Colorado AI Act: What to Ask Your Vendors

This article is part of a series on Colorado’s AI and automated decision-making rules (SB24-205 and the proposed update SB26-189). This is Post 4. In Post 1, I covered what the law is and why it matters. In Post 2, I covered what kinds of AI use are most likely to fall into scope. In Post 3, I laid out a practical first-30-days plan. In this post, I want to focus on the place where most businesses are going to feel this first: your vendors.


Legislative update (as of May 2026): Colorado lawmakers have introduced SB26-189, which would repeal and replace SB24-205 with a framework focused on automated decision-making technology used in consequential decisions. The proposal would shift the effective date to Jan. 1, 2027. SB26-189 also puts more emphasis on developer documentation and deployer oversight, which is why vendor answers matter. This article is for general information and reflects what is known at the time of writing. If your business uses AI in hiring, housing, lending, insurance, healthcare, or similar decisions, I recommend monitoring this bill’s progress and getting clarity on your tools and vendors now.




AI did not enter your business through a strategy meeting

I see this all over South Denver.

A firm in Greenwood Village buys a new HR platform. A law firm in the Denver Tech Center upgrades its client intake tool. An advisory team in Centennial turns on a feature in their CRM.

Nobody called it “AI adoption.” It was just a software decision.

Then, six months later, someone asks a very reasonable question:

“Are we exposed, and who is responsible if this tool gets something wrong?”

That is what this post is about. Not panic. Just clarity and ownership.


You cannot outsource responsibility to a vendor

If a vendor tool influences a consequential decision, you cannot wave it away with, “the vendor handles that.”

You can and should lean on the vendor for documentation, controls, and support. But you still need to be able to answer basic business questions:

  • Where is AI being used in our firm?
  • What decisions does it influence?
  • What data does it touch?
  • What controls and oversight do we have?
  • What happens when it is wrong?

This is not just AI compliance. It is the same discipline I apply when we do IT support and vendor security reviews for firms in South Denver. If it matters to client trust, it deserves a real answer.


Start by prioritizing the right vendors

You do not need to review every vendor at once.

Start with a shortlist of the vendors most likely to matter, especially if you are a professional services firm using Microsoft 365 and cloud tools.

  • HR and recruiting platforms
  • Background check, screening, and verification services
  • CRM and sales platforms with scoring or recommendations
  • Client intake tools that route, score, or rank people
  • Customer service platforms with AI-driven routing or triage
  • Practice management or case management tools that provide “recommendations”
  • Microsoft 365 features if Copilot-style tools are enabled

If you are not sure where to start, pick your top five vendors by business impact and start there. That is enough to learn a lot quickly.


The vendor due diligence checklist (plain English)

This is the checklist I use for most small and mid-size firms in Centennial, Littleton, Greenwood Village, Lone Tree, Highlands Ranch, and the Denver Tech Center.

It is not meant to be a legal interrogation. It is meant to help you understand what you are buying, what it touches, and what you can control.

1) Confirm what AI features are actually in the product

  • Which features use AI?
  • Are those features on by default?
  • Can we turn them off, or limit them to certain users?
  • Do you provide admin controls for AI features?

2) Clarify intended use and known limitations

  • What is the intended use for the AI feature?
  • What should it not be used for?
  • What are the known limitations or failure modes?
  • Do you provide guidance on human review and oversight?

3) Understand the data inputs and data handling

  • What data is used to generate outputs?
  • Is any customer data used to train models or improve the service?
  • Is there an opt-out for training or retention?
  • Where is data stored, and for how long?
  • Who are your subprocessors, and what data do they receive?

4) Ask about updates and change control

  • How often are models or AI features updated?
  • How do you test updates before release?
  • Do you provide release notes that explain AI behavior changes?
  • Can we be notified when AI functionality materially changes?

5) Ask what testing and monitoring exists

  • How do you test for accuracy and reliability?
  • Do you test for bias or uneven outcomes? How?
  • Do you monitor for drift over time?
  • What metrics do you track, and can we access them?

6) Confirm security and response expectations

  • Do you provide SOC 2, ISO 27001, or equivalent security documentation?
  • What is your incident response process and notification timing?
  • What is your process for AI-related issues (bad outputs, harmful recommendations)?
  • Who do we contact when something needs to be escalated?

