Skip to content
shadowiq
Regulation · Colorado AI Act (SB 24-205)

Colorado AI Act readiness. Built for the Feb 2026 effective date.

Colorado is first. Texas, California, Connecticut, and Illinois are close behind. ShadowIQ ships the risk management program, impact assessments, and consumer notices required under SB 205.

Get a Colorado AI Act readiness planPlatform overview
What this is

Summary

The Colorado AI Act (SB 24-205, effective February 1, 2026) requires developers and deployers of high-risk AI systems to implement a risk management program, complete algorithmic discrimination impact assessments, and provide consumer notices. ShadowIQ provides pre-mapped controls and cryptographic evidence.

How it fits · explainer

The crosswalk: article → control → signed evidence.

COLORADO AI ACT · ARTICLEREQUIREMENTSHADOWIQ CONTROLSIGNED EVIDENCE§6-1-1703Risk management policyPolicy-as-code + registrySigned policy records§6-1-1703(2)(b)Consumer noticeNotice workflow + delivery logSigned notice events§6-1-1703(3)Impact assessmentAuto-DPIA engineSigned impact assessment§6-1-1704Consumer rights / appealAppeal workflow + audit trailSigned appeal recordsCROSSWALK · 4 SHOWN · FULL MAP IN /DOCS/COMPLIANCE · SIGNED ED25519
Where it hurts

You've heard this one before.

  • Effective date moved up; legal doesn't have an operational plan.
  • Impact assessment requirement with no template.
  • Attorney General can investigate; you need audit-ready evidence.
  • No clarity on 'consequential decision' scope for your products.
What we do about it

Three moves.

  1. 1
    Risk management program, shipped.

    SB 205 §6-1-1703 aligned policies, procedures, and controls — pre-mapped to ShadowIQ evidence.

  2. 2
    Impact assessments on demand.

    Algorithmic discrimination impact template, DPIA-style, tied to live production data. Signed on approval.

  3. 3
    Consumer notice workflow.

    §6-1-1703(2)(b) consumer notice integrated into product UX with delivery log.

Outcomes

Numbers, not adjectives.

Feb 1, 2026
effective date
reasonable care
affirmative defense · evidenced
3
states incoming · shared evidence
Full crosswalk

Colorado AI Act article → ShadowIQ control → signed evidence.

Article
Requirement
ShadowIQ control
Signed evidence
§6-1-1703
Risk management policy
Policy-as-code + registry
Signed policy records
§6-1-1703(2)(b)
Consumer notice
Notice workflow + delivery log
Signed notice events
§6-1-1703(3)
Impact assessment
Auto-DPIA engine
Signed impact assessment
§6-1-1704
Consumer rights / appeal
Appeal workflow + audit trail
Signed appeal records
Frequently asked

Asked, answered, sourced.

An AI system that makes, or is a substantial factor in making, a consequential decision regarding education, employment, financial services, government services, healthcare, housing, insurance, or legal services.

The Colorado Attorney General. Violations are treated as deceptive trade practices under the Colorado Consumer Protection Act. There is a 60-day cure period before enforcement action.

Yes. Developers and deployers who comply with a nationally recognized AI risk management framework (e.g., NIST AI RMF) and the Act's specific duties get an affirmative defense. ShadowIQ evidence establishes this defense with cryptographic rigor.

Related

Keep going.

Regulation
NIST AI RMF
Regulation
NYC LL-144
Ready to see the signet in motion?

Your 30-minute demo. A signed audit trail by the end of it.

We'll wire ShadowIQ into one live workload, block a prompt injection in real time, and hand you a cryptographic receipt — before the meeting ends.

Schedule a 30-minute walkthroughReview pricing