From reviewing Colorado DOI filings where life insurers documented external data model decisions under Regulation 10-1-1, the safe harbor's edges show up well before the Colorado AI Act's operative date. As of April 18, 2026, carriers have 73 days until the Colorado Artificial Intelligence Act (SB 24-205) goes live on June 30, 2026, after the five-month delay enacted through SB 25B-004 in August 2025. The statute's §10-3-1104.9 carve-out for insurers using algorithms and predictive models in compliance with existing DOI rules reads like a complete shield. In practice, it covers a narrow slice of carrier AI activity, and the gap between what Reg 10-1-1 already documents and what CAIA now demands is where compliance failures will surface.

This article maps the current state of the Colorado AI Act as it applies to insurance carriers: the revised effective date, the July 1, 2026 first annual compliance report deadline for auto and health benefit plan insurers, the actual scope of the §10-3-1104.9 safe harbor, the small deployer exemption, and the pending replacement framework proposed by the Colorado AI Policy Work Group in March 2026. It also walks through the three places the safe harbor does not reach (affiliated non-insurer entities, third-party model vendors, and AI use cases outside the DOI's existing rulemaking), which is where most carrier compliance programs need targeted work before June 30.

Where the Deadline Stands: From February 1 to June 30, 2026

Colorado enacted SB 24-205 in May 2024, making it the first state in the country to pass a broad, risk-based artificial intelligence statute applicable to private sector developers and deployers. The original text set February 1, 2026 as the principal operative date for the act's substantive requirements on high-risk AI systems.

That date did not hold. In August 2025, Colorado enacted SB 25B-004, moving the effective date to June 30, 2026. The Baker Botts September 2025 alert tracking the delay described it as a stopgap to give the legislature and the Colorado AI Policy Work Group more time to refine definitions and carve-outs before the operative date triggered enforcement by the Colorado Attorney General. The five-month extension was not a pause on compliance work; it was an extension of the runway.

As of April 18, 2026, the revised operative date sits 73 days out. Insurers operating in Colorado or that have Colorado residents among their customer base have that window to complete the compliance steps the act requires of deployers of high-risk AI systems: impact assessments, risk management programs, consumer disclosures, and documentation sufficient to establish a rebuttable presumption against the algorithmic discrimination claim the act creates.

The First Annual Compliance Report: July 1, 2026

A detail that has received less attention than the CAIA effective date is the July 1, 2026 first annual compliance report deadline for auto and health benefit plan insurers under the separate rulemaking track at the Colorado Division of Insurance. This deadline comes from the DOI's quantitative testing regulations for external consumer data and information sources (ECDIS) and algorithms and predictive models (APMs), implemented under SB 21-169.

The July 1, 2026 filing is the first annual compliance report under Regulations 10-1-1 (governance and risk management), 10-1-2 (life insurance testing), and the parallel auto insurance regulation. For life insurers using ECDIS in underwriting, the 2026 filing reports on calendar year 2025 practices: what data sources were used, what testing was performed, what disparate outcome results were observed, and what corrective actions were taken. For auto insurers, the annual report covers similar ground focused on rating algorithms and risk classification models.

The practical compression is severe. Insurers filing the July 1, 2026 report are doing so one day after the Colorado AI Act's June 30 effective date. Any structural gap between DOI-regulated AI activity (where Reg 10-1-1 documentation exists) and the broader universe of AI-driven business decisions inside the carrier organization (where it may not) becomes visible simultaneously to two different regulatory surfaces.

The §10-3-1104.9 Safe Harbor: What It Covers

Section 10-3-1104.9 of the Colorado Revised Statutes, added by SB 24-205, is the insurance safe harbor. The statutory text exempts an insurer from the Colorado AI Act's deployer obligations if the insurer is using an algorithm or predictive model in a manner consistent with rules promulgated by the Commissioner of Insurance governing the use of external consumer data, algorithms, and predictive models in insurance practices.

