Colorado AI Act: Impact Assessment
Enforce annual impact assessment requirements for deployers of high-risk AI systems under Sec. 6-1-1703(3).
About This Policy Template
Policy for the Colorado AI Act impact assessment obligation. Section 6-1-1703(3) requires deployers to complete impact assessments annually and within 90 days of any substantial modification to a high-risk AI system. Assessments must cover purpose, intended use, deployed context, data categories, outputs, transparency measures, and monitoring. Records must be maintained for at least three years following final deployment. This policy detects AI system modifications without updated impact assessments, missing assessment documentation, and gaps in the assessment lifecycle. Note: insurers regulated under the Colorado Division of Insurance are subject to separate AI governance requirements and are generally exempt from these provisions. Deployers with fewer than 50 employees that do not use their own fine-tuned models may qualify for small deployer exemptions under Sec. 6-1-1703(6).
Policy Rules (3)
High Severity (1)
Substantial Modification Without Updated Assessment
Detect substantial modifications to high-risk AI systems without updated impact assessment (90-day requirement)
Medium Severity (2)
AI System With Outdated Assessment
Flag references to impact assessments older than one year (annual requirement)
Incomplete Impact Assessment
Detect impact assessments missing required fields (purpose, use, context, data categories, outputs, transparency, monitoring)
Enforcement by Integration
What happens when a violation is detected, based on the enforcement mode and integration type.
| Integration | Block | Approval | Warn | Monitor |
|---|---|---|---|---|
| Version Control (GitHub, GitLab, Bitbucket) | Fail check run / merge request status | Pending check run — held for review | Neutral check run / comment on PR | Pass check run (silent) |
| Email (Gmail) | Quarantine label; + violation label (outbound) | Quarantine label — held for review | Add warning label | Log only |
| Email (Outlook) | Move to quarantine folder; + flag (outbound) | Move to quarantine — held for review | Flag + categorize | Log only |
| Messaging (Slack, Teams) | Post violation warning in channel | Post 'held for review' warning | Post warning in channel | Log only |
| Storage (Google Drive, Dropbox, OneDrive) | Move file to quarantine folder | Quarantine file — held for review | Log only | Log only |
| AI Proxy (OpenAI, Anthropic, Gemini, MCP, Agent) | Block request (return 403) | Hold request — return review ID | Allow request + audit trail | Log only |
| API (REST API) | Return BLOCK outcome (client decides) | Return APPROVAL_REQUIRED + poll URL | Return WARN outcome | Log only |
Version History
1 version published
Initial release