By Grace Boudjalis
BLOG OVERVIEW: Colorado's landmark AI Act (SB 24-205) faces a potential overhaul as Governor Polis' AI Policy Working Group has developed the KILO draft, a proposed replacement framework that shifts from prescriptive governance requirements to a disclosure-and-transparency model focused on consumer notice, plain-language disclosures, human review, and recordkeeping. With two deadlines now in play—the current law taking effect June 30, 2026, and the proposed framework targeting January 1, 2027 if passed—employers and federal contractors should closely monitor these developments as the compliance landscape remains uncertain.
On May 17, 2024, Colorado became the first US state to enact comprehensive artificial intelligence (AI) legislation. SB 24-205 covers "high-risk" AI systems used to make or substantially influence decisions across employment, housing, lending, education, healthcare, insurance, and government services. The law imposes a duty of reasonable care on developers and deployers to prevent algorithmic discrimination and requires disclosure of any known violations to the Attorney General (AG) within 90 days. Core compliance obligations include a risk management policy and program, annual impact assessments for high-risk systems, and consumer notices before and after consequential decisions. It also establishes an affirmative defense for organizations that proactively identify and remediate violations and can demonstrate alignment with recognized AI risk management frameworks. For a full breakdown, see DCI's original blog post on SB 24-205.
Given the breadth of its requirements, the Colorado AI Act has faced stakeholder concerns that it may be overly complex, burdensome for businesses, and potentially limiting to innovation. After failed attempts to amend the law during the 2025 legislative session, lawmakers delayed the effective date from February 1, 2026, to June 30, 2026, and Governor Jared Polis convened a working group to develop a replacement framework.
Proposed KILO Draft
As a result, Governor Polis' AI Policy Working Group developed a new legislative draft, codenamed the KILO draft. This draft represents a fundamental rewrite of Colorado's AI regulations.
While the Colorado AI Act imposed affirmative governance obligations closer in spirit to the European Union AI Act, the KILO draft shifts to a disclosure-and-transparency model more consistent with state data privacy laws. The risk management policy, annual impact assessments, and AG reporting requirements would largely be removed or replaced with less prescriptive transparency and documentation requirements.
Under the proposed framework, deployers of covered automated decision-making technology (ADMT) would be required to post a consumer notice of AI use, provide plain-language disclosures within 30 days of an adverse outcome, offer the opportunity to request human review, and retain compliance records for three years.
Developers would be required to provide deployers with technical documentation covering intended uses, known limitations, and training data categories. A 90-day cure period before the AG can seek civil penalties, which is not present in the current law, would also be introduced.
Employment decisions remain covered under both frameworks, and the sector exemptions available to insurers and healthcare entities generally do not extend to employment-related use cases under either law.
Key Takeaways
Two deadlines are now in play. The current Colorado AI Act takes effect June 30, 2026. If the KILO draft passes, that deadline would shift to January 1, 2027, and the compliance landscape would change significantly. However, the KILO draft has not yet been formally introduced in the General Assembly, and its passage is not certain.
DCI will continue to monitor the Colorado AI Act and the KILO draft along with any related legislative developments or guidance that may emerge. Stay tuned to DCI Blogs for updates.