What Happened
Last week, Colorado lawmakers held a special session that culminated in a decision to delay the implementation of the Colorado Artificial Intelligence Act (CAIA) until June 30, 2026, extending the timeline beyond its original February 2026 start date. That delay gives businesses a brief window to prepare, but the law remains in effect, requiring companies to build governance programs and perform regular impact assessments of high-risk AI systems.
With CAIA still slated to take effect next year, two very different approaches to AI liability are emerging. At the federal level, Executive Order 14281 directs agencies to abandon disparate impact analysis and limit liability to intentional discrimination, as detailed below. As the first comprehensive AI regulation at the state level, CAIA represents an entirely different approach, making companies responsible for disparate impacts even when there is no evidence of intent to discriminate.
For businesses, this creates a divided regulatory landscape. One path expands liability and imposes proactive compliance obligations, while the other narrows liability and reduces oversight requirements. The challenge is to design or deploy an AI governance approach that complies with these starkly contrasting standards.
I. CAIA: Liability for Unintentional Discrimination
CAIA establishes liability for both developers and deployers of AI if their systems produce discriminatory outcomes, even without intent. The act defines algorithmic discrimination to include disparate impacts caused by AI in consequential decisions, and it classifies as “high-risk” those systems that influence decisions in areas such as employment, housing, credit, education, health care, insurance, legal services, and essential government services.
The Role of Impact Assessments Under CAIA
“Impact assessments” are a central component of CAIA’s new regulatory requirements for AI in the state. Deployers of these high-risk AI systems must complete an impact assessment before the system is first used, repeat the assessment at least annually, and conduct a new one within 90 days of any substantial modification, such as a retraining the model or making a major change in inputs or outputs.
Each impact assessment must include:
- A description of the system’s purpose, intended use, and context of deployment;
- The categories of input data and the nature of the system’s outputs;
- An overview of the categories of data that the deployer used to customize or retrain the system.
- The performance metrics used to evaluate accuracy and fairness, along with known limitations;
- An analysis of potential risks of algorithmic discrimination;
- The steps taken to mitigate those risks;
- The transparency and oversight measures in place, including whether consumers are informed of AI use; and
- Post-deployment monitoring procedures to catch issues as the system operates.
Impact assessments must be documented and retained for at least three years. As noted above, these assessments create an ongoing obligation for companies to continually test and validate the fairness of their systems in order to prevent disparate impacts from occurring.
CAIA’s Safe Harbors and Enforcement
CAIA provides a form of safe harbor for companies that meet its requirements. Businesses that maintain a risk management program and complete the required impact assessments receive a rebuttable presumption of compliance. In addition, an affirmative defense is available if a violation is discovered and cured while the company is following a recognized risk framework.
Enforcement authority rests with the Colorado Attorney General (AG), and deployers must notify the AG within 90 days of discovering algorithmic discrimination. The effect is that while liability under CAIA extends to unintentional discrimination, companies that perform and document robust assessments and governance programs will have significant legal protections if problems arise.
II. Federal Approach: Liability for Intentional Discrimination Only
In April 2025, President Trump issued Executive Order 14281, titled “Restoring Equality of Opportunity and Meritocracy.” The order directs federal agencies to abandon disparate impact analysis in rulemaking and enforcement. Under this approach, liability is limited to intentional discrimination. Disparate outcomes without intent are not actionable, and agencies such as the EEOC, HUD, and CFPB will no longer require or expect disparate impact testing or documentation.
For businesses, this shift reduces the compliance burdens associated with federal oversight. Agencies are less likely to investigate AI systems based solely on the outcomes that they produce. While this should limit the risk of liability when deploying AI, the federal rollback does not eliminate risk altogether. Private plaintiffs may still pursue disparate impact claims under federal statutes such as Title VII of the Civil Rights Act or the Fair Housing Act. State-level enforcement under CAIA and similar laws will also continue regardless of federal policy.
III. Practical Implications of State and Federal Divergence
Colorado has tied liability to disparate impact and made recurring impact assessments the centerpiece of compliance. The federal government has gone the other way, abandoning disparate impact analysis and narrowing liability to intentional discrimination. The result is a divided regulatory landscape. Companies that operate nationally will need to reconcile these two systems: expansive state-level liability built around impact assessments and reduced federal oversight.
