Authority Document - Unified Compliance

Back

North America > Colorado State Legislature

Colorado Revised Statutes, Title 6, Article 1, Part 17, Artificial Intelligence

AD ID

0003985

AD STATUS

Colorado Revised Statutes, Title 6, Article 1, Part 17, Artificial Intelligence

ORIGINATOR

Colorado State Legislature

TYPE

Statutes (Bills or Acts)

AVAILABILITY

Free

SYNONYMS

Colorado AI Act

Colorado Revised Statutes, Title 6, Article 1, Part 17, Artificial Intelligence

EFFECTIVE

Not Defined

ADDED

The document as a whole was last reviewed and released on 2024-10-14T00:00:00-0700.

URL

Click here

AD ID

0003985

AD STATUS

Free

ORIGINATOR

Colorado State Legislature

TYPE

Statutes (Bills or Acts)

AVAILABILITY

SYNONYMS

Colorado AI Act

Colorado Revised Statutes, Title 6, Article 1, Part 17, Artificial Intelligence

EFFECTIVE

Not Defined

ADDED

The document as a whole was last reviewed and released on 2024-10-14T00:00:00-0700.

URL

Click here

Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and asociated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Colorado Revised Statutes, Title 6, Article 1, Part 17, Artificial Intelligence that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for Colorado Revised Statutes, Title 6, Article 1, Part 17, Artificial Intelligence are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.

Common Controls and
mandates by Impact Zone 65 Mandated Controls - bold
43 Implied Controls - italic 411 Implementation

