The first comprehensive US state AI law targets high-risk systems in credit and financial services — effective June 30, 2026.
Colorado SB 24-205 stands as the first comprehensive AI regulation enacted by any US state, making it a watershed moment for financial institutions across the country. Originally scheduled to take effect on February 1, 2026, the law received a five-month extension through SB 25B-004 and now becomes effective on June 30, 2026. Rather than imposing blanket restrictions on all AI systems, the law targets "high-risk AI systems," those that have the reasonable potential to meaningfully impact civil liberties or civil rights, as well as systems making consequential decisions in specific high-stakes domains. For banks and BFSI firms, the law applies directly to AI systems used for credit decisions, risk pricing, loan approvals, and other financial services that determine whether someone gains or is denied access to financial products or services.
The Colorado law represents a distinctly American approach to AI regulation, falling somewhere between the European Union's comprehensive AI Act and the hands-off approach of other jurisdictions. It rejects the notion that all AI requires the same treatment, instead creating a framework that focuses regulatory burden where it matters most — on systems that actually affect people's fundamental interests in credit, employment, housing, and insurance.
The Colorado law makes a crucial distinction between two roles: developers and deployers. A developer creates an AI system, while a deployer buys or implements it to make decisions. For most banks and financial institutions, this means you are the deployer. This distinction is important because it clarifies that responsibility falls on the entity making the actual business decision using the AI system, not primarily on the software vendor who created it.
Financial institutions deploying AI for credit decisions, risk assessment, loan approvals, or pricing are squarely in scope as deployers. The law does not require that a bank build its own AI (many will use third-party models and platforms). What matters is that when that AI system makes or substantially influences a consequential decision in financial services, your institution bears the obligation to comply with the law's requirements. If you use a vendor's AI system to make lending decisions, you are deploying a high-risk AI system under Colorado law, regardless of whether the vendor built it or licensed it from another party.
Colorado's approach centers on concrete, implementable requirements that banks should view as reasonable operational practices rather than burdensome compliance overlays. First, banks must establish and maintain a documented risk management policy that applies to all high-risk AI systems. This policy should articulate how the institution identifies high-risk systems, assesses their impacts, and monitors them over time. The policy need not be exotic; it should reflect the bank's governance approach and integrate with existing risk management frameworks.
Before deploying any high-risk AI system in Colorado, banks must conduct an impact assessment that evaluates the system's potential effects on civil rights, civil liberties, and other protected interests. This assessment should examine whether the system could produce disparate outcomes across different demographic groups, whether it might perpetuate or amplify existing biases, and what mechanisms exist to catch and correct errors. The assessment is not a one-time checkbox; the law requires annual updates for systems already in use. These assessments should be documented and retained for regulatory inspection, typically for at least three years.
When a bank's AI system makes or materially influences a decision that has a significant or reasonably foreseeable negative impact on a consumer, such as a credit denial, the law requires that the bank notify the affected consumer that artificial intelligence was used in the decision. This notification obligation is surprisingly close to existing adverse action notice requirements under the Fair Credit Reporting Act, with the additional element of making clear that an algorithm, not just a human decision-maker, played a role. Banks must also provide consumers with a mechanism for human review or appeal of the AI-made decision, ensuring that no person remains stuck with a purely algorithmic outcome if they choose to challenge it.
Record-keeping is the final major operational requirement. Banks must maintain records related to the development, testing, and deployment of high-risk AI systems, as well as records of complaints and appeals. These records must be available for inspection by Colorado's Attorney General and state regulators. Additionally, banks should prepare to make public compliance statements (brief declarations that the institution has a risk management policy compliant with the law), though the specifics of what must be public versus what remains confidential are still being clarified through regulatory guidance.
The Colorado law includes a provision that dramatically changes the compliance calculus. If a deployer can demonstrate that it has implemented the National Institute of Standards and Technology's AI Risk Management Framework (NIST AI RMF) or ISO 42001, there is a rebuttable presumption that the institution exercised "reasonable care" in developing and deploying its high-risk AI system. This safe harbor is not absolute immunity (attorneys general could still challenge compliance if they believe the framework was implemented poorly or in bad faith), yet it provides a clear, nationally recognized path to compliance that is also aligned with other regulatory frameworks.
The NIST AI RMF approach has the added benefit of being voluntary, scientifically grounded, and design-agnostic. It does not require banks to use specific tools or technologies but instead provides a governance model encompassing risk identification, measurement, and mitigation across the AI system lifecycle. Because NIST has invested significant effort in making the framework compatible with existing financial services risk management approaches, adopting it does not require wholesale overhaul of current compliance infrastructure. For banks already engaged with NIST standards in other contexts, extending that work to AI systems is a natural extension.
The law also includes an affirmative defense. If a bank discovers a violation of Colorado's requirements through its own internal testing, red-teaming, or other quality assurance processes, and it remedies the issue before regulators discover it independently, the bank may have a defense against enforcement action. This provision explicitly incentivizes banks to audit their own systems rigorously rather than hoping regulators don't notice problems. Combined with the safe harbor for NIST AI RMF compliance, these provisions create a framework that rewards diligent institutions and reserves enforcement for those that are negligent or reckless.
