Twenty-five days.
That is how long enterprises operating in Colorado or deploying AI systems that affect Colorado residents have before the first comprehensive US state AI law takes effect.
Colorado's Consumer Protections for Artificial Intelligence Act goes live on June 30, 2026. The law is not theoretical. It is not a pending signature. It is law, it has a compliance date, and that date is less than a month away.
The law requires developers and deployers of high-risk AI systems to protect Colorado residents from algorithmic discrimination across six domains: employment, education, financial services, healthcare, housing, and legal services. If you operate AI systems that make or inform consequential decisions in any of these domains for Colorado residents, the clock is running.
What the Colorado AI Act actually requires
The law distinguishes between two categories of obligation.
AI developers — companies that build high-risk AI systems must provide deployers with documentation about the system's design, data sources, known limitations, and intended uses. This is an AI transparency obligation: if you sell or license an AI system that is used to make consequential decisions about people, you must document what that system is, what it does, and what its limitations are.
AI deployers — companies that use high-risk AI systems to make decisions about Colorado residents must conduct impact assessments, provide notice to individuals when AI is used in consequential decisions, and offer mechanisms for individuals to appeal AI-influenced decisions. This is an AI accountability obligation: if you deploy AI in a context where it affects hiring, lending, health coverage, housing, or legal services, you must be able to explain, document, and allow challenge of those decisions.
The law applies to any organisation making decisions about Colorado residents using high-risk AI regardless of where the organisation is headquartered. A New York financial services firm using an AI credit scoring model that affects Colorado applicants is within scope. A California healthcare insurer using AI to inform coverage decisions for Colorado members is within scope.
The federal collision happening right now
Here is the complication that makes June 30 more uncertain than a straightforward compliance date would suggest.
The Great American AI Act dropped as a discussion draft on June 4, two days ago with a three-year state preemption provision. If this federal legislation passes, it would freeze Colorado's protections and potentially those of the dozen other states with AI legislation in various stages before they can be fully enforced.
This creates a compliance planning tension. The legal risk of not complying with a law that is scheduled to take effect in 25 days is real. The legal landscape that surrounds that law may look different in three to six months depending on how federal legislation progresses.
The appropriate response is not to wait for federal clarity before addressing Colorado compliance. It is to build governance infrastructure that satisfies Colorado's requirements because those requirements are grounded in the same principles that will underpin any federal framework that eventually emerges, regardless of which specific state law applies.
What enterprises need to do in the next 25 days
Identify your high-risk AI systems. The Colorado law's high-risk categories cover the domains where AI has the most consequential impact on individuals. If you use AI in hiring, credit decisioning, clinical decision support, housing applications, or legal proceedings and your system touches Colorado residents, it is likely within scope.
Conduct or update impact assessments. The law requires deployers to assess algorithmic discrimination risk. If you have not conducted an AI impact assessment for your high-risk AI systems, this is the immediate priority.
Establish notice and appeal mechanisms. Individuals affected by high-risk AI decisions must be notified and must have a meaningful mechanism to appeal. If this infrastructure does not exist, it needs to be designed and implemented.
Document your AI supply chain. If you are using AI systems built by a third party, you need the developer documentation the law requires them to provide. If your AI vendors have not proactively provided this, request it now.
Twenty-five days is not much time. But the compliance work it requires is also the governance work that makes AI programs sustainable, trustworthy, and ready for every subsequent regulatory requirement that follows Colorado's lead.
PalTech helps enterprises build the AI governance infrastructure impact assessments, algorithmic transparency documentation, appeal mechanisms, and compliance frameworks that meets Colorado's requirements and every regulatory framework that will follow it.
Top comments (0)