Number of Controls

519 Total

Audits and risk management

124

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Audits and risk management CC ID 00677	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a risk management program. CC ID 12051 [{risk management program} On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer of a high-risk artificial intelligence system shall implement a risk management policy and program to govern the deployer's deployment of the high-risk artificial intelligence system. The risk management policy and program must specify and incorporate the principles, processes, and personnel that the deployer uses to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination. The risk management policy and program must be an iterative process planned, implemented, and regularly and systematically reviewed and updated over the life cycle of a high-risk artificial intelligence system, requiring regular, systematic review and updates. A risk management policy and program implemented and maintained pursuant to this subsection (2) must be reasonable considering: 6-1-1703. (2)(a) {risk management program} On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer of a high-risk artificial intelligence system shall implement a risk management policy and program to govern the deployer's deployment of the high-risk artificial intelligence system. The risk management policy and program must specify and incorporate the principles, processes, and personnel that the deployer uses to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination. The risk management policy and program must be an iterative process planned, implemented, and regularly and systematically reviewed and updated over the life cycle of a high-risk artificial intelligence system, requiring regular, systematic review and updates. A risk management policy and program implemented and maintained pursuant to this subsection (2) must be reasonable considering: 6-1-1703. (2)(a) {risk management program} The attorney general may promulgate rules as necessary for the purpose of implementing and enforcing this part 17, including: The content and requirements of the risk management policy and program required by section 6-1-1703 (2); 6-1-1707. (1)(c)]	Establish/Maintain Documentation	Preventive
Include the scope of risk management activities in the risk management program. CC ID 13658	Establish/Maintain Documentation	Preventive
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336	Business Processes	Detective
Integrate the risk management program with the organization's business activities. CC ID 13661	Business Processes	Preventive
Integrate the risk management program into daily business decision-making. CC ID 13659	Business Processes	Preventive
Include managing mobile risks in the risk management program. CC ID 13535	Establish/Maintain Documentation	Preventive
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992	Audits and Risk Management	Preventive
Include regular updating in the risk management system. CC ID 14990	Business Processes	Preventive
Establish, implement, and maintain a risk management policy. CC ID 17192 [{risk management program} On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer of a high-risk artificial intelligence system shall implement a risk management policy and program to govern the deployer's deployment of the high-risk artificial intelligence system. The risk management policy and program must specify and incorporate the principles, processes, and personnel that the deployer uses to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination. The risk management policy and program must be an iterative process planned, implemented, and regularly and systematically reviewed and updated over the life cycle of a high-risk artificial intelligence system, requiring regular, systematic review and updates. A risk management policy and program implemented and maintained pursuant to this subsection (2) must be reasonable considering: 6-1-1703. (2)(a) {risk management program} The attorney general may promulgate rules as necessary for the purpose of implementing and enforcing this part 17, including: The content and requirements of the risk management policy and program required by section 6-1-1703 (2); 6-1-1707. (1)(c) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain risk management strategies. CC ID 13209 [{risk management program} On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer of a high-risk artificial intelligence system shall implement a risk management policy and program to govern the deployer's deployment of the high-risk artificial intelligence system. The risk management policy and program must specify and incorporate the principles, processes, and personnel that the deployer uses to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination. The risk management policy and program must be an iterative process planned, implemented, and regularly and systematically reviewed and updated over the life cycle of a high-risk artificial intelligence system, requiring regular, systematic review and updates. A risk management policy and program implemented and maintained pursuant to this subsection (2) must be reasonable considering: 6-1-1703. (2)(a)]	Establish/Maintain Documentation	Preventive
Include off-site storage of supplies in the risk management strategies. CC ID 13221	Establish/Maintain Documentation	Preventive
Include data quality in the risk management strategies. CC ID 15308	Data and Information Management	Preventive
Include minimizing service interruptions in the risk management strategies. CC ID 13215	Establish/Maintain Documentation	Preventive
Include off-site storage in the risk mitigation strategies. CC ID 13213	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain the risk assessment framework. CC ID 00685	Establish/Maintain Documentation	Preventive
Analyze the risk management strategy for addressing threats. CC ID 12925 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: How the high-risk artificial intelligence system was evaluated for performance and mitigation of algorithmic discrimination before the high-risk artificial intelligence system was offered, sold, leased, licensed, given, or otherwise made available to the deployer; 6-1-1702. (2)(c)(I)]	Audits and Risk Management	Detective
Establish, implement, and maintain a risk assessment program. CC ID 00687	Establish/Maintain Documentation	Preventive
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306	Human Resources Management	Detective
Establish, implement, and maintain insurance requirements. CC ID 16562	Establish/Maintain Documentation	Preventive
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572	Communicate	Preventive
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567	Communicate	Preventive
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571	Acquisition/Sale of Assets or Services	Corrective
Address cybersecurity risks in the risk assessment program. CC ID 13193	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 [Except as provided in subsections (3)(d), (3)(e), and (6) of this section: On and after February 1, 2026, a deployer, or a third party contracted by the deployer, shall complete an impact assessment for a deployed high-risk artificial intelligence system at least annually and within ninety days after any intentional and substantial modification to the high-risk artificial intelligence system is made available. 6-1-1703. (3)(a)(II) Except as provided in subsections (3)(d), (3)(e), and (6) of this section: A deployer, or a third party contracted by the deployer, that deploys a high-risk artificial intelligence system on or after February 1, 2026, shall complete an impact assessment for the high-risk artificial intelligence system; and 6-1-1703. (3)(a)(I) Except as provided in subsection (6) of this section, a developer that offers, sells, leases, licenses, gives, or otherwise makes available to a deployer or other developer a high-risk artificial intelligence system on or after February 1, 2026, shall make available to the deployer or other developer, to the extent feasible, the documentation and information, through artifacts such as model cards, dataset cards, or other impact assessments, necessary for a deployer, or for a third party contracted by a deployer, to complete an impact assessment pursuant to section 6-1-1703 (3). 6-1-1702. (3)(a) An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: An analysis of whether the deployment of the high-risk artificial intelligence system poses any known or reasonably foreseeable risks of algorithmic discrimination and, if so, the nature of the algorithmic discrimination and the steps that have been taken to mitigate the risks; 6-1-1703. (3)(b)(II) The attorney general may promulgate rules as necessary for the purpose of implementing and enforcing this part 17, including: The content and requirements of the impact assessments required by section 6-1-1703 (3); 6-1-1707. (1)(d) A single impact assessment may address a comparable set of high-risk artificial intelligence systems deployed by a deployer. 6-1-1703. (3)(d) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9)]	Audits and Risk Management	Preventive
Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: If the deployer used data to customize the high-risk artificial intelligence system, an overview of the categories of data the deployer used to customize the high-risk artificial intelligence system; 6-1-1703. (3)(b)(IV) An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A description of the categories of data the high-risk artificial intelligence system processes as inputs and the outputs the high-risk artificial intelligence system produces; 6-1-1703. (3)(b)(III)]	Establish/Maintain Documentation	Preventive
Include metrics in the fundamental rights impact assessment. CC ID 17249 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: Any metrics used to evaluate the performance and known limitations of the high-risk artificial intelligence system; 6-1-1703. (3)(b)(V)]	Establish/Maintain Documentation	Preventive
Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A statement by the deployer disclosing the purpose, intended use cases, and deployment context of, and benefits afforded by, the high-risk artificial intelligence system; 6-1-1703. (3)(b)(I)]	Establish/Maintain Documentation	Preventive
Include user safeguards in the fundamental rights impact assessment. CC ID 17255 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A description of the post-deployment monitoring and user safeguards provided concerning the high-risk artificial intelligence system, including the oversight, use, and learning process established by the deployer to address issues arising from the deployment of the high-risk artificial intelligence system. 6-1-1703. (3)(b)(VII)]	Establish/Maintain Documentation	Preventive
Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A description of the categories of data the high-risk artificial intelligence system processes as inputs and the outputs the high-risk artificial intelligence system produces; 6-1-1703. (3)(b)(III)]	Establish/Maintain Documentation	Preventive
Include the purpose in the fundamental rights impact assessment. CC ID 17243 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A statement by the deployer disclosing the purpose, intended use cases, and deployment context of, and benefits afforded by, the high-risk artificial intelligence system; 6-1-1703. (3)(b)(I)]	Establish/Maintain Documentation	Preventive
Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A description of the post-deployment monitoring and user safeguards provided concerning the high-risk artificial intelligence system, including the oversight, use, and learning process established by the deployer to address issues arising from the deployment of the high-risk artificial intelligence system. 6-1-1703. (3)(b)(VII)]	Establish/Maintain Documentation	Preventive
Include risk management measures in the fundamental rights impact assessment. CC ID 17224 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: An analysis of whether the deployment of the high-risk artificial intelligence system poses any known or reasonably foreseeable risks of algorithmic discrimination and, if so, the nature of the algorithmic discrimination and the steps that have been taken to mitigate the risks; 6-1-1703. (3)(b)(II)]	Establish/Maintain Documentation	Preventive
Include human oversight measures in the fundamental rights impact assessment. CC ID 17223	Establish/Maintain Documentation	Preventive
Include risks in the fundamental rights impact assessment. CC ID 17222 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: An analysis of whether the deployment of the high-risk artificial intelligence system poses any known or reasonably foreseeable risks of algorithmic discrimination and, if so, the nature of the algorithmic discrimination and the steps that have been taken to mitigate the risks; 6-1-1703. (3)(b)(II)]	Establish/Maintain Documentation	Preventive
Include affected parties in the fundamental rights impact assessment. CC ID 17221	Establish/Maintain Documentation	Preventive
Include the frequency in the fundamental rights impact assessment. CC ID 17220	Establish/Maintain Documentation	Preventive
Include the usage duration in the fundamental rights impact assessment. CC ID 17219	Establish/Maintain Documentation	Preventive
Include system use in the fundamental rights impact assessment. CC ID 17218 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A statement by the deployer disclosing the purpose, intended use cases, and deployment context of, and benefits afforded by, the high-risk artificial intelligence system; 6-1-1703. (3)(b)(I) An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A statement by the deployer disclosing the purpose, intended use cases, and deployment context of, and benefits afforded by, the high-risk artificial intelligence system; 6-1-1703. (3)(b)(I) In addition to the information required under subsection (3)(b) of this section, an impact assessment completed pursuant to this subsection (3) following an intentional and substantial modification to a high-risk artificial intelligence system on or after February 1, 2026, must include a statement disclosing the extent to which the high-risk artificial intelligence system was used in a manner that was consistent with, or varied from, the developer's intended uses of the high-risk artificial intelligence system. 6-1-1703. (3)(c)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830	Process or Activity	Preventive
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371	Establish/Maintain Documentation	Preventive
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313	Communicate	Preventive
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a risk assessment policy. CC ID 14026	Establish/Maintain Documentation	Preventive
Include compliance requirements in the risk assessment policy. CC ID 14121	Establish/Maintain Documentation	Preventive
Include coordination amongst entities in the risk assessment policy. CC ID 14120	Establish/Maintain Documentation	Preventive
Include management commitment in the risk assessment policy. CC ID 14119	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the risk assessment policy. CC ID 14118	Establish/Maintain Documentation	Preventive
Include the scope in the risk assessment policy. CC ID 14117	Establish/Maintain Documentation	Preventive
Include the purpose in the risk assessment policy. CC ID 14116	Establish/Maintain Documentation	Preventive
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115	Communicate	Preventive
Analyze the organization's information security environment. CC ID 13122	Technical Security	Preventive
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153	Human Resources Management	Preventive
Employ risk assessment procedures that take into account risk factors. CC ID 16560	Audits and Risk Management	Preventive
Review the risk profiles, as necessary. CC ID 16561	Audits and Risk Management	Detective
Approve the threat and risk classification scheme. CC ID 15693	Business Processes	Preventive
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136	Communicate	Preventive
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241	Establish/Maintain Documentation	Preventive
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312	Establish/Maintain Documentation	Preventive
Create a risk assessment report based on the risk assessment results. CC ID 15695	Establish/Maintain Documentation	Preventive
Conduct external audits of risk assessments, as necessary. CC ID 13308	Audits and Risk Management	Detective
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313	Communicate	Preventive
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491	Investigate	Detective
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224	Establish/Maintain Documentation	Preventive
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264	Establish/Maintain Documentation	Preventive
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223	Establish/Maintain Documentation	Preventive
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222	Establish/Maintain Documentation	Preventive
Include pandemic risks in the Business Impact Analysis. CC ID 13219	Establish/Maintain Documentation	Preventive
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300	Communicate	Preventive
Establish, implement, and maintain a risk register. CC ID 14828	Establish/Maintain Documentation	Preventive
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172	Process or Activity	Detective
Assess the potential level of business impact risk associated with individuals. CC ID 17170	Process or Activity	Detective
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173	Investigate	Detective
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169	Process or Activity	Detective
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335	Audits and Risk Management	Detective
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171	Process or Activity	Detective
Approve the risk acceptance level, as necessary. CC ID 17168	Process or Activity	Preventive
Document the results of the gap analysis. CC ID 16271	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the risk treatment plan. CC ID 16991	Establish/Maintain Documentation	Preventive
Include time information in the risk treatment plan. CC ID 16993	Establish/Maintain Documentation	Preventive