Put simply, if an insurer is already doing what Colorado DOI Reg 10-1-1 requires, the insurer does not additionally have to perform the impact assessments, risk management program documentation, and consumer notices that CAIA imposes on other high-risk AI deployers. The safe harbor treats DOI oversight as the functional equivalent of CAIA oversight for the specific AI activity that DOI rulemaking has addressed.

The scope of DOI rulemaking as of April 2026 covers:

  • Regulation 10-1-1 (Governance and Risk Management Framework): Applies to all Colorado-authorized life insurers using ECDIS or APMs in any insurance practice with direct impact on consumers. Requires a documented governance and risk management framework, designated senior accountable officer, ongoing monitoring, and documented testing.
  • Regulation 10-1-2 (Life Insurance Quantitative Testing): Requires life insurers using ECDIS or APMs in underwriting to perform annual quantitative testing for unfairly discriminatory outcomes across race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, and gender expression. Includes specified statistical methodologies and remediation obligations where disparate outcomes are identified.
  • Auto insurance rulemaking (in progress through 2025-2026): Parallel framework for auto insurers covering rating algorithms and classification models. The rule text has gone through multiple drafts; the annual reporting obligation for auto insurers ties into the same July 1 filing cadence.

A life insurer writing individual life business in Colorado that uses an external credit-based mortality score in underwriting, and that has a documented Reg 10-1-1 governance framework, an annual quantitative testing program under Reg 10-1-2, and a remediation process for any identified disparate outcomes, is squarely inside the §10-3-1104.9 safe harbor for that specific activity. The carrier does not owe CAIA impact assessments, a duplicative risk management program, or CAIA-specific consumer notices for the credit-based mortality score use case.

Where the Safe Harbor Breaks

From reviewing Colorado DOI filings where life insurers documented external data model decisions under Reg 10-1-1, three categories of AI activity routinely fall outside the safe harbor even at carriers that are otherwise fully compliant with DOI rules.

1. AI Used by Affiliated Non-Insurer Entities

Holding company structures create a gap. The safe harbor applies to insurers, meaning entities licensed as insurers by the Colorado Commissioner of Insurance. Many carriers operate affiliated entities that perform work upstream or downstream of the insurance contract: managing general agents, third-party administrators, data analytics subsidiaries, captives, and specialty service companies. When AI is deployed inside those affiliated entities rather than inside the licensed insurance entity, DOI rulemaking does not reach it, and neither does §10-3-1104.9.

Consider an agency pre-sale tool that scores prospective applicants using an AI model to suggest which products to quote. If the tool sits in an affiliated MGA rather than the licensed insurer, the MGA is a deployer under CAIA in its own right and receives no safe harbor. The Mayer Brown March 2026 analysis of the Work Group proposal explicitly identified this structural mismatch as one of the open issues the Work Group was trying to address, but the current statute does not resolve it.

2. Third-Party AI Vendors Supplying the Insurer

The safe harbor protects the insurer; it does not automatically protect the vendor. A third-party AI vendor whose model is embedded in the insurer's underwriting workflow may itself qualify as a developer or deployer of a high-risk AI system under CAIA, triggering separate obligations for the vendor around documentation, impact assessment support, and known risk disclosure to the insurer-customer.

This parallels the direction the NAIC Third-Party AI Vendor Registry framework is moving at the federal-level coordination layer. Colorado reaches the same result through a different mechanism: the vendor is independently regulated under CAIA even when its insurer customer is inside the §10-3-1104.9 safe harbor. Carriers relying heavily on vendor-supplied AI for underwriting or claims cannot assume that vendor compliance will automatically travel with the carrier's own safe harbor posture.

3. AI Use Cases Outside DOI Rulemaking

DOI Regulations 10-1-1 and 10-1-2 focus on insurance practices with direct consumer impact, primarily underwriting, pricing, and related rating decisions. The carrier enterprise deploys AI in many other contexts that have either no direct consumer impact or only indirect impact: internal HR tools, fraud investigation triage, claims workflow automation that informs but does not determine outcomes, agent productivity analytics, marketing segmentation for existing customers, and internal model validation workbenches.

