On June 30, 2026, Colorado becomes the first U.S. state to enforce a comprehensive law regulating high-risk artificial intelligence systems. The Colorado AI Act, Senate Bill 24-205, has been on the books since 2024. This week, it becomes real.
The law targets AI systems that make consequential decisions about people in areas like employment, housing, education, and healthcare. Companies deploying such systems in Colorado must now conduct risk assessments, notify consumers when AI is being used to make decisions about them, and offer a process for appealing those decisions. For businesses that have been watching AI regulation from a safe distance, that distance has closed.
What the law actually requires
The Colorado Act places obligations on two groups: developers who build high-risk AI systems and deployers who use them. Developers must publish documentation about their systems’ intended use cases and provide deployers with information to conduct their own risk management. Deployers, in turn, must establish programs to manage algorithmic bias, conduct annual impact assessments, and notify the state attorney general of any known or suspected discrimination.
The definition of “high-risk” is specific. A system qualifies if it makes or substantially influences a consequential decision affecting a consumer’s access to, or the cost of, education, employment, credit, insurance, housing, or healthcare. That scope covers a wide range of tools already in use. HR screening software, credit underwriting models, tenant screening platforms, and clinical decision support tools all sit within the law’s reach.
Federal action on a different front
Two days before the Colorado deadline, on June 28, the White House issued a new executive order on AI titled “Promoting Advanced Artificial Intelligence Innovation and Security.” The order establishes a voluntary framework allowing developers of advanced AI models to submit their systems to the federal government for cybersecurity and national security assessments before public release.
The order also directs multiple agencies to strengthen federal cyber defenses and creates an AI cybersecurity clearinghouse, a shared repository of information about AI systems that present heightened security risks. It is the third major AI executive order of the current administration, and its tone is noticeably different from its predecessors, which focused on eliminating regulatory barriers and asserting federal preemption of state AI laws. This one acknowledges that frontier AI capabilities present genuine national security concerns that require active management.
The federal-state tension
Legal analysts at White & Case noted this week that the executive order’s shift in emphasis creates new complexity for companies navigating the patchwork of state and federal rules. Earlier orders under the current administration had signaled that federal law would preempt state AI regulations, giving businesses reason to expect a single national standard. The new order does not reverse that signal explicitly, but it does suggest the federal government is no longer treating AI regulation as solely a matter of clearing obstacles to innovation.
California’s AI Transparency Act, which requires watermarks and detection tools for AI-generated content, takes effect August 2. Other states including Texas, Illinois, and New York have active AI legislation moving through their legislatures. The picture for businesses is one of accelerating complexity, not simplification.
What companies are doing about it
Law firms including Baker Donelson and Holland & Knight have published detailed compliance guides in recent weeks as clients prepare for the Colorado deadline. The common advice: don’t wait for enforcement to start the work. The risk assessment and documentation requirements take time to build properly, and the attorney general’s office has signaled it intends to use its oversight authority.
The practical challenge is that many companies deploying AI systems have incomplete documentation of how those systems make decisions. The era of deploying a vendor’s model and treating it as a black box is becoming legally uncomfortable. That pressure, from Colorado and soon from other states, is likely to push more rigorous AI governance up the corporate priority list faster than voluntary guidance ever did. For more coverage of AI and the law, visit Mylistingo.
