Preparing for the Colorado AI Act: A Guide for Banks and Credit Unions

What the Colorado AI Act Actually Does

Colorado Senate Bill 24-205, known as the Colorado AI Act, is the first broadly applicable state law in the United States that directly regulates AI systems used to make "consequential decisions." That phrase is the one that matters. The Act targets any automated system that substantially influences decisions about credit, lending, employment, housing, insurance, healthcare, education, legal services, or essential government services.

For banks and credit unions, the scope is obvious. Credit decisions, lending approvals, pricing, and any AI used in underwriting fall inside the definition. Unlike voluntary federal guidance, the Act carries enforcement authority, with the Colorado Attorney General empowered to bring actions.

Here is what the law actually requires of institutions deploying high-risk AI systems:

1. Risk management program: documented, regularly updated controls around the development, deployment, and monitoring of any high-risk AI system.
2. Impact assessments: documented evaluations of each system's purpose, data, performance, and foreseeable risks of discrimination or harm.
3. Consumer notice: clear disclosure to consumers when an AI system is used in a consequential decision that affects them, including the right to an explanation and the right to appeal.
4. Bias and discrimination controls: reasonable care to avoid algorithmic discrimination, backed by testing and ongoing monitoring.
5. Disclosure to the Attorney General: reporting of discovered discrimination within ninety days.

Why Banks Are Squarely in Scope

Of all the industries the Colorado AI Act covers, banking has the most direct exposure. Nearly every meaningful AI use case in a bank touches a decision that meets the consequential-decision standard. Credit decisions. Pricing decisions. Eligibility for products. Fair lending exposure. Even service-side AI agents that suggest product offerings can fall inside the scope depending on how they are deployed.

That exposure is compounded by the regulatory environment banks already operate in. The OCC, CFPB, FDIC, Federal Reserve, and NCUA have each made clear that existing fair lending, model risk (SR 11-7), and consumer protection rules apply to AI systems the same way they apply to traditional models. The Colorado AI Act does not replace any of that. It adds state-level enforcement on top of federal supervisory expectations.

Federal bank regulators have already told institutions that existing rules apply to AI. Colorado just added teeth and a deadline.

The hard questions any bank needs to answer before June 30:

• Do we know which of our AI systems, including Copilot agents and vendor models, meet the high-risk standard?
• Do we have documented impact assessments for the models already in production?
• Can our data lineage and documentation survive a regulatory request without a scramble?
• Who inside the bank is accountable when an AI system produces a consequential decision?

These are the questions the Act is going to force every bank to answer with documentation rather than assurances.

The Five Capabilities Banks Need Before June 30, 2026

Most banks will not be caught off guard by the concept of the Colorado AI Act. They will be caught off guard by how specific the documentation has to be. These five capabilities separate the banks that are ready from the banks that are not.

1. Unified Identity and Data Lineage

Every AI-assisted decision needs to be traceable from output back to its inputs. That is only possible when customer, product, and transaction data share a common identity across systems. Fragmented data is the single biggest reason banks cannot produce the audit trail regulators now expect.

• Example: A commercial credit decision influenced by a Copilot-generated briefing should be linkable to the underlying data the briefing was built from.
• Business impact: Documentation becomes a byproduct of the workflow rather than a scramble when an audit request lands.

2. Documented Impact Assessments

Every high-risk AI system needs a living document that describes its purpose, data sources, known limitations, and discrimination risk. These are not one-time writeups. They get updated as the model changes.

• Example: The bank's loan origination AI has an impact assessment refreshed any time the training data or model version changes.
• Business impact: Regulators get their answer in a week, not a quarter, when they ask.

3. Human-in-the-Loop Checkpoints

For any AI output that influences a credit, pricing, or eligibility decision, there needs to be a human decision-maker with clear accountability, not a rubber stamp. The Act does not ban automated decisions, but it requires that consequential ones come with meaningful human review and an appeal pathway.

• Example: AI-drafted credit memos get final review from a credit officer, documented in the system of record.
• Business impact: The bank retains defensible decision authority while still capturing the efficiency benefit of AI.

4. Consumer Notice and Explanation Pathways

Consumers affected by a consequential AI decision have rights under the Act: to know the system was used, to receive a plain-language explanation of the key factors, and to appeal the decision. That has to be built into the customer-facing workflow, not attached at the end.

• Example: A denied loan applicant receives a clear notice that AI was used in the decision, what the key factors were, and how to appeal.
• Business impact: Legal exposure shrinks, and so does reputational risk from complaint escalations.

5. Bias Testing and Monitoring

Reasonable care to avoid algorithmic discrimination requires documented testing before deployment and ongoing monitoring in production. This is where most banks struggle, because the monitoring cadence is new even for institutions with mature model risk frameworks.

• Example: Fair lending disparate-impact testing runs against the AI-assisted decision set on the same cadence as traditional model validation.
• Business impact: Discovered issues get flagged and corrected before they surface in a regulator's exam.

Where Governance Breaks Down in Most Banks

The gap between what the Act requires and what most banks actually have in place is not a legal gap. It is an infrastructure gap. Banks operating on a fragmented stack (separate core, separate CRM, separate loan origination, separate marketing data) cannot produce the lineage, the impact assessments, or the real-time monitoring regulators are about to require. The fix is harder to retrofit than it is to build in.

Execution matters as much as strategy here. Most of the failure modes we see are not about the technology. They are about the organization of the work.

What banks that handle this well tend to do:

• Centralize AI oversight with clear accountability at the executive level, not scattered across business units.
• Make documentation a deliverable of deployment, not a project after deployment.
• Use defined environments (development, test, production) for AI workloads so that changes can be traced.
• Apply data loss prevention and data governance policies to Power Platform connectors and external model calls.
• Treat consumer notice and explanation as a product requirement rather than a legal afterthought.

Banks that skip this planning end up in one of two places: the AI investments stall because risk and compliance cannot clear them, or they go live without documentation and scramble when the first regulatory inquiry arrives. Neither outcome is recoverable cheaply.

Key Takeaways

• The Colorado AI Act is effective June 30, 2026, and lending and credit decisions are squarely in scope.
• The Act applies to any bank serving Colorado customers, not only Colorado-chartered institutions.
• Compliance requires documented risk management, impact assessments, consumer notice, bias testing, and human oversight for consequential decisions.
• Governance capability is an infrastructure question as much as a policy question. A fragmented stack makes compliance far harder.
• Banks that build governance into the stack now will be ready for the wave of state and federal AI rules that follow.

Where to Go From Here

The practical task in front of every bank right now is to inventory its AI systems, map them against the Colorado standard, and close the gaps in lineage, documentation, and human oversight before the June 30, 2026 deadline. The institutions that treat this as a strategic project rather than a legal checkbox are the ones that will be able to scale AI investment after the Act takes effect instead of hitting the brakes.

TrellisPoint works with banks and credit unions to modernize on the Microsoft platform with governance built in from day one, through Dynamics 365 implementation, Power Platform controls, and the unified data foundation that makes documented, defensible AI possible. If you want the full picture of where governance fits into the broader modernization sequence, read our whitepaper on the modern bank tech stack.