State legislatures moved faster than Congress. Colorado and California now impose concrete duties on organizations that deploy AI in consequential decisions — employment, housing, healthcare, and more. If your agents touch Colorado or California residents, state law may apply even when federal AI legislation does not.

Colorado AI Act (deployer focus)

Deployers of high-risk AI systems must exercise reasonable care to protect consumers from algorithmic discrimination. Key obligations include:

  • Impact assessments — documented analysis of purpose, data, risks, and mitigation before deployment
  • Consumer notice — when high-risk AI makes or substantially factors into consequential decisions
  • Appeal rights — human review pathways where required
  • Incident response — discovery of algorithmic discrimination triggers a duty to cure and notify

California developments

California has advanced transparency requirements for AI-generated content and safety-related obligations for large frontier model developers. Deployers must track which models power their agents, document training-data exclusions where relevant, and prepare for disclosure duties that affect customer-facing AI outputs.

Governance workflow mapping

Colorado impact assessments map directly to openRegal's Assess stage: intake captures purpose and data; Regal AI produces risk tier and recommended controls; GRC reviews and approves. California transparency duties attach to runtime policy — what the agent may generate, log, and disclose.

Evidence for state auditors

State attorneys general will ask for records — not intentions. Store impact assessments, approval timestamps, test results, and runtime logs in one audit trail. Deploy gates ensure no high-risk system ships without completed intake and assessment.