Some of these fall outside CAIA entirely (low-risk uses); others qualify as high-risk AI systems under CAIA but sit outside the DOI safe harbor because DOI rulemaking does not address them. A claims fraud triage model that scores incoming claims for investigation priority may not rate or underwrite anyone, but if it influences the speed, depth, or outcome of claim settlement in a way that can be characterized as a consequential decision, it lands inside CAIA's high-risk system definition without the benefit of the Reg 10-1-1 safe harbor. Carriers that have mapped their AI inventory primarily to the DOI disclosure forms miss this category.

Impact Assessment, Risk Management Program, and Consumer Notice Obligations

Where the safe harbor does not apply, the CAIA deployer obligations kick in. The statute requires a deployer of a high-risk AI system to:

  • Implement a risk management policy and program that is an iterative, documented process identifying, documenting, and mitigating known or reasonably foreseeable risks of algorithmic discrimination. The policy must specify the principles, processes, and personnel the deployer uses.
  • Complete an impact assessment for each high-risk AI system annually and within 90 days after any intentional and substantial modification. The assessment covers the system's purpose, benefits, uses, categories of data processed, outputs produced, and the results of any reasonably foreseeable misuse or abuse analysis.
  • Notify consumers when a high-risk AI system is deployed to make or is a substantial factor in making a consequential decision concerning the consumer. The notice must be provided at or before the time of the decision and describe the system's purpose and the nature of the consequential decision.
  • Disclose to the Attorney General the discovery of algorithmic discrimination arising from the high-risk AI system within 90 days of discovery.
  • Provide a statement describing the categories of high-risk AI systems the deployer uses and how the deployer manages known or reasonably foreseeable risks. The statement is publicly posted.

The Moore & Van Allen compliance analysis emphasizes that the risk management program and the impact assessment are not the same document. The risk management program is the ongoing organizational function. The impact assessment is the point-in-time artifact produced for a specific system. Carriers that conflate the two produce assessments that read like policy summaries and policies that read like assessment narratives, neither of which satisfies the statute.

The consumer notice obligation is particularly consequential for carriers with AI embedded in claims workflows. A consumer affected by an adverse consequential decision has the right to an explanation, to correct inaccurate personal data, and to appeal the decision to human review where technically feasible. Building those rights into an existing claims workflow requires either a pre-decision notice at claim intake or a re-tooled adverse-action pipeline that surfaces AI involvement when a claim outcome is communicated.

The Small Deployer Exemption: Narrow in Insurance

CAIA includes a small deployer carve-out for businesses with fewer than 50 full-time employees that do not use the deployer's own data to train the high-risk AI system. The exemption is designed to spare small businesses that integrate off-the-shelf AI tools into their operations without meaningful customization.

For insurance carriers, the exemption is narrow for two reasons. First, most Colorado-admitted carriers and their affiliates exceed the 50-employee threshold at the group level. Second, the exemption disappears where the deployer uses its own data to customize or retrain the AI system, which is a near-universal practice for carriers using vendor models in underwriting and claims. A carrier providing its own claims history to retrain a vendor fraud detection model has disqualified itself from the small deployer exemption for that system.

Independent agency and MGA affiliates may qualify more often than the carrier itself, but those entities are still deployers of high-risk AI systems and still need to evaluate the exemption against their actual data use. The default assumption that any carrier-affiliated entity has reached safe harbor through the small deployer exemption is almost always wrong.

The Colorado AI Policy Work Group's March 2026 Replacement Framework

In March 2026, the Colorado AI Policy Work Group (established in August 2025 as part of SB 25B-004) released a proposed replacement framework. The Mayer Brown analysis identifies several meaningful structural changes under consideration:

  • A narrower definition of "substantial factor" in consequential decisions, reducing the range of AI involvement that triggers high-risk classification.
  • A tightened scope of covered decision types, potentially removing some categories that commenters argued were outside the legislature's original intent.
  • A clarified safe harbor structure with explicit coverage for third-party vendors of insurers that are themselves within a DOI safe harbor.
  • A recalibrated small deployer exemption with a higher employee threshold and revised treatment of carrier-affiliated data use.