Include allocation of resources in the risk treatment plan. CC ID 16989	Establish/Maintain Documentation	Preventive
Include the date of the risk assessment in the risk treatment plan. CC ID 16321	Establish/Maintain Documentation	Preventive
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320	Audits and Risk Management	Preventive
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620	Establish/Maintain Documentation	Preventive
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619	Establish/Maintain Documentation	Preventive
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694	Communicate	Preventive
Document residual risk in a residual risk report. CC ID 13664	Establish/Maintain Documentation	Corrective
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672	Business Processes	Preventive
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 [On and after February 1, 2026, a developer of a high-risk artificial intelligence system shall use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination arising from the intended and contracted uses of the high-risk artificial intelligence system. In any enforcement action brought on or after February 1, 2026, by the attorney general pursuant to section 6-1-1706, there is a rebuttable presumption that a developer used reasonable care as required under this section if the developer complied with this section and any additional requirements or obligations as set forth in rules promulgated by the attorney general pursuant to section 6-1-1707. 6-1-1702. (1) {risk management program} On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer of a high-risk artificial intelligence system shall implement a risk management policy and program to govern the deployer's deployment of the high-risk artificial intelligence system. The risk management policy and program must specify and incorporate the principles, processes, and personnel that the deployer uses to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination. The risk management policy and program must be an iterative process planned, implemented, and regularly and systematically reviewed and updated over the life cycle of a high-risk artificial intelligence system, requiring regular, systematic review and updates. A risk management policy and program implemented and maintained pursuant to this subsection (2) must be reasonable considering: 6-1-1703. (2)(a) On and after February 1, 2026, a deployer of a high-risk artificial intelligence system shall use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination. In any enforcement action brought on or after February 1, 2026, by the attorney general pursuant to section 6-1-1706, there is a rebuttable presumption that a deployer of a high-risk artificial intelligence system used reasonable care as required under this section if the deployer complied with this section and any additional requirements or obligations as set forth in rules promulgated by the attorney general pursuant to section 6-1-1707. 6-1-1703. (1) On and after February 1, 2026, a developer shall make available, in a manner that is clear and readily available on the developer's website or in a public use case inventory, a statement summarizing: How the developer manages known or reasonably foreseeable risks of algorithmic discrimination that may arise from the development or intentional and substantial modification of the types of high-risk artificial intelligence systems described in accordance with subsection (4)(a)(I) of this section. 6-1-1702. (4)(a)(II) On and after February 1, 2026, a developer of a high-risk artificial intelligence system shall disclose to the attorney general, in a form and manner prescribed by the attorney general, and to all known deployers or other developers of the high-risk artificial intelligence system, any known or reasonably foreseeable risks of algorithmic discrimination arising from the intended uses of the high-risk artificial intelligence system without unreasonable delay but no later than ninety days after the date on which: 6-1-1702. (5) The attorney general may promulgate rules as necessary for the purpose of implementing and enforcing this part 17, including: The requirements for the affirmative defense set forth in section 6-1-1706 (3), including the process by which the attorney general will recognize any other nationally or internationally recognized risk management framework for artificial intelligence systems. 6-1-1707. (1)(f) {algorithmic discrimination} {risk management} The attorney general may promulgate rules as necessary for the purpose of implementing and enforcing this part 17, including: The requirements for the rebuttable presumptions set forth in sections 6-1-1702 and 6-1-1703; and 6-1-1707. (1)(e) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The size and un">complexityspan> of the deployer; 6-1-1703. (2)(a)(II) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The nature and scope of the rm_primary-noun">high-risk artificial intelligence systems deployed by the deployer, including the intended uses of the high-risk artificial intelligence systems; and 6-1-1703. (2)(a)(III) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The nature and scope of the rm_primary-noun">high-risk artificial intelligence systems deployed by the deployer, including the intended uses of the high-risk artificial intelligence systems; and 6-1-1703. (2)(a)(III) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The sensitivity and volume of data processed in connection with the le="background-color:#F0BBBC;" class="term_primary-noun">high-risk artificial intelligence systems e="background-color:#CBD0E5;" class="term_secondary-verb">deployed by the deployer. 6-1-1703. (2)(a)(IV) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The sensitivity and volume of data processed in connection with the le="background-color:#F0BBBC;" class="term_primary-noun">high-risk artificial intelligence systems e="background-color:#CBD0E5;" class="term_secondary-verb">deployed by the deployer. 6-1-1703. (2)(a)(IV)]	Establish/Maintain Documentation	Preventive
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255	Establish/Maintain Documentation	Preventive
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356	Business Processes	Preventive
Analyze the impact of artificial intelligence systems on society. CC ID 16317	Audits and Risk Management	Detective
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316	Audits and Risk Management	Detective
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827	Audits and Risk Management	Preventive
Include a commitment to continuous improvement In the cybersecurity risk management program. CC ID 16839	Establish/Maintain Documentation	Preventive
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834	Establish/Maintain Documentation	Preventive
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832	Communicate	Preventive
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829	Communicate	Preventive
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276	Establish/Maintain Documentation	Preventive
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582	Establish/Maintain Documentation	Preventive
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825	Communicate	Preventive
Acquire cyber insurance, as necessary. CC ID 12693	Business Processes	Preventive
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830	Establish/Maintain Documentation	Preventive
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663	Establish/Maintain Documentation	Preventive
Include compliance requirements in the supply chain risk management policy. CC ID 14711	Establish/Maintain Documentation	Preventive
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710	Establish/Maintain Documentation	Preventive
Include management commitment in the supply chain risk management policy. CC ID 14709	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708	Establish/Maintain Documentation	Preventive
Include the scope in the supply chain risk management policy. CC ID 14707	Establish/Maintain Documentation	Preventive
Include the purpose in the supply chain risk management policy. CC ID 14706	Establish/Maintain Documentation	Preventive
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662	Communicate	Preventive
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713	Establish/Maintain Documentation	Preventive
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619	Establish/Maintain Documentation	Preventive
Include dates in the supply chain risk management plan. CC ID 15617	Establish/Maintain Documentation	Preventive
Include implementation milestones in the supply chain risk management plan. CC ID 15615	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613	Establish/Maintain Documentation	Preventive
Include supply chain risk management procedures in the risk management program. CC ID 13190	Establish/Maintain Documentation	Preventive
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712	Communicate	Preventive
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199	Human Resources Management	Preventive
Analyze supply chain risk management procedures, as necessary. CC ID 13198	Process or Activity	Detective
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792	Communicate	Preventive

