What Businesses Need to Know: Colorado’s First-in-the-Nation AI Act Diverges From Federal Approach to Disparate Impact
Recently, Colorado lawmakers made headlines by delaying the implementation of the Colorado Artificial Intelligence Act (CAIA) until June 30, 2026, extending the timeline beyond its original start date of February 2026. This delay provides businesses with a crucial opportunity to prepare for the upcoming regulations, which mandate the establishment of governance programs and regular impact assessments for high-risk AI systems.
I. Understanding CAIA: Liability for Unintentional Discrimination
The CAIA imposes liability on both developers and deployers of AI systems that produce discriminatory outcomes, even when there is no intent to discriminate. It explicitly defines algorithmic discrimination to encompass disparate impacts resulting from AI usage in significant areas such as employment, housing, credit, education, health care, insurance, legal services, and essential government services.
The Role of Impact Assessments Under CAIA
Central to CAIA’s regulatory framework are the impact assessments that deployers of high-risk AI systems must conduct. These assessments are required to be completed before the system is first used, repeated at least annually, and conducted within 90 days after any substantial modifications. Each impact assessment must include:
- A description of the system’s purpose, intended use, and context of deployment;
- The categories of input data and the nature of the system’s outputs;
- An overview of the categories of data used for customization or retraining;
- The performance metrics used to evaluate accuracy and fairness, along with known limitations;
- An analysis of potential risks of algorithmic discrimination;
- The steps taken to mitigate those risks;
- Transparency and oversight measures, including consumer notifications about AI usage;
- Post-deployment monitoring procedures to identify operational issues.
These assessments must be documented and retained for at least three years, creating an ongoing obligation for companies to validate the fairness of their AI systems.
CAIA’s Safe Harbors and Enforcement
CAIA does provide some safe harbor protections for compliant businesses. Companies that maintain a risk management program and complete the required impact assessments will benefit from a rebuttable presumption of compliance. Additionally, an affirmative defense is available if a violation is discovered and remedied while adhering to a recognized risk framework. Enforcement authority resides with the Colorado Attorney General, who must be notified within 90 days of any discovered algorithmic discrimination.
II. Federal Approach: Liability for Intentional Discrimination Only
In contrast to CAIA, the federal government, under Executive Order 14281, limits liability for AI systems to cases of intentional discrimination. This directive has led federal agencies to abandon disparate impact analysis in rulemaking and enforcement, significantly reducing compliance burdens for businesses.
While this shift lowers the risk of liability under federal oversight, it does not eliminate all risk. Private plaintiffs can still pursue disparate impact claims under federal statutes such as the Title VII of the Civil Rights Act or the Fair Housing Act. Additionally, state-level enforcement, such as CAIA, remains unaffected by federal policy changes.
III. Practical Implications of State and Federal Divergence
The divergence between Colorado’s CAIA and the federal approach creates a complex regulatory environment for businesses. Colorado’s regulation emphasizes liability for unintentional discrimination and mandates recurring impact assessments, while the federal approach narrows liability to intentional discrimination, effectively minimizing oversight.
This presents a two-track compliance landscape where companies operating nationally must reconcile these contrasting standards. Federal regulators suggest that companies need not conduct disparate impact testing, whereas Colorado requires ongoing assessments to identify and mitigate potential discriminatory outcomes.
Companies focusing solely on federal standards risk non-compliance in Colorado and similar states that may adopt CAIA-like regulations. Conversely, businesses that develop governance strategies aligned with CAIA’s higher standards—including annual assessments, consumer disclosures, and reported protocols—will be well-prepared to navigate both regulatory frameworks.
Conclusion
As businesses prepare for the evolving landscape of AI regulation, they must recognize the stark differences between state and federal approaches. Colorado’s CAIA holds companies accountable for unintentional discrimination through robust compliance measures, while federal guidelines limit liability to intentional acts. By maintaining comprehensive risk management programs, conducting regular impact assessments, and documenting mitigating steps, businesses can access safe harbors under CAIA, ensuring they are not only compliant but also protected against potential liabilities.