The Work Group proposal is a proposal. It has not been introduced as a bill, and even if introduced during the 2026 legislative session, the normal path would not produce a signed law before the June 30, 2026 effective date. The practical effect is that the existing CAIA text is the compliance baseline carriers must meet on June 30, with the Work Group framework representing the most likely shape of 2027 amendments rather than a near-term substitute.

The probability that the Work Group framework fully replaces the current act before June 30 is low. The probability that it passes in a modified form during the 2026 legislative session and becomes effective January 1, 2027 is moderate. The probability that some version of the framework is eventually enacted is high, based on the composition of the Work Group (balanced industry, consumer, and civil rights representation) and the governor's stated support for targeted revisions.

Overlap With the NAIC Framework

Colorado is not operating in a vacuum. Three parallel NAIC initiatives create a layered regulatory environment for insurer AI:

| Initiative | Status as of April 2026 | Interaction With CAIA |
|---|---|---|
| NAIC AI Model Bulletin | Adopted by ~24 states plus DC; guidance-based | Colorado has adopted the Model Bulletin through its own rulemaking. The governance expectations overlap substantially with CAIA risk management requirements, but CAIA extends beyond Model Bulletin scope to cover non-insurance affiliates and non-underwriting use cases. |
| NAIC AI Systems Evaluation Tool Pilot | 12-state pilot running March to September 2026 | Colorado is not currently a pilot state. Carriers operating across pilot and non-pilot states must manage CAIA documentation separately from Evaluation Tool documentation even though the underlying evidence overlaps. |
| NAIC Third-Party AI Vendor Registry (Proposed) | Exposure draft; Spring 2026 refinement | If adopted, would create a registry at the NAIC level that complements CAIA's vendor-as-independent-deployer structure. Vendors serving Colorado carriers would face both Colorado CAIA obligations and NAIC registry obligations, though the documentation could be substantially shared. |

From tracking the interaction between Colorado rulemaking and NAIC activity across the past three years, a consistent pattern emerges: Colorado tends to act first with a broad, risk-based approach; the NAIC responds with a narrower, insurance-specific framework; then Colorado's own rulemaking refines around the insurance-specific approach. The §10-3-1104.9 safe harbor is the first iteration of that pattern applied to AI regulation. The Work Group framework is the likely second iteration.

Compliance Checklist for Insurers: Next 73 Days

Based on the structural gaps described above, carriers operating in Colorado should be using the remaining runway to June 30, 2026 to complete the following:

