{"id":851,"date":"2026-05-01T09:22:11","date_gmt":"2026-05-01T14:22:11","guid":{"rendered":"https:\/\/cmitsolutions.com\/denver-co-1228\/?p=851"},"modified":"2026-05-04T10:29:25","modified_gmt":"2026-05-04T15:29:25","slug":"where-to-start-with-the-colorado-ai-act","status":"publish","type":"post","link":"https:\/\/cmitsolutions.com\/denver-co-1228\/blog\/where-to-start-with-the-colorado-ai-act\/","title":{"rendered":"Where to Start With the Colorado AI Act: A 30-Day Checklist"},"content":{"rendered":"<p><em>This article is part of a<strong>\u00a0series<\/strong> on Colorado\u2019s AI and automated decision-making rules (SB24-205 and the proposed update SB26-189). This is Post 3. In <a href=\"https:\/\/cmitsolutions.com\/denver-co-1228\/blog\/what-is-the-colorado-ai-act\/\" target=\"_blank\" rel=\"noopener\">Post 1<\/a>, I covered what the law is and why it matters. In <a href=\"https:\/\/cmitsolutions.com\/denver-co-1228\/blog\/what-ai-is-covered-under-the-colorado-ai-act\/\" target=\"_blank\" rel=\"noopener\">Post 2<\/a>, I covered what kinds of AI use are most likely to fall into scope. In this post, I want to make it practical. If you are a Colorado business owner wondering what to do first, this is where I would start.<\/em><\/p>\n<hr \/>\n<p><strong>Legislative update (as of May 2026):<\/strong> Colorado lawmakers have introduced <strong>SB26-189<\/strong>, which would <strong>repeal and replace<\/strong> SB24-205 with a framework focused on automated decision-making technology used in consequential decisions. The proposal would shift the effective date to <strong>Jan. 1, 2027<\/strong>. This article is for general information and reflects what is known at the time of writing. 
If your business uses AI in hiring, housing, lending, insurance, healthcare, or similar decisions, I recommend monitoring this bill\u2019s progress and getting clarity on your tools and vendors now.<\/p>\n<hr \/>\n<p><strong>Quick navigation:<\/strong> <a href=\"#faq\">Skip to FAQ<\/a> | <a href=\"#vendors\">Jump to vendor review<\/a> | <a href=\"#policy\">Jump to AI policy<\/a><\/p>\n<hr \/>\n<h2>If you are wondering where to start, start here<\/h2>\n<p>A lot of business owners freeze when they hear the words \u201cAI compliance.\u201d<\/p>\n<p>Not because they do not care. Usually it is the opposite. They care enough to know they do not want to get this wrong.<\/p>\n<p>I was talking recently with a professional services firm in Greenwood Village. Smart leadership team. Careful people. They had read enough about the Colorado AI Act to know it might matter. But they were stuck on the first question.<\/p>\n<p>\u201cWhat do we actually do now?\u201d<\/p>\n<p>That is the right question.<\/p>\n<p>You do not need to begin with a giant compliance project. You need a sensible first 30 days.<\/p>\n<p>If you run a law firm, advisory firm, consultancy, or other professional services business in Centennial, Littleton, Lone Tree, Highlands Ranch, Greenwood Village, or the Denver Tech Center, this is the practical starting point I would recommend.<\/p>\n<hr \/>\n<h2>What you should have in place in 30 days<\/h2>\n<p>If you want a simple target, aim for this. 
