How to Comply With Colorado’s AI Act (SB24-205) for High-Risk AI in Hiring: Lawyer Checklist
Colorado’s AI Act (SB24-205) requires deployers of “high-risk” AI used in hiring to implement a risk management program, conduct impact assessments, give notices, and allow appeals for adverse decisions. The law targets algorithmic discrimination and adds new compliance duties for employers and vendors using automated hiring tools. This article provides a lawyer-ready checklist focused on Colorado hiring workflows, contracts, documentation, and enforcement risk.
Colorado’s AI Act (SB24-205) and why hiring tools are in the crosshairs
Colorado’s AI Act—commonly referred to as SB24-205—creates statewide compliance obligations for organizations that develop or deploy certain “high-risk” artificial intelligence systems. For most employers, the most immediate exposure is recruiting and employment screening: resume scoring, automated interview analysis, candidate ranking, “knockout” questionnaires, background-screening decision engines, and similar tools that can meaningfully affect who advances in the process.
The law’s central policy goal is to reduce “algorithmic discrimination,” meaning unlawful or unfair differential treatment caused by AI outputs, data, or design. For employers, the practical takeaway is that high-risk AI in hiring is no longer just an HR or vendor-management issue—it’s a compliance program with documentation, notices, and individual rights similar in feel to privacy and consumer protection regimes.
Who must comply: “developers” vs. “deployers” (employers are usually deployers)
SB24-205 distinguishes between two roles:
Deployers (typically employers)
A “deployer” is the organization using a high-risk AI system to make, or be a substantial factor in making, decisions in covered areas. In hiring, most employers fall into this bucket because they are using a vendor’s tool (or an internal model) to screen, rank, or select candidates.
Developers (typically vendors, but sometimes in-house teams)
A “developer” is the organization that creates or substantially modifies the AI system. If your company’s data science team builds or materially fine-tunes a hiring model (beyond mere configuration), you may have developer obligations in addition to deployer obligations.
Why the distinction matters: The statute allocates specific duties to each role, but deployers cannot “contract out” of responsibility. Even if a vendor promises compliance, the employer still needs its own program and evidence that it is reasonably relying on appropriate developer information.
Step 1: Confirm whether your hiring AI is “high-risk” under Colorado law
Compliance starts with scoping. SB24-205 focuses on AI systems used to make, or that are a substantial factor in making, “consequential decisions” in certain contexts—commonly including employment-related decisions. Many mainstream hiring products can qualify when they materially influence hiring outcomes.
Practical indicators your tool is likely high-risk in hiring
Consider the tool high-risk (or treat it as such) if it does any of the following:
- Automatically advances or rejects candidates based on scoring thresholds (“auto-disposition”).
- Produces rankings or “fit scores” that recruiters follow as a primary workflow.
- Analyzes video/audio interviews (tone, sentiment, facial movements) to score candidates.
- Uses assessments (cognitive, personality, integrity) that drive selection decisions.
- Integrates into ATS systems in a way that materially changes human review order or visibility.
Edge case: If the AI is purely administrative (e.g., scheduling interviews) and not a substantial factor in selection, it may fall outside high-risk. Document your reasoning either way.
Step 2: Build a written risk management program (what attorneys should insist on)
SB24-205 expects deployers to implement a risk management program tailored to high-risk use. For employers, that means a documented governance process for hiring AI—before procurement, during deployment, and throughout monitoring.
Core components of a defensible program
Attorneys advising HR and compliance teams should ensure the program includes:
- Ownership and accountability: Identify a responsible business owner (HR/TA), a compliance owner (Legal/Privacy/Compliance), and an escalation channel for complaints.
- System inventory: A living list of AI-enabled hiring tools, their purpose, vendors, data sources, and decision points influenced.
- Use policy and guardrails: Prohibit use for protected-class inference, “shadow scoring,” or re-purposing beyond validated hiring objectives.
- Human oversight: Define when human review is required, what “meaningful review” entails, and how overrides are handled.
- Training: Role-based training for recruiters and hiring managers on proper reliance, limitations, and bias risks.
- Incident response: A process to pause a tool, preserve logs, and investigate if discrimination or errors are suspected.