For businesses, the divergence creates a two-track compliance environment. Federal regulators are signaling that companies need not test or document disparate impacts, while Colorado requires ongoing assessments designed to uncover and mitigate them. Companies that focus exclusively on federal standards risk liability in Colorado and in other states that may follow its lead. By contrast, businesses that structure governance programs around CAIA’s higher standard (including annual assessments, consumer disclosures, and reporting protocols) will be positioned to satisfy both regimes.
It is important to recognize that CAIA does not just impose obligations. CAIA also builds in safe harbor protections for those businesses that comply. Companies that perform impact assessments and maintain a risk management program receive a rebuttable presumption of compliance. Those that discover and cure problems while following a recognized risk framework have an affirmative defense. These protections mean that compliance is not simply a matter of avoiding penalties, but a way to secure a modicum of legal insulation if issues arise.
Conclusion
Businesses now face two starkly different approaches to AI regulation. At the state level, companies may be held responsible for unintentional discrimination unless they proactively comply with CAIA’s requirements, most notably by conducting detailed, recurring impact assessments. At the federal level, liability is limited to intentional discrimination, with disparate impact analysis abandoned as a regulatory standard under many circumstances.
CAIA also makes clear that companies have a path to protect themselves. By maintaining risk management programs, performing regular impact assessments, and documenting mitigation steps, businesses gain access to safe harbors in the form of a rebuttable presumption of compliance and an affirmative defense if they discover and cure problems.
As more states consider enacting regulatory frameworks similar to CAIA, the patchwork is likely to expand. Companies that undertake to design risk management programs, perform thorough impact assessments, and calibrate disclosures will be best positioned not only to navigate these diverging systems, but also to make full use of the safe harbors that CAIA provides.
Troutman Pepper Locke State Attorneys General Team
 |
Ashley Taylor – Co-leader and Firm Vice Chair Ashley is co-leader of the firm’s nationally ranked State Attorneys General practice, vice chair of the firm, and a partner in its Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He helps his clients navigate the complexities involved with multistate attorneys general investigations and enforcement actions, federal agency actions, and accompanying litigation. |
 |
Clay Friedman – Co-leader Clay co-leads the firm’s State Attorneys General practice and is nationally ranked by Chambers USA for AG Government Relations and in Best Lawyers for Advertising Law. He has dedicated his entire career to state attorney general and federal work, serving for nearly a decade in a senior role and more than 25+ years in private practice. Clay focuses his practice on helping industry-leading companies mitigate the risks associated with state and federal regulatory investigations and associated litigation. |
 |
Chris Carlson Chris advises clients on regulatory, civil, and criminal investigations and litigation. With a background as an assistant attorney general, he provides practical guidance to clients with matters involving state attorneys general and federal regulatory agencies. |
 |
Lauren Fincher Lauren has vast experience handling state attorneys general investigations, navigating complex regulatory compliance matters, and providing strategic counsel in enforcement actions across various industries. She helps clients manage high-stakes regulatory matters and guides them through complex legal landscapes. |
 |
Stephen Piepgrass Stephen leads the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, representing clients in single and multistate enforcement actions, including inquiries and investigations, as well as litigation involving state attorneys general and other state and federal governmental enforcement bodies. He has significant experience handling actions with federal agencies, including the CFPB and FTC, as well as single plaintiff and class action litigation for clients in highly regulated sectors such as financial services, health care, pharmaceutical, and education. |
 |
Michael Yaghi Mike handles high-profile state attorneys general, FTC, and CFPB investigations by advising clients through these complex government inquiries. He assists clients through the entire life cycle of investigations, from regulatory enforcement through formal litigation. |
 |
Samuel E. “Gene” Fishel Gene is a former regulator with two decades of experience who has overseen state privacy and cybersecurity regulation enforcement, led national, multistate attorneys general privacy investigations, and prosecuted computer crimes at the state and federal levels. He has served at the forefront of state attorney general and federal enforcement, and utilizes this experience to proficiently represent client interests. |
 |