By the end of the first month, you should have:<\/p>\n<ul>\n<li>A basic inventory of AI tools in use<\/li>\n<li>A short list of likely high-risk workflows<\/li>\n<li>Initial outreach to key vendors for documentation<\/li>\n<li>A simple AI use policy that your team can follow<\/li>\n<li>A named internal owner for next steps<\/li>\n<li>Basic documentation of what you reviewed and decided<\/li>\n<\/ul>\n<p>If you have those six things, you are ahead of most businesses I talk to.<\/p>\n<hr \/>\n<h2>Step 1: Create an AI inventory<\/h2>\n<p>This is the first move because most firms do not actually know where AI is being used.<\/p>\n<p>And I do not mean just ChatGPT.<\/p>\n<p>I mean Microsoft 365 features, HR platforms, CRM tools, practice management software, note-taking apps, analytics tools, customer service tools, and industry-specific platforms that now include AI quietly in the background.<\/p>\n<p>Your inventory does not need to be fancy. A spreadsheet is fine.<\/p>\n<p>Start with these columns:<\/p>\n<ul>\n<li>Tool or platform name<\/li>\n<li>Business owner or team using it<\/li>\n<li>What AI feature is being used<\/li>\n<li>What output it generates<\/li>\n<li>Whether it influences any consequential decision<\/li>\n<li>Whether a vendor is involved<\/li>\n<li>Whether vendor documentation is available<\/li>\n<\/ul>\n<p>This step alone will give you clarity most firms do not have today.<\/p>\n<p>And if you support <a href=\"https:\/\/cmitsolutions.com\/denver-co-1228\/industries\/legal\/\" target=\"_blank\" rel=\"noopener\">law firms in Denver<\/a>, financial advisory teams, or consultancies, this matters because AI often enters through standard business software, not a formal \u201cAI project.\u201d<\/p>\n<hr \/>\n<h2>Step 2: Identify high-risk use cases<\/h2>\n<p>Once you have the inventory, the next step is to separate the routine from the risky.<\/p>\n<p>The practical question is simple:<\/p>\n<p><strong>Does this AI tool influence a consequential 
decision?<\/strong><\/p>\n<p>That includes decisions affecting:<\/p>\n<ul>\n<li>Hiring or employment<\/li>\n<li>Housing<\/li>\n<li>Lending or credit<\/li>\n<li>Insurance<\/li>\n<li>Healthcare<\/li>\n<li>Education<\/li>\n<li>Legal services<\/li>\n<li>Government-related access or benefits<\/li>\n<\/ul>\n<p>If the answer is yes, or even maybe, flag it for review.<\/p>\n<p>This is where many South Denver businesses realize the issue is not their visible AI use. It is the AI built into the systems they already trust.<\/p>\n<p>A meeting summary tool is usually low-risk. A resume ranking tool is not. A drafting assistant may be low-risk. A client scoring model that changes eligibility or access may not be.<\/p>\n<p>Do not overcomplicate this step. You are not trying to finish the legal analysis. You are trying to identify which workflows deserve attention.<\/p>\n<hr \/>\n<h2 id=\"vendors\">Step 3: Review your vendors<\/h2>\n<p>If I had to pick one area where businesses are most exposed, it is here.<\/p>\n<p>Many firms assume that if a third-party vendor built the AI, the vendor owns the problem.<\/p>\n<p>That is not how this works.<\/p>\n<p>If your business uses a vendor tool in a high-risk context, you may still have obligations as a deployer. That means you need to know what the vendor can provide.<\/p>\n<p>At minimum, start asking for:<\/p>\n<ul>\n<li>Documentation on how the AI system is intended to be used<\/li>\n<li>Any known limitations or risks<\/li>\n<li>Information about testing, monitoring, or bias mitigation<\/li>\n<li>Any compliance support materials relevant to Colorado or similar laws<\/li>\n<li>A point of contact for follow-up questions<\/li>\n<\/ul>\n<p>You are not looking for perfection on day one. 
You are looking for visibility.<\/p>\n<p>This matters whether you are providing <a href=\"https:\/\/cmitsolutions.com\/denver-co-1228\/managed-it-services\/\" target=\"_blank\" rel=\"noopener\">managed IT services in South Denver<\/a>, supporting a law office in Greenwood Village, or helping a growing firm in Lone Tree keep pace with security and compliance expectations.<\/p>\n<hr \/>\n<h2 id=\"policy\">Step 4: Put a basic AI use policy in place<\/h2>\n<p>This is the step many firms skip. I think that is a mistake.<\/p>\n<p>An inventory tells you what is happening. A policy tells your people how AI should and should not be used.<\/p>\n<p>Without a policy, each employee is making their own judgment call. Some will be cautious. Some will not. That is not governance. That is drift.<\/p>\n<p>Your first policy does not need to be complicated. It should be usable.<\/p>\n<p>Start with the basics:<\/p>\n<ul>\n<li>Which AI tools are approved<\/li>\n<li>Which tools are prohibited<\/li>\n<li>What kinds of data can and cannot be entered<\/li>\n<li>When human review is required<\/li>\n<li>What kinds of decisions need management approval<\/li>\n<li>Who employees should contact with questions<\/li>\n<\/ul>\n<p>If you do nothing else in the first month, do this. It creates a baseline. It also shows that you are taking reasonable steps to manage risk.<\/p>\n<p>For most small and mid-size businesses in the Denver Tech Center, Centennial, and Littleton, a basic policy goes further than people think. It reduces confusion, limits ad hoc tool adoption, and gives leadership something concrete to enforce.<\/p>\n<hr \/>\n<h2>Step 5: Assign ownership<\/h2>\n<p>One of the fastest ways for AI risk to grow is for nobody to own it.<\/p>\n<p>That does not mean you need a Chief AI Officer. 