Harmonization Methods and Manual of Style

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Harmonization Methods and Manual of Style CC ID 06095	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain organizational documents. CC ID 16202	Establish/Maintain Documentation	Preventive
Write organizational documents using clear and conspicuous language. CC ID 16281 [Except as provided in subsection (4)(c)(ii) of this section, a deployer shall provide the notice, statement, contact information, and description required by subsections (4)(a) and (4)(b) of this section: In plain language; 6-1-1703. (4)(c)(I)(B)]	Establish/Maintain Documentation	Preventive
Write organizational documents using information that is free from bias. CC ID 16341	Establish/Maintain Documentation	Preventive
Structure the language of compliance documents. CC ID 06098	Establish/Maintain Documentation	Preventive
Standardize word usage. CC ID 06104	Establish/Maintain Documentation	Preventive
Write policies and instructions using clear and conspicuous language. CC ID 16286 [Except as provided in subsection (4)(c)(ii) of this section, a deployer shall provide the notice, statement, contact information, and description required by subsections (4)(a) and (4)(b) of this section: In all languages in which the deployer, in the ordinary course of the deployer's business, provides contracts, disclaimers, sale announcements, and other information to consumers; and 6-1-1703. (4)(c)(I)(C)]	Establish/Maintain Documentation	Preventive

