On May 17, 2024, lawmakers in Colorado established the Colorado AI Act, making the state a front-runner in shaping governance around artificial intelligence (AI) alongside California and New York. The new legislation will take effect on February 1, 2026.

How can board members, general counsel, CISOs and other senior leaders make the most of the intervening months? Guidance follows, starting with critical context on the Act’s purpose and objectives.

For busy tech and leadership teams eager to streamline their 

 efforts, one initial question may be: Will policies and practices developed to comply with the EI AI Act satisfy requirements for new requirements on the other side of the Atlantic?

The purpose of the Colorado AI Act is broadly aligned with many governance frameworks emerging worldwide. It aims to protect consumers from potential harm caused by AI systems. Like the 

, central focus areas are risk, transparency and accountability, with 

The two frameworks do diverge, however, when it comes to the details. While the EU AI Act outlines four levels of AI risk across a wide range of areas, the Colorado AI Act concentrates its regulatory effect on “high-risk AI systems.” These are 

 as any system that makes or is a substantial factor in a "consequential decision” — that is, decisions exerting a significant impact on education, employment, essential government services, healthcare, housing, insurance and legal services.

Within this purview, the Colorado AI Act 

 even further to “algorithmic discrimination,” where use of a high-risk AI system results in “unlawful differential treatment or impact that disfavors an individual or group of individuals on the basis of their actual or perceived age, color, disability, ethnicity, genetic information, limited proficiency in the English language, national origin, race, religion, reproductive health, sex, veteran status or other classification protected under [Colorado] or federal law.”

Another important parameter of the law involves application: individuals, corporations and other legal or commercial entities “doing business in Colorado.” While this exact phrase is not defined in the Act, international law firm 

 suggests it applies to parties “who solicit business and receive orders from Colorado residents by any means,” adding that the firm’s lawyers “expect the phrasing to be interpreted broadly.”

Stay ahead of regulation with our global AI regulation guide. Learn how countries are shaping AI's future.

Get the full picture

Requirements for developers and users of AI systems

In keeping with the Act’s objectives of ensuring transparency and accountability, parties who’ve developed or “intentionally and substantially modified” a high-risk AI system will be required to:

Document what data is used to train each AI system

Describe known risks of discrimination and actions taken to address these risks

For their part, organizations deploying these high-risk AI systems must implement, with regular review and updates, a risk management policy that aligns with standards, including the 

National Institute of Standards and Technology (NIST) AI Risk Management Framework

International Organization for Standardization's ISO 42001

They will also be required to release an annual impact statement detailing:

The system’s purpose, intended use, deployment context and benefits

The system’s data output and the data it uses for input

An analysis of the system’s risks related to algorithmic discrimination

Transparency measures, including post-deployment monitoring and user safeguards

Deployers can enlist a third party to complete these assessments and may conduct group assessments for similar systems or laws into one undertaking. They must store their findings for at least three years.

When the AI system contributes to a negative or adverse decision, the Colorado AI Act requires that the system’s deployer send affected individuals an accessible, “plain language” notice. The notice must:

Disclose how the system contributed to the decision, including the types of data it processed and where the data were sourced

Provide an opportunity to correct inaccurate personal data that factored into the decision

Provide an opportunity to appeal the adverse decision, with time for human review

Colorado AI Act monitoring, enforcement and exemptions

, with which organizations must be prepared to demonstrate compliance upon request from the office of the Colorado Attorney General.

Violations are considered unfair trade practices under Colorado state statute, with punishments including fines or injunctive relief.

The Colorado AI Act notes several exceptions, including for businesses with fewer than 50 employees, businesses that don’t use their own data in AI training, entities already beholden to strict federal standards and federally contracted projects and research not used in high-risk areas like employments and housing.

Getting your business ready for what’s next

The Colorado AI Act should be high on your compliance agenda, despite the 14-month window before it takes effect and even if your company does not currently do business in Colorado. The law is most important for its role as a major precedent: “The Act represents the first comprehensive AI legislation in the U.S., and other states are likely to follow suit if the federal government cannot move quickly to pass a comprehensive nationwide AI bill,” 

Thoroughly reviewing AI systems, policies and practices

Documenting the data used to train AI systems and measures taken to prevent discrimination, in compliance-ready comprehensive detail

Continuously testing AI systems for bias and proactively correcting any issues you detect

Stay ahead with the latest in AI oversight, compliance and more

Another important next step for the Colorado AI Act and other evolving AI legislation: educating practitioners, directors and leadership in your organization. Set clear expectations, with training sessions treated as business-as-usual for employees involved in AI development and deployment. For those involved in big-picture decisions, equip them with the skills to capitalize on valuable opportunities while applying responsible, strategic oversight.

Improve the quality of your work by employing pre-existing, purpose-built resources like the AI learning track that is part of our 

 in the Diligent One Platform. It offers an introduction to AI along with educational material on risk management, ethics, governance, board oversight and more.

Diligent AI Ethics & Board Oversight Certification

 offers a more comprehensive decision-making toolkit for AI governance and oversight. Developed in partnership with the Volkov Law Group, its four constituent courses — 15 hours in total — cover the basics of AI ethics and compliance programs, different governance and oversight models, team collaboration and other areas of understanding that are essential for long-term AI strategy and compliance.