Most firms are nowhere near that scale.<\/p>\n<p>But someone should be responsible for coordinating the inventory, gathering vendor information, maintaining the policy, and escalating questions when a use case looks high-risk.<\/p>\n<p>In some firms, that will be operations. In others, compliance, HR, legal, or IT. In smaller firms, it may simply be one senior leader with support from an outside advisor.<\/p>\n<p>The title matters less than the ownership.<\/p>\n<p>If everyone thinks someone else is handling AI, nobody is handling AI.<\/p>\n<hr \/>\n<h2>Step 6: Document what you learn<\/h2>\n<p>You do not need a giant compliance binder. But you do need a record.<\/p>\n<p>Keep notes on:<\/p>\n<ul>\n<li>Which tools you reviewed<\/li>\n<li>Which ones were flagged as potentially high-risk<\/li>\n<li>What vendor information you requested and received<\/li>\n<li>What policy decisions you made<\/li>\n<li>Who owns next steps<\/li>\n<\/ul>\n<p>This helps you run the work coherently, and it helps you show what you did and why if you ever need to.<\/p>\n<p>That is one of the recurring themes in cybersecurity services in Denver and compliance work generally. Reasonable care is easier to demonstrate when you have records.<\/p>\n<hr \/>\n<h2>What not to do in the first 30 days<\/h2>\n<p>Let me be just as clear about what I would not do.<\/p>\n<ul>\n<li>Do not wait for the law to become perfectly settled before doing anything<\/li>\n<li>Do not assume your vendors have everything handled<\/li>\n<li>Do not treat \u201cinternal use\u201d as automatically safe<\/li>\n<li>Do not write a bloated policy nobody will read<\/li>\n<li>Do not turn this into a panic project<\/li>\n<\/ul>\n<p>The goal is not to solve everything in a month. 
The goal is to get visibility, reduce obvious risk, and create enough structure that you can make smarter decisions going forward.<\/p>\n<hr \/>\n<h2>How we can help<\/h2>\n<p>I work with professional services firms across South Denver that want a practical way to get started. Not theory. Not fear. Just a clear assessment of what is in use, where the risk sits, and what to do next.<\/p>\n<p>If your firm needs help building an AI inventory, reviewing vendor tools, or putting a usable AI policy in place, we can help.<\/p>\n<p>We provide AI assessments and policy workshops designed for Colorado businesses that need clarity and momentum, not complexity.<\/p>\n<p style=\"text-align: center;margin: 30px 0\"><a style=\"background: #002f44;color: #fff;padding: 14px 32px;border-radius: 8px;text-decoration: none;font-weight: bold;font-size: 16px\" href=\"https:\/\/cmitsolutions.com\/denver-co-1228\/contact-us\/\" target=\"_blank\" rel=\"noopener\">Book an AI Assessment and Policy Workshop \u2192<\/a><\/p>\n<hr \/>\n<div id=\"faq\" style=\"padding: 70px 0;background: #f4f8fa\">\n<div style=\"max-width: 980px;margin: 0 auto;padding: 0 20px\">\n<h2 style=\"font-size: 30px;color: #002f44;text-align: center;margin: 0 0 28px;font-weight: bold\">Frequently Asked Questions About Your First 30 Days of AI Compliance<\/h2>\n<div style=\"background: #fff;border-radius: 16px;padding: 22px;border: 1px solid #d0dadf\">\n<details style=\"border: 1px solid #d0dadf;border-radius: 14px;margin: 14px 0;overflow: hidden;background: #fff;text-align: left\">\n<summary style=\"cursor: pointer;padding: 18px;font-weight: bold;color: #002f44\">Do we need a formal AI compliance program in the first 30 days?<span style=\"float: right;width: 22px;text-align: center;font-weight: 800;line-height: 1;color: #ef3f37\" aria-hidden=\"true\">+<\/span><\/summary>\n<div style=\"padding: 16px 18px 18px;color: #2b3b44;line-height: 1.7;background: #f4f8fa;border-top: 1px solid #d0dadf\">\n<p style=\"margin: 0 0 
12px\">No. The first 30 days should be about getting visibility and creating a basic structure. Start with an inventory, identify likely high-risk use cases, review key vendors, assign ownership, and put a simple policy in place.<\/p>\n<\/div>\n<\/details>\n<details style=\"border: 1px solid #d0dadf;border-radius: 14px;margin: 14px 0;overflow: hidden;background: #fff;text-align: left\">\n<summary style=\"cursor: pointer;padding: 18px;font-weight: bold;color: #002f44\">What should go into an AI inventory?<span style=\"float: right;width: 22px;text-align: center;font-weight: 800;line-height: 1;color: #ef3f37\" aria-hidden=\"true\">+<\/span><\/summary>\n<div style=\"padding: 16px 18px 18px;color: #2b3b44;line-height: 1.7;background: #f4f8fa;border-top: 1px solid #d0dadf\">\n<p style=\"margin: 0 0 12px\">At a minimum, list the tool name, who uses it, what AI feature is involved, what output it generates, whether it affects consequential decisions, whether a vendor is involved, and whether vendor documentation is available.<\/p>\n<\/div>\n<\/details>\n<details style=\"border: 1px solid #d0dadf;border-radius: 14px;margin: 14px 0;overflow: hidden;background: #fff;text-align: left\">\n<summary style=\"cursor: pointer;padding: 18px;font-weight: bold;color: #002f44\">Do small businesses really need an AI use policy?<span style=\"float: right;width: 22px;text-align: center;font-weight: 800;line-height: 1;color: #ef3f37\" aria-hidden=\"true\">+<\/span><\/summary>\n<div style=\"padding: 16px 18px 18px;color: #2b3b44;line-height: 1.7;background: #f4f8fa;border-top: 1px solid #d0dadf\">\n<p style=\"margin: 0 0 12px\">Yes. A basic policy helps prevent ad hoc use, reduces confusion, and gives your team guardrails. It does not need to be long. 