Drafting tip: Treat the program like a hybrid of EEO compliance, vendor risk management, and privacy impact assessment—because in an enforcement posture, regulators will ask for contemporaneous documentation showing you identified and managed risk.
Step 3: Conduct and document impact assessments for hiring AI
One of the most important practical duties is performing an assessment (often called an impact assessment) that evaluates foreseeable risks of algorithmic discrimination and other harms, and documents mitigation steps.
What to include in a hiring AI impact assessment
For a hiring context, a strong assessment typically covers:
- Purpose and necessity: What hiring step the AI supports and why AI is needed versus a non-AI process.
- Decision mapping: Where the AI output enters the process (screening, ranking, interview selection, offer decisions).
- Data inputs: Resume fields, assessment items, interview signals, background data; identify any proxies for protected characteristics.
- Testing and validation: Pre-deployment testing for disparate impact; ongoing monitoring cadence.
- Risk controls: Threshold settings, human review, adverse action workflows, and limitations on use.
- Accessibility considerations: How the tool handles disabilities (e.g., speech patterns, video requirements) and accommodations.
- Recordkeeping: What logs are retained (scores, explanations, reviewer notes) and for how long.
Example: resume screener with knockout rules
If an AI tool rejects candidates who lack certain credentials, assess whether those criteria correlate with protected classes (e.g., degree requirements not job-related and consistent with business necessity). Mitigation may include alternative pathways (skills tests), periodic audits, and disabling auto-reject features.
Step 4: Provide required notices and transparency in the hiring workflow
SB24-205 contains transparency expectations that, in practice, require employers to communicate when high-risk AI is used and how applicants can seek review or appeal. In hiring, notices should be timed and written so applicants can understand the role the tool plays.
Where notices typically belong
- Job posting or application portal: A clear statement that AI may be used in screening or evaluation.
- Assessment/interview invitation: If a specific AI assessment is used (e.g., automated video scoring), disclose before the candidate participates.
- Adverse decision communication: If a decision was materially influenced by AI, provide instructions for requesting human review or appealing.
Drafting tip for counsel: Align AI notices with existing background check/adverse action and EEO communications, but avoid misleading boilerplate. Regulators tend to scrutinize vague notices that do not reflect the actual decision flow.
Step 5: Create an appeal / human review process for adverse outcomes
High-risk AI regimes generally require mechanisms for individuals to challenge or seek review of adverse decisions. For hiring, employers should implement an internal process so applicants can request reconsideration by a qualified human reviewer.
Minimum operational elements
- Intake channel: Email/web form and mailing address; ensure accessibility.
- Identity verification: Prevent unauthorized access while keeping friction reasonable.
- Reviewer qualifications: Train reviewers to interpret AI outputs and recognize model limitations.
- Documentation: Record the request, what was reviewed, whether the AI output was overridden, and rationale.
- Timelines: Set internal service levels (e.g., acknowledge within days; resolve within a defined period).
Practical constraint: Hiring moves fast. Build a triage approach: prioritize roles still open, and preserve evidence for roles closed to protect against later disputes.
Step 6: Negotiate vendor contracts to obtain the information Colorado expects
Most employers rely on third-party hiring vendors. SB24-205 makes vendor contracting a key compliance lever because deployers need sufficient information to assess and monitor risk.
Contract terms attorneys should push for
- Model and data disclosures: Documentation describing intended use, training approach at a high level, known limitations, and appropriate use constraints.
- Testing support: Vendor cooperation for bias testing and validation (including providing necessary output data and methodology summaries).
- Change management: Notice before material model updates, new features, or data source changes; right to re-assess.
- Audit rights: Reasonable audit provisions (or independent audit reports) to confirm compliance claims.
- Indemnity and allocation of risk: Tailored indemnities for algorithmic discrimination claims tied to vendor defects, plus limits consistent with risk.
- Data governance: Restrictions on using applicant data to train vendor models unless expressly approved; clear retention/deletion duties.
- Subprocessor controls: Flow-down obligations to subcontractors providing AI components.
Procurement reality:





