The Colorado law grants exclusive enforcement authority to the state's Attorney General. No private right of action exists, meaning consumers cannot sue directly under the law, though they may retain other avenues such as disparate impact claims under existing fair lending law. Violations carry significant teeth: the Attorney General can seek civil penalties of up to $20,000 per violation per affected consumer. For a large financial institution that makes thousands of credit decisions monthly using a biased AI system, penalties could accumulate rapidly. However, the law provides a 60-day cure period after notice, allowing institutions to remediate violations before enforcement actions are filed. This cure window incentivizes rapid response to regulator concerns and reflects an approach that values compliance over punishment.
Colorado is not alone. As of March 2026, the United States is experiencing a wave of state-level AI legislation that creates a complex compliance landscape for any bank operating across multiple states. Understanding the broader picture helps clarify why a coordinated approach — such as implementing NIST AI RMF — is the most cost-effective strategy.
Texas enacted the Responsible AI in Government Act (RAIGA, HB 149), effective January 1, 2026. RAIGA is narrower than Colorado's approach, focusing primarily on prohibited uses of AI by government entities rather than imposing general framework requirements. However, RAIGA also creates an AI regulatory sandbox that allows companies to test new AI systems under regulatory flexibility, which may become relevant for banks exploring novel applications.
California has enacted multiple AI-related statutes, reflecting the state's position as a technology hub with competing priorities. AB 853 establishes a California AI Transparency Act focused on disclosure obligations. SB 53 addresses frontier AI safety, and AB 316 creates AI liability frameworks. While none of these has the comprehensive scope of Colorado's SB 24-205, collectively they establish California as a state with real AI oversight.
Illinois's Biometric Information Privacy Act (BIPA) has become notorious in financial services as one of the most plaintiff-friendly privacy laws in the nation, with private rights of action that have generated billions in class action settlements. However, there is an important exemption: BIPA explicitly carves out financial institutions subject to regulation under the Gramm-Leach-Bliley Act, which includes most banks. This carve-out has prevented many of the massive settlements seen in other industries, though it also means banks relying on BIPA's exemption must carefully monitor whether the Illinois legislature narrows or repeals it.
Connecticut's SB 2 is worth close attention because it rivals Colorado in scope and represents a comprehensive approach comparable to the European Union's AI Act. The law applies to AI systems making decisions affecting legal rights and obligations and imposes requirements around transparency, explainability, and bias assessment. For banks operating in Connecticut, SB 2 creates obligations similar to those under Colorado law, reinforcing that a NIST AI RMF-based approach covers multiple state regimes simultaneously.
New York's Local Law 144 focuses specifically on bias audits for automated employment decision tools used in hiring and promotion. Banks with recruitment AI systems must conduct annual audits and submit results to the city. Massachusetts has not enacted a comprehensive AI law but earned headlines when the state's Attorney General secured a $2.5 million settlement against Earnest over discriminatory AI lending practices in 2025. This demonstrates that existing consumer protection law, applied aggressively, can function as AI regulation.
As of March 2026, 36 state Attorneys General have formally opposed federal preemption of state AI laws, signaling that the states intend to retain regulatory authority even if Congress enacts a uniform federal framework. This makes clear that banks should not count on federal preemption to simplify the compliance landscape. Multi-state institutions face potential obligations under 50 or more different regulatory regimes, each with subtly different definitions and requirements.
The fragmented landscape creates several imperatives for banking institutions. First, remaining compliant across multiple states requires a comprehensive, documented approach that can satisfy the most demanding requirements. If a bank implements a NIST AI RMF-based governance model that satisfies Colorado and Connecticut, it will largely satisfy requirements in less stringent jurisdictions as well. Conversely, institutions cannot afford a state-by-state approach, as the compliance burden and cost would be unsustainable.
Second, financial institutions should recognize that documentation and impact assessment are not optional. Every state regime that has been enacted requires banks to document their AI governance approach, conduct impact assessments before deployment, and maintain records for regulatory inspection. Banks that treat these requirements as compliance theater rather than substantive practices expose themselves to enforcement risk and operational failure.
Third, the Colorado law's safe harbor for NIST AI RMF compliance should drive concrete action in 2026. The five-month extension to June 30, 2026, gives banks a window to prepare, though institutions have already lost time. Adopting NIST AI RMF is not instantaneous, particularly in larger organizations with complex AI systems and fragmented risk management structures. The process requires identifying all high-risk AI systems, conducting baseline assessments, and integrating the framework into governance structures. Institutions that move quickly gain first-mover advantages in demonstrating compliance to regulators.
Corvair.ai provides AI governance platforms purpose-built for financial services institutions managing high-risk AI systems. By automating impact assessments, maintaining compliant documentation, and integrating with existing risk management systems, Corvair helps banks satisfy Colorado, Connecticut, and multi-state requirements without duplicating effort. For institutions deploying AI-driven lending, credit decisioning, or risk pricing, Corvair's platform reduces the friction of compliance while strengthening the quality of AI governance.
Schedule a BriefingHow SEC, FTC, CFPB, and EEOC apply existing law to AI in financial services.
Read guidePresidential executive orders shaping the federal AI policy landscape for financial institutions.
Read guideSide-by-side analysis of US federal and state AI governance frameworks.
View comparison