It just needs to be clear enough that employees know what tools are approved, what data can be used, and when human review is required.<\/p>\n<\/div>\n<\/details>\n<details style=\"border: 1px solid #d0dadf;border-radius: 14px;margin: 14px 0;overflow: hidden;background: #fff;text-align: left\">\n<summary style=\"cursor: pointer;padding: 18px;font-weight: bold;color: #002f44\">What if we do not know whether a workflow is high-risk?<span style=\"float: right;width: 22px;text-align: center;font-weight: 800;line-height: 1;color: #ef3f37\" aria-hidden=\"true\">+<\/span><\/summary>\n<div style=\"padding: 16px 18px 18px;color: #2b3b44;line-height: 1.7;background: #f4f8fa;border-top: 1px solid #d0dadf\">\n<p style=\"margin: 0 0 12px\">Flag it for review. In the first 30 days, you are not trying to answer every legal question perfectly. You are trying to identify the workflows that deserve closer attention so they can be reviewed with counsel or a qualified advisor.<\/p>\n<\/div>\n<\/details>\n<details style=\"border: 1px solid #d0dadf;border-radius: 14px;margin: 14px 0;overflow: hidden;background: #fff;text-align: left\">\n<summary style=\"cursor: pointer;padding: 18px;font-weight: bold;color: #002f44\">Should we wait until the law is finalized before doing this work?<span style=\"float: right;width: 22px;text-align: center;font-weight: 800;line-height: 1;color: #ef3f37\" aria-hidden=\"true\">+<\/span><\/summary>\n<div style=\"padding: 16px 18px 18px;color: #2b3b44;line-height: 1.7;background: #f4f8fa;border-top: 1px solid #d0dadf\">\n<p style=\"margin: 0 0 12px\">No. The law may change around the edges, but the core business steps still make sense. Knowing where AI is used, reviewing vendors, setting rules, and assigning ownership are good governance steps whether the final law changes or not.<\/p>\n<\/div>\n<\/details>\n<\/div>\n<\/div>\n<\/div>\n<hr \/>\n<p><em>Disclaimer: This article is provided for general informational purposes only and is not legal advice. 
Businesses should consult qualified legal counsel regarding their specific compliance obligations under SB 24-205 or any other applicable law.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This article is part of a\u00a0series on Colorado\u2019s AI and automated decision-making&#8230;<\/p>\n","protected":false},"author":1064,"featured_media":279,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17,16,1],"tags":[],"class_list":["post-851","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ai-regulation","category-artificial-intelligence-ai","category-local-it"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/cmitsolutions.com\/denver-co-1228\/wp-json\/wp\/v2\/posts\/851","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cmitsolutions.com\/denver-co-1228\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cmitsolutions.com\/denver-co-1228\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cmitsolutions.com\/denver-co-1228\/wp-json\/wp\/v2\/users\/1064"}],"replies":[{"embeddable":true,"href":"https:\/\/cmitsolutions.com\/denver-co-1228\/wp-json\/wp\/v2\/comments?post=851"}],"version-history":[{"count":0,"href":"https:\/\/cmitsolutions.com\/denver-co-1228\/wp-json\/wp\/v2\/posts\/851\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cmitsolutions.com\/denver-co-1228\/wp-json\/wp\/v2\/media\/279"}],"wp:attachment":[{"href":"https:\/\/cmitsolutions.com\/denver-co-1228\/wp-json\/wp\/v2\/media?parent=851"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cmitsolutions.com\/denver-co-1228\/wp-json\/wp\/v2\/categories?post=851"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cmitsolutions.com\/denver-co-1228\/wp-json\/wp\/v2\/tags?post=851"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}