Leadership and high level objectives

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Leadership and high level objectives CC ID 00597	IT Impact Zone	IT Impact Zone
Analyze organizational objectives, functions, and activities. CC ID 00598	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain data governance and management practices. CC ID 14998 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: The data governance measures used to cover the training datasets and the measures used to examine the suitability of data sources, possible biases, and appropriate mitigation; 6-1-1702. (2)(c)(II)]	Establish/Maintain Documentation	Preventive
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087	Establish/Maintain Documentation	Preventive
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086	Establish/Maintain Documentation	Preventive
Include bias for data sets in the data governance and management practices. CC ID 15085 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: The data governance measures used to cover the training datasets and the measures used to examine the suitability of data sources, possible biases, and appropriate mitigation; 6-1-1702. (2)(c)(II)]	Establish/Maintain Documentation	Preventive
Include the data source in the data governance and management practices. CC ID 17211	Data and Information Management	Preventive
Include a data strategy in the data governance and management practices. CC ID 15304	Establish/Maintain Documentation	Preventive
Include data monitoring in the data governance and management practices. CC ID 15303	Establish/Maintain Documentation	Preventive
Include an assessment of the data sets in the data governance and management practices. CC ID 15084	Establish/Maintain Documentation	Preventive
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083	Establish/Maintain Documentation	Preventive
Include data collection for data sets in the data governance and management practices. CC ID 15082	Establish/Maintain Documentation	Preventive
Include data preparations for data sets in the data governance and management practices. CC ID 15081 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: The data governance measures used to cover the training datasets and the measures used to examine the suitability of data sources, possible biases, and appropriate mitigation; 6-1-1702. (2)(c)(II)]	Establish/Maintain Documentation	Preventive
Include design choices for data sets in the data governance and management practices. CC ID 15080	Establish/Maintain Documentation	Preventive
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 [The attorney general may promulgate rules as necessary for the purpose of implementing and enforcing this part 17, including: 6-1-1707. (1)]	Establish/Maintain Documentation	Preventive
Include contact information in the organization's policies, standards, and procedures. CC ID 17167 [On and after February 1, 2026, and no later than the time that a deployer deploys a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer, the deployer shall: Provide to the consumer a statement disclosing the purpose of the high-risk artificial intelligence system and the nature of the consequential decision; the contact information for the deployer; a description, in plain language, of the high-risk artificial intelligence system; and instructions on how to access the statement required by subsection (5)(a) of this section; and 6-1-1703. (4)(a)(II)]	Establish/Maintain Documentation	Preventive
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 [The attorney general may promulgate rules as necessary for the purpose of implementing and enforcing this part 17, including: The documentation and requirements for developers pursuant to section 6-1-1702 (2); 6-1-1707. (1)(a) The attorney general may promulgate rules as necessary for the purpose of implementing and enforcing this part 17, including: The contents of and requirements for the notices and disclosures required by sections 6-1-1702 (5) and (7); 6-1-1703 (4), (5), (7), and (9); and 6-1-1704; 6-1-1707. (1)(b)]	Establish/Maintain Documentation	Preventive
Analyze organizational policies, as necessary. CC ID 14037	Establish/Maintain Documentation	Detective
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824	Business Processes	Preventive
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778	Establish/Maintain Documentation	Preventive
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771	Establish/Maintain Documentation	Corrective
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774	Establish/Maintain Documentation	Preventive
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773	Establish/Maintain Documentation	Preventive
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772	Establish/Maintain Documentation	Preventive
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329	Establish/Maintain Documentation	Preventive
Include when exemptions expire in the compliance exception standard. CC ID 14330	Establish/Maintain Documentation	Preventive
Include management of the exemption register in the compliance exception standard. CC ID 14328	Establish/Maintain Documentation	Preventive
Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945	Communicate	Preventive

Monitoring and measurement

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Monitoring and measurement CC ID 00636	IT Impact Zone	IT Impact Zone
Monitor the usage and capacity of critical assets. CC ID 14825	Monitor and Evaluate Occurrences	Detective
Monitor the usage and capacity of Information Technology assets. CC ID 00668 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: How the high-risk artificial intelligence system should be used, not be used, and be monitored by an individual when the high-risk artificial intelligence system is used to make, or is a substantial factor in making, a consequential decision; and 6-1-1702. (2)(c)(V) On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: Any additional documentation that is reasonably necessary to assist the deployer in understanding the outputs and monitor the performance of the high-risk artificial intelligence system for risks of algorithmic discrimination. 6-1-1702. (2)(d)]	Monitor and Evaluate Occurrences	Detective
Report errors and faults to the appropriate personnel, as necessary. CC ID 14296	Communicate	Corrective
Correct or mitigate vulnerabilities. CC ID 12497 [{risk management program} On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer of a high-risk artificial intelligence system shall implement a risk management policy and program to govern the deployer's deployment of the high-risk artificial intelligence system. The risk management policy and program must specify and incorporate the principles, processes, and personnel that the deployer uses to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination. The risk management policy and program must be an iterative process planned, implemented, and regularly and systematically reviewed and updated over the life cycle of a high-risk artificial intelligence system, requiring regular, systematic review and updates. A risk management policy and program implemented and maintained pursuant to this subsection (2) must be reasonable considering: 6-1-1703. (2)(a)]	Technical Security	Corrective
Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859	Technical Security	Corrective
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a metrics policy. CC ID 01654	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653	Establish/Maintain Documentation	Preventive
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726	Monitor and Evaluate Occurrences	Detective
Correct compliance violations. CC ID 13515 [In any action commenced by the attorney general to enforce this part 17, it is an affirmative defense that the developer, deployer, or other person: Discovers and cures a violation of this part 17 as a result of: 6-1-1706. (3)(a) In any action commenced by the attorney general to enforce this part 17, it is an affirmative defense that the developer, deployer, or other person: discovers and cures a violation of this part 17 as a result of: Feedback that the developer, deployer, or other person encourages deployers or users to provide to the developer, deployer, or other person; 6-1-1706. (3)(a)(I) In any action commenced by the attorney general to enforce this part 17, it is an affirmative defense that the developer, deployer, or other person: discovers and cures a violation of this part 17 as a result of: Adversarial testing or red teaming, as those terms are defined or used by the national institute of standards and technology; or 6-1-1706. (3)(a)(II) In any action commenced by the attorney general to enforce this part 17, it is an affirmative defense that the developer, deployer, or other person: discovers and cures a violation of this part 17 as a result of: An internal review process; and 6-1-1706. (3)(a)(III)]	Process or Activity	Corrective

