorado’s AI Act includes a specific safe harbor provision: a rebuttable presumption of compliance exists for developers and deployers that are in compliance with a nationally or internationally recognized risk management framework designated by the Act or the Attorney General.[8] NIST AI RMF is widely expected to qualify as such a framework. Building your compliance program around NIST AI RMF therefore creates potential safe harbor protection under Colorado law.

    Additionally, NIST AI RMF aligns meaningfully with EU AI Act requirements. Both emphasize risk identification and mitigation throughout the AI lifecycle, transparency and documentation, governance structures with clear accountability, and performance monitoring. Companies that align their compliance programs with NIST AI RMF create a foundation that maps well to both EU AI Act Annex IV requirements and US state law compliance.

    💡 Compliance Strategy Insight

    Build your core AI governance program around NIST AI RMF, then layer EU AI Act-specific requirements (Annex IV documentation, conformity assessment, CE marking, database registration) on top for EU-facing systems, and Colorado/California/Illinois-specific requirements on top for US-facing systems. This avoids building three separate programs and maximizes the compliance dividend from each investment.

    Where the Frameworks Diverge: The Compliance Gaps You Must Close

    The compliance dividend is real — but so are the gaps. There are four areas where EU AI Act compliance genuinely does not transfer to US compliance requirements, and where US obligations create entirely different — sometimes more operationally complex — compliance challenges.

    Prohibited AI: No US Equivalent to Article 5

    The EU AI Act bans eight specific categories of AI practices outright under Article 5[1] — including real-time biometric surveillance in public spaces, social scoring by public authorities, and AI exploiting psychological vulnerabilities. These prohibitions apply regardless of how beneficial or commercially valuable the AI might be in other contexts.

    The US has no equivalent federal prohibition list. Real-time facial recognition in public spaces, for instance, is not federally prohibited in the US, though a small number of cities (San Francisco, Boston) have banned its use by government entities. Social scoring systems face no federal prohibition. AI that uses psychological profiling for commercial targeting operates in a regulatory space governed by existing consumer protection law — which prohibits deceptive practices but doesn’t categorically ban entire AI modalities.

    This divergence creates a specific compliance planning requirement: if you’ve built AI capabilities that comply with US law but would violate EU AI Act Article 5 prohibitions, you need separate product versions or deployment restrictions for EU markets. This is not simply a policy difference — it’s a binary legal line that separates what you can and cannot deploy in the EU, regardless of US acceptability.

    Documentation: Annex IV Has No US Counterpart

    The EU AI Act’s Annex IV technical dossier requirement — 10 structured sections, 10-year retention, formal Declaration of Conformity, EU database registration — has no direct equivalent in any US law or regulation currently in force. What US law does require for specific sectors is different in both structure and purpose.

    Colorado requires impact assessments and risk management documentation, but the format, depth, and legal function of those documents differ significantly from Annex IV. California requires training data documentation under AB 2013, but only for generative AI systems with a narrower scope. Federal agency enforcement actions can require document production in litigation, but there’s no proactive mandatory dossier requirement.

    The practical implication: EU AI Act documentation obligations create a documentation burden that has no US analog. Conversely, US compliance in some sectors requires documentation types — particularly employment discrimination audit records, fair lending analysis documentation, and HIPAA-related AI records — that don’t directly map to Annex IV structure.

    A dual-market documentation program therefore needs to maintain both the Annex IV dossier for EU compliance and a separate set of sector-specific documentation records for US regulatory and litigation purposes. These can be linked and cross-referenced, but they can’t simply substitute for each other.

    Enforcement: Hard Law vs. Soft Pressure and Civil Litigation

    EU AI Act enforcement is administrative — national competent authorities investigate, issue findings, and impose fines within a defined regulatory framework. The penalties are large, the framework is clear, and the enforcement process is structured.

    US AI enforcement in 2026 operates through three very different mechanisms, each with distinct dynamics. First, state attorney general enforcement under state AI laws (Colorado, California) — structured but limited in penalty scale. Second, federal agency enforcement under existing law (FTC, EEOC, CFPB, HHS) — more powerful but subject to enforcement priority shifts with changing administrations. Third, and often most impactful for US companies, private civil litigation under employment discrimination laws, fair housing laws, and consumer protection statutes — where private plaintiffs can sue directly and class actions can create massive exposure.

    The implication for compliance strategy is different for each enforcement mechanism. EU AI Act compliance primarily protects against regulatory fines from defined authorities. US compliance must simultaneously manage regulatory risk, agency enforcement risk, and private litigation risk — three overlapping but distinct threat profiles that require different mitigation approaches.

    GPAI and Foundation Models: No US Equivalent

    The EU AI Act’s General Purpose AI (GPAI) category[1] — with its specific documentation, copyright compliance, and systemic risk assessment obligations for large foundation models — has no direct US equivalent. US federal policy on foundation models in 2026 is limited to voluntary guidelines. No state AI law specifically addresses GPAI model developers in the same way.

    For companies developing or deploying large language models and other foundation models, GPAI compliance is an entirely EU-specific obligation that creates no offsetting compliance benefit in the US market. The red-teaming, incident reporting, and energy consumption reporting required for systemic-risk GPAI models under the EU AI Act are EU-only requirements.

    Where the Compliance Burden Falls: Provider vs. Deployer

    This is the divergence that most directly affects how you structure your compliance organization — and it’s the one that gets least attention in comparison articles.

    Under the EU AI Act, the heaviest compliance obligations rest with providers — the organizations that develop, train, or place AI systems on the EU market. The Annex IV technical dossier, conformity assessment, CE marking, EU database registration, Instructions for Use — all of these are primary provider obligations. Deployers carry lighter obligations: use the system within its intended purpose, maintain human oversight, keep logs, monitor for issues. The compliance budget and the compliance program leadership therefore sit primarily with AI product teams and the organizations building the AI.

    US state law flips this balance in important ways. Colorado’s Act places deployer obligations at its center — annual impact assessments, consumer notifications, appeal rights, 90-day discrimination reporting — rather than developer obligations. Many US businesses that are purely deployers of third-party AI (using Salesforce AI, Microsoft Copilot, or other vendor-built systems in their operations) find that US law creates significant obligations for them even when they didn’t build the AI. Illinois’ Human Rights Act amendment imposes employer liability for discriminatory AI outcomes regardless of whether the employer or a third-party vendor built the tool.

    This structural difference has real organizational implications. Your EU AI Act compliance lead might sit in the product or engineering organization because the heaviest obligations are on the builder side. Your US compliance lead might need to sit in HR, legal, or operations because the heaviest obligations are on the deployer/employer side. Building a compliance program that treats both markets through a single organizational lens can create ownership gaps in one or both jurisdictions.

    Building a Dual-Market AI Compliance Strategy

    The question I hear most often from multinational compliance teams is some version of: “Can we build one compliance program that covers both, or do we need two separate programs?” The honest answer: neither, exactly. You need one program architecture with two implementation layers.


    Start with the EU AI Act as Your Baseline

    If your AI systems touch both EU and US markets, start by building your compliance program to satisfy EU AI Act requirements. Here’s why this is the right direction even for US-headquartered companies: EU requirements are more comprehensive, more prescriptive, and more demanding than anything currently required in the US. Building to EU standards gives you a compliance program with documented risk management, bias testing, technical documentation, and governance infrastructure that substantially exceeds what US law requires. You won’t need to rebuild it when US requirements evolve — and they will evolve.

    This is a strategic posture that pays dividends over time. State AI laws in California, Colorado, and elsewhere are clearly trending toward more comprehensive requirements. Federal law, if it ever materializes in a Biden-style framework, will likely look more like the EU than the current executive order approach. Building to EU standards today means you’re ahead of the curve for US regulation, not just compliant with it.

    Layer US-Specific Requirements on Top

    Once your EU AI Act baseline program is established, add the US-specific requirements that aren’t covered by EU compliance. There are five main additions for most multinationals.

    Impact assessments for Colorado and California. Colorado’s annual impact assessment requirement for deployers has a specific structure and disclosure format that differs from Annex IV documentation. Create a templated impact assessment process that meets Colorado’s requirements and can be adapted for California’s specific laws — but link it to your Annex IV documentation to avoid duplication of effort.

    Consumer notification workflows. Colorado requires specific consumer notifications when high-risk AI makes a consequential decision, with explicit language about the AI’s role and appeal rights. California has similar but distinct disclosure requirements. Build consumer notification workflows that satisfy both states’ specific language and timing requirements, layered on top of your EU-standard transparency infrastructure.

    Civil rights compliance documentation. US civil rights law (Title VII, ADA, FHA, ECOA) creates litigation exposure that EU AI Act compliance doesn’t address. Maintain adverse impact analyses and disparate impact testing documentation specifically formatted for employment and lending compliance — these differ from Annex IV bias documentation in legally important ways.

    Attorney General disclosure readiness. Both Colorado and California require disclosure to state AGs within 90 days of discovering algorithmic discrimination. Build an internal escalation process that automatically triggers AG disclosure preparation when your monitoring systems identify potential algorithmic discrimination — connecting your EU AI Act monitoring infrastructure to your US disclosure obligations.

    Private litigation defense records. Unlike the EU, the US creates significant private litigation exposure for AI-driven discrimination. Maintain litigation-ready documentation of your bias testing methodology, results, and remediation actions — separately from your Annex IV technical documentation, structured for US discovery rules and admissibility standards.
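    The bias-testing, monitoring and escalation work described above (the disaggregated performance metrics of area 1, the threshold alerts and escalation paths of area 6, and the civil rights documentation and Attorney General disclosure readiness additions) reduces to a small, repeatable check. The following is an added example, not code from the original article or from any vendor's product. It assumes a decision log of (subgroup, model decision, ground-truth label) records, screens selection rates with the four-fifths rule from the EEOC Uniform Guidelines (a ratio below 0.8 flags a subgroup; the threshold is an assumption, not a legal determination), and computes the 90-day disclosure deadline from an assumed discovery date. The sample decision log is constructed.

```python
"""Disaggregated outcome monitoring for a high-risk AI decision system.

Added example; not code from the article or any project it discusses.
Assumptions (also stated in the lead-in):
  - A decision log of (group, selected, qualified) records exists per system.
  - Adverse impact is screened with the four-fifths rule: a subgroup whose
    selection rate is below 0.8x the highest subgroup's rate is flagged.
  - The 90-day disclosure window starts on the discovery date.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

ADVERSE_IMPACT_THRESHOLD = 0.8  # four-fifths rule; assumed screening threshold
DISCLOSURE_WINDOW_DAYS = 90      # reporting window discussed in the article


@dataclass(frozen=True)
class Decision:
    group: str       # demographic subgroup label (constructed)
    selected: bool   # the model's decision, e.g. shortlisted for interview
    qualified: bool  # ground-truth label used for performance metrics


def group_metrics(decisions):
    """Per-subgroup selection rate, true-positive rate and false-positive rate."""
    counts = defaultdict(lambda: {"n": 0, "sel": 0, "tp": 0, "fn": 0, "fp": 0, "tn": 0})
    for d in decisions:
        c = counts[d.group]
        c["n"] += 1
        c["sel"] += int(d.selected)
        if d.qualified:
            c["tp" if d.selected else "fn"] += 1
        else:
            c["fp" if d.selected else "tn"] += 1
    metrics = {}
    for g, c in counts.items():
        pos, neg = c["tp"] + c["fn"], c["fp"] + c["tn"]
        metrics[g] = {
            "n": c["n"],
            "selection_rate": c["sel"] / c["n"],
            "tpr": c["tp"] / pos if pos else None,  # None when no positives seen
            "fpr": c["fp"] / neg if neg else None,  # None when no negatives seen
        }
    return metrics


def adverse_impact_ratios(metrics):
    """Each subgroup's selection rate divided by the highest subgroup's rate."""
    if not metrics:
        return {}
    best = max(m["selection_rate"] for m in metrics.values())
    return {g: (m["selection_rate"] / best if best else 1.0) for g, m in metrics.items()}


def flagged_groups(ratios, threshold=ADVERSE_IMPACT_THRESHOLD):
    """Subgroups whose ratio falls below the screening threshold, sorted."""
    return sorted(g for g, r in ratios.items() if r < threshold)


def escalation_record(system_id, flagged, discovered_on):
    """Escalation ticket feeding AG disclosure preparation; None if nothing flagged."""
    if not flagged:
        return None
    deadline = discovered_on + timedelta(days=DISCLOSURE_WINDOW_DAYS)
    return {
        "system_id": system_id,
        "flagged_groups": flagged,
        "discovered_on": discovered_on.isoformat(),
        "disclosure_deadline": deadline.isoformat(),
    }


# Constructed sample decision log (not real data): two subgroups of 100 each.
SAMPLE_DECISIONS = (
    [Decision("A", True, True)] * 40 + [Decision("A", False, True)] * 10
    + [Decision("A", True, False)] * 10 + [Decision("A", False, False)] * 40
    + [Decision("B", True, True)] * 25 + [Decision("B", False, True)] * 25
    + [Decision("B", True, False)] * 5 + [Decision("B", False, False)] * 45
)


def run_check(system_id="hr-screening-v3", decisions=SAMPLE_DECISIONS,
              discovered_on=date(2026, 7, 1)):
    """Full cycle: disaggregate, compute ratios, flag, and open an escalation."""
    metrics = group_metrics(decisions)
    ratios = adverse_impact_ratios(metrics)
    return metrics, ratios, escalation_record(system_id, flagged_groups(ratios), discovered_on)


if __name__ == "__main__":
    m, r, rec = run_check()
    for g in sorted(m):
        print(g, m[g], "ratio=%.2f" % r[g])
    print("escalation:", rec)
```

    On the constructed log, subgroup B is selected at 0.30 against 0.50 for A (ratio 0.60), so the check flags B and opens a record whose disclosure deadline is 90 days after discovery. The same per-subgroup table is what the Annex IV performance section, a Colorado impact assessment and a litigation-ready adverse impact file all draw from; only the reporting format around it changes.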

    The State Law Tracker Your Team Needs

    The US state AI law landscape is changing faster than any compliance team can track manually. As of March 2026, the following states have active AI laws or upcoming effective dates that multinational companies should monitor:

    | State / Jurisdiction | Law / Requirement | Effective Date | Primary Focus | Key Compliance Action |
    |---|---|---|---|---|
    | Colorado | SB 24-205 (Colorado AI Act) | June 30, 2026 | Algorithmic discrimination in consequential decisions | Impact assessments, risk management policy, consumer notification, 90-day AG disclosure |
    | California | SB 53 (frontier AI) + AB 2013 (generative AI data) + SB 942 (AI transparency) + employment AI laws | January 1, 2026 (various) | Frontier model safety protocols; generative AI training data disclosure; AI detection tools | Safety and security protocols for frontier model developers; training data documentation for generative AI; AI detection tools for large-scale systems |
    | Illinois | HB 3773 (Human Rights Act amendment) | January 1, 2026 | AI discrimination in employment | Audit employment AI for disparate impact; no specific documentation format required |
    | Texas | TRAIGA (HB 149) — Texas Responsible AI Governance Act | January 1, 2026 | Prohibited AI practices (intent-based); government agency AI transparency | Assess whether AI systems could be used for prohibited purposes; minimal private sector affirmative obligations; safe harbor via NIST AI RMF alignment |
    | New York City | Local Law 144 | July 5, 2023 (in force) | Automated employment decision tools | Annual independent bias audits; candidate notification; public summary |
    | Federal (FTC) | FTC Act Section 5 + policy statement expected March 11, 2026 | Ongoing + March 2026 | Deceptive/unfair AI practices | Monitor FTC policy statement on AI; ensure outputs aren’t deceptive |

    Assign someone on your compliance team to monitor two specific developments in the near term: the Commerce Department evaluation of state AI laws (due March 11, 2026) and the FTC policy statement on AI (also due March 11, 2026). Both will clarify the federal-state dynamic and potentially shift compliance priorities.

    Case Study: One Company’s Dual-Market Compliance Approach

    Case Study: B2B HR Technology Platform — Dual-Market Compliance Architecture

    Illustrative scenario based on common compliance patterns

    A B2B HR technology platform serving enterprise clients in both Europe and the United States — with CV screening and performance evaluation AI deployed across both markets — faced the dual compliance problem in late 2025. Their EU clients were asking for EU AI Act compliance documentation. Their Colorado-based clients were asking about Colorado AI Act readiness. And their California clients were asking about SB 53 and AB 2013.

    Their solution was a three-layer compliance architecture. First, they built their core AI governance program around NIST AI RMF, which gave them a documented risk management foundation recognized in both markets. Second, they prepared a full Annex IV technical dossier for their EU-facing systems — covering all 10 required sections, with particular depth on Section 4 (disaggregated performance metrics by demographic group) that also directly addressed Colorado’s algorithmic discrimination requirements. Third, they prepared a Colorado-specific impact assessment template and consumer notification workflow that drew from their Annex IV bias documentation but formatted it per Colorado’s statutory requirements.

    The outcome: Their single bias testing methodology satisfied EU Annex IV requirements, Colorado’s reasonable care standard, NYC Local Law 144’s independent bias audit requirement, and Illinois’ anti-discrimination requirements — four different legal frameworks from one testing process. The documentation formats differed, but the underlying work was done once. Their compliance counsel estimated this saved approximately 60% of the cost compared to building separate programs for each jurisdiction.

    Frequently Asked Questions: EU AI Act vs. US AI Regulation

    These come up in almost every dual-market compliance discussion I’m part of. I’ve answered each as directly as the genuinely complex situation allows.

    Does the EU AI Act apply to US companies?

    Yes — and this is one of the most common compliance misconceptions I see. The EU AI Act applies to any company, regardless of its country of incorporation, if its AI systems are placed on the EU market or used by individuals in EU member states.[1] This follows the same extraterritorial logic as GDPR. If you have European customers whose lives are affected by your AI systems — even if your company is headquartered in San Francisco and your servers are in Virginia — you are in scope.

    The implication is that “we’re a US company” is not a compliance defense under the EU AI Act. Your EU market exposure determines your EU AI Act obligations, not your corporate address.

    Is there a US equivalent of the EU AI Act?

    No — and the gap is significant. As of March 2026, the United States has no comprehensive federal AI law equivalent to the EU AI Act.[2] Colorado’s AI Act (SB 24-205) is the closest approximation at state level — risk-based, covers both developers and deployers, targets high-risk AI in consequential decisions — but it applies only to Colorado residents and focuses narrowly on algorithmic discrimination rather than the EU AI Act’s broader safety and governance framework.

    The Senate’s 99–1 vote against a proposed 10-year moratorium on state AI laws suggests that state-level regulation will continue to fill this federal void. Don’t expect a comprehensive federal AI law in the near term — plan your compliance architecture around the current patchwork reality.

    What is the biggest compliance difference between the EU AI Act and US AI regulation?

    Legal structure — the difference between binding law and advisory guidance. The EU AI Act is a directly applicable regulation with mandatory requirements, defined penalties, and a centralized enforcement structure covering 27 countries. US AI governance at the federal level consists primarily of executive orders (which don’t directly regulate private companies), voluntary frameworks, and existing agency enforcement under pre-AI laws.

    This means EU compliance is a defined target you can build a program toward. US “compliance” at the federal level is more about managing relationships with enforcement agencies, anticipating enforcement priorities, and maintaining documentation that supports litigation defense — a meaningfully different compliance posture.

    Do I need to comply with both the EU AI Act and US state AI laws?

    Potentially yes, and they run in parallel. If your AI system affects EU residents, EU AI Act compliance is required. If it affects Colorado residents in high-risk AI contexts, Colorado AI Act compliance is required. If it affects Illinois employees, Illinois Human Rights Act compliance is required. None of these obligations satisfies any of the others — they apply simultaneously based on the geographic location of the affected individuals, not your company’s location.

    The good news: there is meaningful substantive overlap, particularly between EU AI Act requirements and Colorado’s Act, that allows a single underlying compliance program to satisfy multiple frameworks with different documentation formats on top.

    How does the Colorado AI Act compare to the EU AI Act?

    Similar philosophy, narrower scope, lighter obligations, smaller penalties. Both use a risk-based approach targeting AI that makes consequential decisions about individuals. Both require developer and deployer obligations. Both focus heavily on bias prevention and transparency. The differences: Colorado focuses specifically on algorithmic discrimination (not a full safety framework), applies only to Colorado residents, doesn’t require formal conformity assessment or a technical dossier of EU depth, and carries maximum penalties of $20,000 per violation versus EU fines up to €35 million.[9]

    Colorado also provides a safe harbor for companies following recognized risk management frameworks like NIST AI RMF — the EU AI Act has no equivalent blanket safe harbor.

    Can the Trump administration’s executive orders eliminate state AI laws?

    Not directly and not immediately. Executive orders cannot override state laws — that requires an act of Congress or a successful court ruling on preemption grounds. The December 2025 executive order establishes mechanisms to challenge state laws (the DOJ AI Litigation Task Force) and conditions on federal funding, but these must work through legal processes that will take years to resolve, with uncertain outcomes.[5]

    Until those legal challenges succeed — which is far from guaranteed — existing state AI laws remain fully enforceable. Companies must continue complying with all effective state AI requirements. Plan for the current patchwork reality, not the possible preempted future.

    Next Steps for Multinational Teams

    If You’re Just Starting Your Compliance Program

    Begin with a market mapping exercise. For each AI system you deploy, identify every jurisdiction where affected individuals are located — not where your company is headquartered, not where your servers are, but where the people your AI touches are. That map determines your compliance obligations.

    If you have EU-facing AI, EU AI Act compliance is your highest-priority obligation and your best starting point. Build your core AI governance program to EU standards, then assess what additional requirements apply in each US state where you operate. This sequencing maximizes the compliance dividend from each investment.

    If You Already Have EU AI Act Compliance Underway

    Audit your existing compliance work against the US state laws relevant to your business. Start with Colorado, California, and Illinois — the three states with the most comprehensive current AI requirements. For each state law that applies, identify what additional documentation, process, or disclosure work is needed beyond your EU compliance program. In most cases, this is incremental work on top of a solid foundation, not a new program from scratch.

    ✓ US Compliance Gap Analysis Checklist (for EU-compliant organizations)

    Run this against each US state where you deploy high-risk AI systems affecting residents:

    • Colorado (effective June 30, 2026): Are you a “developer” or “deployer” under SB 24-205? Does your system make “consequential decisions” for Colorado residents? → Annual impact assessment template prepared? Consumer notification workflow built? 90-day AG disclosure process documented?
    • California (effective January 1, 2026): Do you develop frontier AI models? → SB 53 safety protocol published? Do you develop generative AI trained on personal data? → AB 2013 training data documentation published? Does your AI system have 1M+ monthly users? → SB 942 AI detection tool available?
    • Illinois (effective January 1, 2026): Do you use AI in employment decisions affecting Illinois residents? → Adverse impact audit completed for employment AI? Civil rights documentation prepared?
    • Texas — TRAIGA (effective January 1, 2026): Does any AI system you deploy for Texas consumers fall within TRAIGA’s prohibited practices (intentional discrimination, social scoring, behavioral manipulation)? → Documented review completed?
    • New York City (in force since July 2023): Do you use automated employment decision tools affecting NYC candidates or employees? → Annual independent bias audit conducted? Candidate notification process in place?
    • Federal (all jurisdictions): Does any AI system touch employment, housing, credit, or healthcare? → EEOC, FTC, CFPB, or HHS enforcement risk assessed? Adverse impact documentation maintained in US litigation-ready format?
    • Organizational structure: Is your EU AI Act compliance lead (likely in product/engineering) coordinating with your US deployer compliance lead (likely in HR/legal/operations)? Are both programs formally connected?
    • State law monitoring: Is someone on your team assigned to track Colorado 2026 session amendments, DOJ AI Litigation Task Force actions, and FTC policy statement (due March 11, 2026)?

    Key Dates to Keep on Your Radar

    📅 Dual-Market Compliance Calendar — 2026

    • March 11, 2026: Commerce Dept evaluation of “onerous” state AI laws due (watch for impact on Colorado, California)[4]
    • March 11, 2026: FTC policy statement on AI and state law preemption due[4]
    • June 30, 2026: Colorado AI Act (SB 24-205) effective date[6]
    • August 2, 2026: EU AI Act Annex III high-risk compliance deadline (unless Digital Omnibus adopted)[1]
    • Ongoing 2026: Colorado 2026 legislative session may amend AI Act — monitor for changes to high-risk definition and deployer obligations
    • Ongoing 2026: Federal-state AI law preemption litigation developments — monitor DOJ AI Litigation Task Force actions
    • 2027: EU AI Act Annex III transition period ends for systems deployed before August 2026; EU AI Act Annex I deadline for regulated products[1]

    The transatlantic divergence in AI regulation is not going to resolve itself quickly. For the foreseeable future, multinational businesses deploying AI will need to maintain dual compliance architectures — one anchored in the EU’s binding, comprehensive framework and one navigating the US patchwork of state laws, agency enforcement, and litigation risk.

    The companies that handle this well aren’t building two programs. They’re building one governance foundation — ideally NIST AI RMF-aligned — and layering jurisdiction-specific requirements efficiently on top. The upfront investment is real. But the alternative — reactive compliance sprints as enforcement actions materialize — is significantly more expensive.

    For the complete EU AI Act compliance requirements, deadlines, and documentation program guidance, return to our EU AI Act Compliance Pillar Guide.

    Next in this cluster series: Colorado AI Act 2026: What It Means for US Companies and the Path to Federal AI Regulation — a deep dive into SB 24-205 compliance requirements and what Colorado’s law signals about where US federal regulation is heading.

    Two other topics directly connected to dual-market compliance: if your organization is concerned about unauthorized AI tool use creating unmonitored compliance exposure in both the EU and US markets simultaneously, see our Shadow AI compliance guide. And if your deployment falls within Article 27’s FRIA obligation or Colorado’s annual impact assessment requirement, our AI Impact Assessment guide covers both with a dual-market template design.

    📚 References and Sources

    1. EU AI Act — Regulation (EU) 2024/1689. Regulation of the European Parliament and of the Council on Artificial Intelligence. Official Journal of the European Union, L 2024/1689, 12 July 2024. eur-lex.europa.eu
    2. Baker Botts LLP, “U.S. Artificial Intelligence Law Update: Navigating the Evolving State and Federal Regulatory Landscape,” January 2026. bakerbotts.com
    3. Executive Order 14179, “Removing Barriers to American Leadership in Artificial Intelligence,” January 20, 2025. Revoked Executive Order 14110, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” (Biden, October 2023). whitehouse.gov
    4. Executive Order, “Ensuring a National Policy Framework for Artificial Intelligence,” December 11, 2025. Establishes AI Litigation Task Force; directs Commerce Dept evaluation of state AI laws (due March 11, 2026) and FTC policy statement (due March 11, 2026). whitehouse.gov
    5. Gunderson Dettmer, “2026 AI Laws Update: Key Regulations and Practical Guidance,” and Ropes & Gray, “Examining the Landscape and Limitations of the Federal Push to Override State AI Regulation,” March 2026. Both sources confirm EO cannot directly invalidate state laws. gunder.com | ropesgray.com
    6. Colorado SB 24-205 (“Consumer Protections for Artificial Intelligence”), signed May 17, 2024. Effective date delayed to June 30, 2026 via SB 25B-004, signed by Governor Polis August 28, 2025. leg.colorado.gov
    7. Pillsbury Winthrop, “New Executive Order Seeks to Ensure a National Policy Framework for Artificial Intelligence.” References Senate 99–1 vote against state AI law moratorium. pillsburylaw.com
    8. Colorado SB 24-205 — developer and deployer obligations, safe harbor provisions. Colorado General Assembly. leg.colorado.gov | Full text: content.leg.colorado.gov
    9. Colorado AI Act penalty structure — $20,000 per violation per consumer. ALM Corp, “The Colorado AI Act (SB 24-205): Complete Compliance Guide,” February 3, 2026; TrustArc, “Complying With Colorado’s AI Law.” almcorp.com
    10. King & Spalding, “New State AI Laws Are Effective on January 1, 2026, But a New Executive Order Signals Disruption.” References California SB 53, Texas TRAIGA, Illinois HB 3773 effective dates and requirements. kslaw.com
    11. Texas HB 149, Texas Responsible Artificial Intelligence Governance Act (TRAIGA), signed by Governor Greg Abbott June 22, 2025, effective January 1, 2026. Baker Botts, “Texas Enacts Responsible AI Governance Act: What Companies Need to Know,” July 2025; DLA Piper, “Texas Adopts the Responsible AI Governance Act,” June 2025; K&L Gates, “Pared Back Version of the Texas Responsible Artificial Intelligence Governance Act Signed Into Law,” June 2025. bakerbotts.com | dlapiper.com
    12. California SB 53, signed by Governor Newsom September 29, 2025, effective January 1, 2026. Establishes safety and security protocol obligations for covered frontier AI model developers. Swept AI, “State AI Regulations in 2026: Colorado, Texas, California, and What’s Coming,” March 2026. swept.ai
    13. Colorado 2026 legislative session — amendment activity. Swept AI, “State AI Regulations in 2026,” March 2026; ALM Corp, “Colorado AI Act (SB 24-205): Complete Compliance Guide,” February 2026. Multiple bills introduced in 2026 session seeking amendments to SB 24-205 scope and requirements. almcorp.com
    14. New York City Local Law 144 of 2021 — Automated Employment Decision Tools, effective July 5, 2023. Requires annual bias audits and candidate notification for automated employment decision tools. nyc.gov
    15. Drata, “Artificial Intelligence Regulations: State and Federal AI Laws 2026.” Overview of federal agency enforcement of AI under existing law (FTC, EEOC, CFPB, HHS). drata.com
    16. National Institute of Standards and Technology (NIST), “AI Risk Management Framework (AI RMF 1.0),” NIST AI 100-1, January 26, 2023. nist.gov

    Sources verified as of March 2026. The US AI policy and state law landscape is evolving rapidly — monitor primary sources for updates. This article does not constitute legal advice. Consult qualified legal counsel for jurisdiction-specific compliance guidance.
