In May, Colorado became the first state to pass legislation governing the use of AI and protecting consumers against algorithmic discrimination.
The Colorado AI Act, SB 24-205, governs how AI can be used in the workplace, but also in settings such as education, financial services, and healthcare. It is set to take effect on February 1, 2026.
“HR is right in the center of the bullseye for this law,” said John Rood, founder and president of Proceptual, an AI compliance consultancy. “If your company is using AI-powered software to help make decisions about job candidates for promotion or dismissal, all the things that we use it for now, within our ATS, within our HRIS, that’s right in the center of the law.”
The law identifies certain areas of use as “high risk” and outlines procedures and requirements when employers use the tools in these settings. High risk areas include instances such as hiring, promotion and compensation, performance evaluation, and termination.
“The key focus for Colorado is this concept of algorithmic discrimination,” Rood said.
Any employer doing business in the state of Colorado with more than 50 employees will have specific obligations when AI is a factor in the decision-making processes that affect personnel, according to Philip L. Gordon, a shareholder with the labor and employment firm Littler Mendelson. Gordon co-chairs the privacy and data security practice group.
“If the AI is going to be used to contribute to decision-making regarding hiring, retention, promotion, [then] you’re getting into an area where use of the AI tool is going to be higher risk and has a greater potential to get your company into trouble, because preexisting anti-discrimination laws continue to apply to this new technology,” Gordon told HR Brew.
If an AI tool is used to make decisions in these “high-risk” areas, employers must publicly disclose that. There are additional requirements to disclose its use to individuals, and in cases of “adverse decisions” the employer must disclose how the tool contributed, Gordon said.
Additionally, any “deployer,” defined by the law as any “person doing business in this state that deploys a high-risk artificial intelligence system,” must develop a “risk-management policy and program” outlining the processes and people involved in mitigating any algorithmic discrimination. Deployers must also conduct an “impact assessment.”
Quick-to-read HR news & insights
From recruiting and retention to company culture and the latest in HR tech, HR Brew delivers up-to-date industry news and tips to help HR pros stay nimble in today’s fast-changing business environment.
The state regulating the use of AI in a variety of settings—including the workplace—fills a legislative vacuum from the federal government. The US Congress has not addressed AI, and the only federal guidance overseeing the use of the technology has come from the Biden administration.
What’s HR to do? As more companies leverage AI-powered technologies in the workplace, navigating a fluid regulatory landscape can be difficult, but Rood said there are a few steps HR pros can take to be prepared for compliance.
“As HR leaders think about figuring out how to comply with this law, it seems kind of daunting,” he said. “Towards the end of the law, it says if you have complied with one of either the NIST risk management framework for AI or the new ISO AI regulation, or another international standard—implying, to me at least, the EU AI Act—that you are presumed to have been complete to comply with the Colorado law; and I think we’re going to see a lot of this.”
Rood said working on becoming compliant is not a “pants-on-fire emergency today” for employers, but it is important for HR teams to get started.
“The way to start thinking about this from the HR perspective is to make sure you understand what [your AI is] doing under the hood,” he said. “How is it making those decisions? And how do you know, both as an employer and as a vendor, that it’s making those decisions fairly?”
HR can develop the procedures around continual audits of the AI-made decisions, he said, adding that HR can begin to identify the persons responsible for monitoring those audits on a regular basis and to make continual improvements in the system to remain compliant.
Additionally, Gordon told HR Brew he expects the law to be amended in the next legislative session, following a request from Governor Jared Polis to do so. Additionally, more guidance could come from the state’s attorney general.