Operational and Systems Continuity

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Include website continuity procedures in the continuity plan. CC ID 01380	Establish/Maintain Documentation	Preventive
Post all required information on organizational websites and ensure all hyperlinks are working. CC ID 04579 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer shall make available, in a manner that is clear and readily available on the deployer's website, a statement summarizing: The types of high-risk artificial intelligence systems that are currently deployed by the deployer; 6-1-1703. (5)(a)(I) On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer shall make available, in a manner that is clear and readily available on the deployer's website, a statement summarizing: How the deployer manages known or reasonably foreseeable risks of algorithmic discrimination that may arise from the deployment of each high-risk artificial intelligence system described pursuant to subsection (5)(a)(I) of this section; and 6-1-1703. (5)(a)(II) On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer shall make available, in a manner that is clear and readily available on the deployer's website, a statement summarizing: In detail, the nature, source, and extent of the information collected and used by the deployer. 6-1-1703. (5)(a)(III) {high-risk artificial intelligence system} A deployer shall periodically update the statement described in subsection (5)(a) of this section. 6-1-1703. (5)(b) On and after February 1, 2026, a developer shall make available, in a manner that is clear and readily available on the developer's website or in a public use case inventory, a statement summarizing: The types of high-risk artificial intelligence systems that the developer has developed or intentionally and substantially modified and currently makes available to a deployer or other developer; and 6-1-1702. (4)(a)(I) On and after February 1, 2026, and no later than the time that a deployer deploys a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer, the deployer shall: Provide to the consumer a statement disclosing the purpose of the high-risk artificial intelligence system and the nature of the consequential decision; the contact information for the deployer; a description, in plain language, of the high-risk artificial intelligence system; and instructions on how to access the statement required by subsection (5)(a) of this section; and 6-1-1703. (4)(a)(II)]	Data and Information Management	Preventive