Jay Myers Jay assists clients in heavily regulated industries, including health care, energy, insurance, emerging industries, and data privacy. He provides both regulatory legal advice and government relations strategies. Jay’s past and current clients include Fortune 10 companies, startups, nonprofits, industry associations, and advocacy groups. Recognizing that state government matters are often complex and multifaceted, he utilizes regulatory guidance, government advocacy, or both in tandem to deliver tailored solutions for each client’s unique needs. |
 |
Jessica Birdsong Jessica is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group. She received her J.D. from the University of Richmond School of Law, magna cum laude, where she served as associate articles editor of the Journal of Law & Technology. |
 |
Blake R. Christopher Blake collaborates with clients on matters related to government contracting, investigations, and disputes. His senior-level government experience generates valuable insights and strategies for clients across a variety of industries. |
 |
Nick Gouverneur Nick is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group. He received his J.D. from the University of Illinois College of Law, where he served as a member of the Journal of Law, Technology & Policy. |
 |
Troy Homesley Troy is an accomplished litigator who has represented and defended clients across a wide range of complex, high-stakes disputes at both the trial and appellate levels. He has represented technology companies, business executives, law firms, investment funds, high-ranking federal officials, international non-profits, and asylum seekers. Troy draws on his broad litigation experience to advise clients before litigation arises, while claims are pending or threatened, and leading up to and through trial and appeals. |
 |
Natalia Jacobo Natalia is an associate in the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) practice, based on the West Coast. She routinely counsels clients on a variety of state and federal regulatory matters, with a particular emphasis on consumer protection and data privacy matters. |
 |
Namrata Kang Namrata (Nam) is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, based in the Washington, D.C. office. She routinely advises clients on a wide variety of state and federal regulatory matters, with a particular emphasis on state consumer protection laws relating to consumer financial services and marketing and advertising. Nam’s experience transcends multiple industries, including financial services, telecommunications, media, and sports betting. |
 |
Michael Lafleur Michael is an associate in the firm’s Regulatory Investigations, Strategy, and Enforcement Practice Group. Based out of the firm’s Boston office, Mike has deep experience in litigation, investigations, and other regulatory matters involving state-level regulators and state attorneys general. |
 |
Philip Nickerson Philip represents clients in sectors such as financial, tech, real estate, and energy in a range of litigation matters. He is experienced in matters involving trade secrets, government investigations, commercial contracts, construction and product defect. |
 |
Lane Page Lane specializes in federal and state regulatory investigations and complex civil litigation. He focuses on representing financial institutions and other businesses, with a particular emphasis on consumer protection and fair lending issues. |
 |
Dascher Pasco Dascher is an attorney within the Regulatory Investigations, Strategy, and Enforcement practice, based in the Richmond office. She joined our firm after working in personal injury and medical malpractice for a Virginia trial law firm. Dascher brings varied legal experience to the firm with strong litigation and regulatory strategy capabilities. |
 |
Kyara Rivera Rivera Kyara is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group. She received her J.D. from the University of Richmond School of Law, cum laude, where she served as publications and online editor of the Public Interest Law Review. |
 |
Trey Smith Trey focuses his practice on representing and advising regulated utilities before state public utility commissions. He routinely helps clients obtain certificates of public convenience and necessity for transmission infrastructure. In this role, Trey works with his clients’ subject-matter experts to manage administrative proceedings, including by preparing initial filings; responding to discovery requests; drafting rebuttal testimony; and litigating any disputed issues. |
 |
Timothy Shyu Timothy is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group. |
 |
Daniel Waltz Dan helps clients navigate all aspects highly regulated relationships between industry participants and federal, state and local governments. Whether engaging with regulators, negotiating transactions or representing clients in the courtroom, he delivers solutions that help his clients achieve their strategic goals. |
 |
Cole White Cole is a member of the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) group. He has a decade of experience working in the attorney general community, having joined the firm from the Wyoming Office of the Attorney General, where he was assistant attorney general. |
 |
Stephanie Kozol Stephanie is Troutman Pepper Locke’s senior government relations manager in the state attorneys general department. |