Learn more about making AI governance part of your board’s continuing education agenda, for the Colorado AI Act and beyond. 

The Colorado AI Act: What you need to know now

Organizations today face an increasingly complex cyber risk landscape, where threats are evolving rapidly, and regulatory requirements are becoming more stringent. Traditional approaches to risk management, often fragmented across departments, can no longer keep pace with these demands.

To build resilience and maintain compliance, organizations are turning to integrated Governance, Risk, and Compliance (GRC) technology to streamline processes, centralize risk data and provide actionable, board-ready insights.

 — a global event that brought together more than 4,500 practitioners, executives and board directors — an expert panel of CISOs and risk management professionals shared their experiences in leveraging GRC tools to enhance visibility, automate compliance and improve decision-making at all levels.

Breaking down silos for greater risk visibility

James Wade, Chief Information Security Officer at property services provider, MCS, described how his organization faced significant challenges due to siloed risk management practices. “We were a very siloed company,” Wade explained. “We had different business units in the property preservation space, the commercial space, and now in the government space, each doing their own thing. They weren’t reporting back on the software they were using or the risks they were encountering.”

By implementing a centralized GRC software solution — the 

 — MCS was able to unify its risk data. “We really had to pull the reins back and put an actual GRC program in place,” Wade noted. “It helped us bridge the silos, ensure everyone was aligned, and provide executives with a holistic view of our risk posture.”

“GRC tools allow us to categorize risks into clear buckets so we can prioritize them effectively."



Navigating regulatory complexity with automation

For multinational organizations, regulatory compliance is a constant challenge. Deana Robinson, Governance, Risk, and Compliance Manager at Sonoco Products, highlighted how her company leverages GRC tools to stay ahead of regulatory changes. “We frequently receive regulatory updates from different regions,” Robinson explained. “Sometimes, a local jurisdiction sends a new compliance requirement to one of our plants, and it’s the first time we’re hearing about it. Managing these across a global company is a challenge.”

By leveraging GRC automation, Sonoco Products now receives regulatory alerts in real time, categorizes them efficiently, and initiates compliance workflows immediately. “Instead of scrambling to address compliance letters from local jurisdictions, we now have a structured system in place that alerts us proactively,” Robinson said. “It’s reduced our response time and improved our ability to demonstrate compliance to auditors.”

Driving board engagement through actionable insights

A key challenge in cybersecurity is translating technical risks into business priorities. Parrish Gunnels, CISO of Sunflower Bank, emphasized the role of GRC dashboards in bridging this gap. “There are many assessments being done across various areas, and pulling that information together to identify common threads is difficult,” Gunnels noted. “GRC tools allow us to categorize risks into clear buckets so we can prioritize them effectively.”

Similarly, Viktor Culjak, Director of Consulting at Diligent, highlighted the importance of traceability in board reporting. “Executives and board members don’t want to wade through technical jargon — they need a clear narrative that connects cyber risks to business impact,” Culjak explained.

“One of the worst-case scenarios is when you present risk data, and a board member asks how you came up with it — and you can’t explain the delta. GRC platforms like the Diligent One Platform provide that traceability and confidence in the data.”

Moving from reactive to proactive risk management

GRC technology is not just about compliance; it enables organizations to anticipate and address risks before they escalate. Wade described how his organization integrates external threat intelligence into its GRC system for continuous monitoring. “We’ve been able to automate risk assessment questionnaires and integrate them into a dashboard,” he said. “It’s eye-opening how conversations started happening across different teams once they could see how their risks impacted other parts of the organization.”

Gunnels echoed the sentiment, highlighting how automation is shifting the focus from manual data collection to strategic risk mitigation. “We’re not spending our time chasing down compliance checkboxes — we’re actively analyzing trends and making decisions that reduce risk at scale,” he said. “It allows us to focus on what really matters.”

The future: AI and data-driven decision making

Looking ahead, artificial intelligence (AI) is expected to reshape cyber risk management. Robinson cautioned, however, that AI’s effectiveness depends on strong data governance. “AI can only be as effective as the data it processes,” she said. “Organizations need to ensure their data is clean, secure, and well-managed before relying on AI-driven insights.”

As risks evolve, so must risk management strategies. The consensus among industry leaders is clear: Organizations that invest in AI-powered GRC platforms today — both to streamline cyber risk management and to defend against an increasingly AI-driven threat landscape — will be far better equipped to navigate future challenges, strengthen security and improve decision-making.

 solutions – integrated with the Diligent One Platform – give leaders real-time visibility, streamlined compliance and clear board-ready insights. 

 to see how GRC technology can drive smarter cyber governance.

Cyber risk isn’t just an IT issue — it’s a leadership challenge. Learn how CISOs, GCs & boards can align for smarter risk management and oversight, while building cyber resilience


Diligent

Blog

The Colorado AI Act: What you need to know now

"We’re not just checking boxes": CISOs share how GRC technology is reshaping cyber risk management

Solutions

Resources

Company

Your Data Matters

Diligent

Blog

The Colorado AI Act: What you need to know now

"We’re not just checking boxes": CISOs share how GRC technology is reshaping cyber risk management

SolutionsSolutions

ResourcesResources

CompanyCompany

Your Data Matters

Solutions

Resources

Company