  1. Complete the enterprise AI inventory. Map every AI system in use by the Colorado-admitted entity and by every affiliated entity that has contact with Colorado consumers. For each system, identify whether it makes or is a substantial factor in a consequential decision concerning a consumer. This is the foundation for every subsequent compliance decision.
  2. Classify each system against the §10-3-1104.9 safe harbor. For each high-risk system, determine whether the DOI has promulgated rules governing its use (Reg 10-1-1, Reg 10-1-2, auto rulemaking). For systems within safe harbor scope, confirm that documentation already produced for Reg 10-1-1 is sufficient to establish safe harbor. For systems outside safe harbor scope, initiate CAIA-specific impact assessments.
  3. Reconcile the July 1, 2026 annual compliance report with CAIA obligations. The DOI report and the CAIA impact assessments share underlying evidence. Build a single documentation architecture that serves both filings rather than two parallel processes. Carriers that duplicate effort will miss the deadline on one or both sides.
  4. Address the affiliated non-insurer gap. Inventory AI systems at MGAs, TPAs, data analytics affiliates, and captive service companies. These entities are direct CAIA deployers; they do not inherit the §10-3-1104.9 safe harbor from the licensed insurer affiliate. Build deployer obligations (risk management program, impact assessments, consumer notices) into their operations before June 30.
  5. Engage third-party AI vendors on CAIA compliance. Send vendor questionnaires confirming vendor status as developer or deployer under CAIA, the vendor's own risk management program, and the vendor's commitment to provide information needed for the carrier's impact assessments. Vendors unable to produce this documentation represent compliance risk that needs to be priced or remediated.
  6. Finalize consumer notice language and delivery mechanisms. Draft CAIA-specific consumer notices for each consequential-decision context, integrate them into existing workflows (application, claims intake, appeals), and test delivery against the at-or-before-the-decision timing requirement. Retrofit claims adverse-action communications to surface AI involvement where applicable.
  7. Designate the senior accountable officer. Reg 10-1-1 already requires a designated senior accountable officer for AI governance in regulated insurance functions. Extend the designation to cover CAIA obligations across all affiliates, or designate additional accountable officers for the non-insurer entities. Document the governance structure in the CAIA risk management policy.
  8. Build the 90-day AG disclosure pipeline. Define the internal trigger that requires notification to the Attorney General when algorithmic discrimination is discovered. Integrate the trigger into existing complaint tracking, DOI complaint handling, and model performance monitoring so that the 90-day clock is identifiable from the date of discovery.

What the Next Six Months Will Show

The Colorado AI Act is the first US state law that puts carrier AI compliance on a statute-based footing rather than a guidance-and-examination footing. The §10-3-1104.9 safe harbor is a genuine concession to insurance regulatory primacy, but only for activity DOI has actually regulated. The structural question facing every carrier is not whether DOI rules cover its core underwriting models; those are well-documented by now. The question is whether the carrier's AI inventory reaches into affiliated entities, third-party vendors, and claims or operational use cases that DOI has not touched, and whether the compliance program addresses those systems under CAIA directly.

Between June 30 and December 31, 2026, the Colorado Attorney General will make early decisions about enforcement priorities. The first set of AG actions will signal whether the AG treats the safe harbor narrowly or expansively, whether good-faith compliance efforts receive a first-violation remediation period, and whether consumer private right of action (the act creates one) drives the caseload more than AG enforcement. Carriers that have invested in the inventory, the documentation, and the vendor engagement ahead of June 30 will be positioned to survive that first wave of enforcement regardless of how the posture settles. Those that relied on a reading of the safe harbor that treats all carrier AI activity as DOI-regulated by default will find the boundaries the hard way.

The Work Group framework is the most likely path to legislative amendment, but its timeline almost certainly extends past the June 30 effective date. Planning for compliance under the Work Group framework rather than the current statute is a bet on legislative timing that the calendar no longer supports.

Sources

  1. Colorado General Assembly, SB 24-205: Consumer Protections for Artificial Intelligence (enacted May 2024)
  2. Colorado General Assembly, SB 25B-004: Modifications to the Colorado AI Act (enacted August 2025)
  3. Akin Gump AI Law Blog, "State Roundup: Colorado Delays Implementation of AI Discrimination Law" (2025)
  4. Baker Botts, "Colorado AI Act Delayed Until June 30, 2026" (September 2025)
  5. Mayer Brown, "Colorado AI Policy Work Group Proposes Replacement Framework" (March 2026)
  6. Colorado Division of Insurance, SB 21-169 External Data and Algorithms Page
  7. Colorado DOI, Regulation 10-1-1 Life Insurance Governance Framework
  8. Moore & Van Allen, Colorado AI Act Compliance Guide (2025)
  9. NAIC, Model Bulletin on the Use of Artificial Intelligence Systems by Insurers (December 2023)
  10. NAIC, Big Data and Artificial Intelligence (H) Working Group
  11. NAIC, Third-Party Data and Models (H) Working Group
  12. Actuarial Standards Board, ASOP No. 56: Modeling