7) Confirm human review and auditability

  • Can we see why the system recommended something, at least at a high level?
  • Can we require a human review step before action is taken?
  • Can we override the AI output easily, and is that logged?
  • Can we export decision logs if needed?

8) Make sure you can get real support

  • Do you offer a named contact for compliance and risk questions?
  • Can you provide written responses to due diligence questions?
  • Do you have a plan for supporting Colorado requirements?

If a vendor cannot answer basic questions like these, that does not automatically mean you must cancel the vendor tomorrow.

But it does tell you where the risk sits. And it tells you where you need stronger internal guardrails.


Vendor red flags I would not ignore

If you want a quick list of warning signs, here are the ones that consistently matter.

  • “We do not use AI” when the product clearly includes rankings, recommendations, or automated decisions
  • No ability to disable or limit AI for certain users or workflows
  • Vague answers about data retention, training, or subprocessors
  • No documentation on intended use and limitations
  • No audit trail for key outputs that influence decisions
  • No clear escalation path for AI-related issues
  • “Trust us” posture instead of evidence, testing, and controls

In professional services, this matters because it touches reputation.

If a tool influences hiring, intake, eligibility, or client outcomes, you want more than marketing language. You want something you can stand behind.


What to do if you do not have leverage with vendors

I understand the reality for small and mid-size businesses. You do not always get to dictate terms to a big software company.

So here is what I recommend when a vendor is slow, vague, or simply not helpful.

  • Limit usage: restrict AI features to a small group of trained users
  • Require human review: do not allow AI outputs to be used without a second set of eyes
  • Keep a decision log: capture when AI influenced a decision and who approved it
  • Reduce data exposure: minimize sensitive data shared with the tool
  • Use compensating controls: training, checklists, and clear escalation paths
  • Plan alternatives: know what you would switch to if you had to

The goal is not perfection. The goal is to be able to say, calmly and truthfully:

“We have this handled. We understand what the tool does. We control how it is used. And we can show our work.”


What to document (so you can prove you did the work)

This does not need to be complicated.

Create a folder or a single record per vendor and store:

  • Which AI features are enabled and who can use them
  • Vendor documentation and any written responses you received
  • Notes on intended use and internal rules
  • Any controls you implemented (human review, logs, restrictions)
  • Dates of review and who participated

That is enough to create a defensible record. It also reduces the mental load on leadership: a year from now, nobody has to rely on memory to explain what was decided and why.


How we can help

I work with professional services firms across South Denver that want practical governance without drama.

If you need help identifying which vendors are AI-enabled, creating a vendor questionnaire, or setting up a review process your team can actually follow, we can help.

This also ties naturally into the work we already do around Managed IT Services in South Denver, Microsoft 365 security in Denver, and vendor risk management. The goal is simple: predictable operations, protected client data, and clear ownership.



Frequently Asked Questions About AI Vendor Due Diligence

Do we need a vendor questionnaire for every tool?

No. Start with the tools that influence consequential decisions or produce rankings, scores, recommendations, or routing that your team relies on. For most businesses, the top five vendors by impact are a good starting point.

What if a vendor refuses to answer our questions?

Treat that as a risk signal. If you cannot get documentation, implement compensating controls. Limit who can use the feature, require human review, reduce sensitive data shared with the tool, and document the steps you took.

Do we need SOC 2 for every AI vendor?

Not always, but you should have a consistent way to evaluate vendor security. For higher-impact vendors, SOC 2 or equivalent documentation is a common baseline. The key is to understand how data is handled and what protections exist.

Is “human review” enough to reduce AI risk?

Human review helps, but only if it is real. If staff rubber-stamp AI outputs, the risk remains. Review should include clear criteria, training, and the ability to override outputs, with logs when it matters.

What should we do first if we have no vendor review process today?

Start with an AI inventory and prioritize the top five vendors by business impact. Then send a short set of questions focused on AI features, data handling, controls, and support. Document what you receive and implement compensating controls where answers are weak.


Disclaimer: This article is provided for general informational purposes only and is not legal advice. Businesses should consult qualified legal counsel regarding their specific compliance obligations under SB24-205, proposed SB26-189, or any other applicable law. Vendor and contract terms should be reviewed with qualified counsel.
