Preparing for Colorado’s AI Act: A Practical Guide for Public Agencies

This guide provides a structured framework for agencies to comply with the law while enabling centralized, scalable governance, designed to uphold innovation and continuity of service.

May 14, 2025

Darwin

Overview: Why This Matters

The Colorado Artificial Intelligence Act (SB24-205), effective February 2026, introduces enforceable standards for AI systems used in consequential decision-making. Public agencies deploying AI in domains such as benefits, education, housing, or employment must meet new legal obligations. This guide provides a structured framework for agencies to comply with the law while enabling centralized, scalable governance, designed to uphold innovation and continuity of service.

1. Build a Comprehensive AI Inventory (Section 6-1-1703(2))

Objective: Establish complete visibility into AI tools across the agency.

Actions: Deploy monitoring tools to detect all AI use, including shadow applications; document purpose, deployment context, and user groups; tag each system as high-risk or exempt; update regularly to track changes or new use cases.

Impact: Enables oversight, reduces risk exposure, and creates a foundation for all other governance efforts.

2. Operationalize Policy Enforcement (Section 6-1-1703(2))

Objective: Convert written AI policies into enforceable rules.

Actions: Translate policy into machine-readable formats; configure access and use permissions based on roles; implement technical enforcement via endpoint tools; align with national frameworks such as NIST AI RMF or ISO 42001.

Impact: Ensures real-time policy adherence while minimizing administrative overhead.

3. Implement Required Impact Assessments (Section 6-1-1703(3))

Objective: Comply with legal requirements for AI accountability.

Actions: Conduct baseline assessments for each high-risk AI system before deployment; update assessments annually and after any significant system modification; include system purpose, outputs, risks, mitigation strategies, and appeal processes; retain records for three years.

Impact: Creates a legally defensible governance record and supports proactive risk management.

4. Stand Up a Risk Management Program (Section 6-1-1703(2))

Objective: Maintain an adaptive, centralized oversight mechanism.

Actions: Assign governance leads; implement regular review cycles and incident escalation paths; tailor controls by AI sensitivity and department; align program with recognized risk standards (NIST, ISO/IEC 42001).

Impact: Enables systematic oversight and creates a durable compliance infrastructure.

5. Ensure Consumer Transparency and Redress (Section 6-1-1703(4))

Objective: Meet notification and recourse obligations for individuals.

Actions: Inform individuals when AI is used in decision-making; explain the AI system’s role and data sources in plain language; provide rights to correct data, opt out (where applicable), and request human review; offer disclosures in multiple formats and languages.

Impact: Builds public trust and ensures compliance with transparency provisions.

6. Train and Support Staff at the Point of Use

Objective: Encourage secure and compliant AI usage through behavior.

Actions: Offer real-time prompts and educational nudges during AI use; reduce reliance on annual training by embedding context-aware guidance; track training effectiveness and adjust content accordingly.

Impact: Promotes responsible AI interaction across the organization.

Implementation Roadmap with Legal Alignment

Discovery & Planning

Technical Objective
- Establish observability of AI footprint
Key Actions
- Deploy AI activity detectors; map use cases and risks; classify tools by risk
Legal Reference
- §6-1-1703(2), §6-1-1702(2)

Policy Activation

Technical Objective
- Codify and embed AI use rules
Key Actions
- Define machine-readable policies; integrate endpoint enforcement; test policy impact
Legal Reference
- §6-1-1703(2), §6-1-1702(4)

Assessment Deployment

Technical Objective
- Launch risk and impact controls
Key Actions
- Complete initial impact assessments; implement change detection alerts for modifications
Legal Reference
- §6-1-1703(3)

System Rollout

Technical Objective
- Achieve broad operational governance
Key Actions
- Scale policy enforcement and assessment systems agency-wide; embed real-time disclosures
Legal Reference
- §6-1-1703(4), §6-1-1704

Continuous Oversight

Technical Objective
- Ensure dynamic compliance and performance
Key Actions
- Conduct annual reviews; monitor incident dashboards; adjust controls as needed
Legal Reference
- §6-1-1703(5), §6-1-1706(3)

Final Thoughts: Centralized Guardrails for Resilient Innovation

The Colorado AI Act creates a clear mandate: agencies must bring structure, oversight, and accountability to their use of high-risk AI systems. But it also presents an opportunity. By building centralized systems for governance—ones that integrate with operations rather than disrupt them—agencies can reduce compliance risk while creating the conditions for safe, scalable innovation. The goal isn’t to limit progress; it’s to ensure it happens with clarity, continuity, and public trust.

‍

Darwin Unveils Free Policy Wizard to Simplify AI Governance for Public Sector Agencies

Government

Artificial General Intelligence Is Still a Dream. The Real Work Is Governing the AI We Already Have

Noam Maital

In 1930, John Maynard Keynes warned that the world was heading toward a future of “technological unemployment”—a state where machines would render human labor obsolete. He predicted that within a century, advances in technology could reduce the average workweek to 15 hours, as productivity soared and economies became self-sustaining. Spoiler alert: we’re five years away from his hundred-year horizon, and most of us are still burning through 40–60 hour weeks while texting ChatGPT to summarize our meetings.