Operational management

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Operational management CC ID 00805	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an information security program. CC ID 00812	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain operational control procedures. CC ID 00831	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826	Establish/Maintain Documentation	Preventive
Include system use information in the standard operating procedures manual. CC ID 17240 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: A general statement describing the reasonably foreseeable uses and known harmful or inappropriate uses of the high-risk artificial intelligence system; 6-1-1702. (2)(a) On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation disclosing: The intended benefits and uses of the high-risk artificial intelligence system; and 6-1-1702. (2)(b)(IV)]	Establish/Maintain Documentation	Preventive
Include the intended purpose in the standard operating procedures manual. CC ID 14967 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation disclosing: The purpose of the high-risk artificial intelligence system; 6-1-1702. (2)(b)(III) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The nature and scope of the high-risk artificial intelligence systems deployed by the deployer, including the intended uses of the high-risk artificial intelligence systems; and 6-1-1703. (2)(a)(III) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The nature and scope of the high-risk artificial intelligence systems deployed by the deployer, including the intended uses of the high-risk artificial intelligence systems; and 6-1-1703. (2)(a)(III)]	Establish/Maintain Documentation	Preventive
Include information on system performance in the standard operating procedures manual. CC ID 14965 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation disclosing: The intended benefits and uses of the high-risk artificial intelligence system; and 6-1-1702. (2)(b)(IV)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 [{refrain from requiring} Nothing in subsections (2) to (5) and (7) of this section requires a deployer to disclose a trade secret or information protected from disclosure by state or federal law. To the extent that a deployer withholds information pursuant to this subsection (8) or section 6-1-1705 (5), the deployer shall notify the consumer and provide a basis for the withholding. 6-1-1703. (8)]	Establish/Maintain Documentation	Preventive
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818	Business Processes	Preventive
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [On and after February 1, 2026, a developer of a high-risk artificial intelligence system shall use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination arising from the intended and contracted uses of the high-risk artificial intelligence system. In any enforcement action brought on or after February 1, 2026, by the attorney general pursuant to section 6-1-1706, there is a rebuttable presumption that a developer used reasonable care as required under this section if the developer complied with this section and any additional requirements or obligations as set forth in rules promulgated by the attorney general pursuant to section 6-1-1707. 6-1-1702. (1) On and after February 1, 2026, a deployer of a high-risk artificial intelligence system shall use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination. In any enforcement action brought on or after February 1, 2026, by the attorney general pursuant to section 6-1-1706, there is a rebuttable presumption that a deployer of a high-risk artificial intelligence system used reasonable care as required under this section if the deployer complied with this section and any additional requirements or obligations as set forth in rules promulgated by the attorney general pursuant to section 6-1-1707. 6-1-1703. (1) If a deployer, or a third party contracted by the deployer, completes an impact assessment for the purpose of complying with another applicable law or regulation, the impact assessment satisfies the requirements established in this subsection (3) if the impact assessment is reasonably similar in scope and effect to the impact assessment that would otherwise be completed pursuant to this subsection (3). 6-1-1703. (3)(e) {high-risk artificial intelligence system} On and after February 1, 2026, the attorney general may require that a developer disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the statement or documentation described in subsection (2) of this section. The attorney general may evaluate such statement or documentation to ensure compliance with this part 17, and the statement or documentation is not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (7), a developer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the statement or documentation includes information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1702. (7) In any action commenced by the attorney general to enforce this part 17, it is an affirmative defense that the developer, deployer, or other person: is otherwise in compliance with: The latest version of the "Artificial Intelligence Risk Management Framework" published by the national institute of standards and technology in the United States department of commerce and standard ISO/IEC 42001 of the International Organization for Standardization; 6-1-1706. (3)(b)(I) In any action commenced by the attorney general to enforce this part 17, it is an affirmative defense that the developer, deployer, or other person: is otherwise in compliance with: Another nationally or internationally recognized risk management framework for artificial intelligence systems, if the standards are substantially equivalent to or more stringent than the requirements of this part 17; or 6-1-1706. (3)(b)(II) In any action commenced by the attorney general to enforce this part 17, it is an affirmative defense that the developer, deployer, or other person: is otherwise in compliance with: Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate and, if designated, shall publicly disseminate. 6-1-1706. (3)(b)(III)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a customer service program. CC ID 00846	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an Incident Management program. CC ID 00853	Business Processes	Preventive
Include incident monitoring procedures in the Incident Management program. CC ID 01207	Establish/Maintain Documentation	Preventive
Include incident recovery procedures in the Incident Management program. CC ID 01758	Establish/Maintain Documentation	Corrective
Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592	Establish/Maintain Documentation	Preventive
Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 [In any action commenced by the attorney general to enforce this part 17, it is an affirmative defense that the developer, deployer, or other person: Discovers and cures a violation of this part 17 as a result of: 6-1-1706. (3)(a)]	Monitor and Evaluate Occurrences	Detective
Establish, implement, and maintain a disability accessibility program. CC ID 06191	Establish/Maintain Documentation	Preventive
Follow disability accessibility standards when designing and building content. CC ID 06193 [{be accessible} Except as provided in subsection (4)(c)(ii) of this section, a deployer shall provide the notice, statement, contact information, and description required by subsections (4)(a) and (4)(b) of this section: In a format that is accessible to consumers with disabilities. 6-1-1703. (4)(c)(I)(D)]	Testing	Detective
Establish, implement, and maintain an artificial intelligence system. CC ID 14943 [{risk management program} On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer of a high-risk artificial intelligence system shall implement a risk management policy and program to govern the deployer's deployment of the high-risk artificial intelligence system. The risk management policy and program must specify and incorporate the principles, processes, and personnel that the deployer uses to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination. The risk management policy and program must be an iterative process planned, implemented, and regularly and systematically reviewed and updated over the life cycle of a high-risk artificial intelligence system, requiring regular, systematic review and updates. A risk management policy and program implemented and maintained pursuant to this subsection (2) must be reasonable considering: 6-1-1703. (2)(a) {high-risk artificial intelligence system} A developer shall update the statement described in subsection (4)(a) of this section: 6-1-1702. (4)(b)]	Systems Design, Build, and Implementation	Preventive
Provide affected parties with the role of artificial intelligence in decision making. CC ID 17236 [On and after February 1, 2026, and no later than the time that a deployer deploys a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer, the deployer shall: Notify the consumer that the deployer has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision before the decision is made; 6-1-1703. (4)(a)(I) On and after February 1, 2026, and no later than the time that a deployer deploys a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer, the deployer shall: Provide to the consumer a statement disclosing the purpose of the high-risk artificial intelligence system and the nature of the consequential decision; the contact information for the deployer; a description, in plain language, of the high-risk artificial intelligence system; and instructions on how to access the statement required by subsection (5)(a) of this section; and 6-1-1703. (4)(a)(II) On and after February 1, 2026, a deployer that has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer shall, if the consequential decision is adverse to the consumer, provide to the consumer: A statement disclosing the principal reason or reasons for the consequential decision, including: The degree to which, and manner in which, the high-risk artificial intelligence system contributed to the consequential decision; 6-1-1703. (4)(b)(I)(A)]	Communicate	Preventive
Provide the reasons for adverse decisions made by artificial intelligence systems. CC ID 17253 [On and after February 1, 2026, a deployer that has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer shall, if the consequential decision is adverse to the consumer, provide to the consumer: A statement disclosing the principal reason or reasons for the consequential decision, including: 6-1-1703. (4)(b)(I) On and after February 1, 2026, a deployer that has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer shall, if the consequential decision is adverse to the consumer, provide to the consumer: A statement disclosing the principal reason or reasons for the consequential decision, including: The type of data that was processed by the high-risk artificial intelligence system in making the consequential decision; and 6-1-1703. (4)(b)(I)(B) On and after February 1, 2026, a deployer that has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer shall, if the consequential decision is adverse to the consumer, provide to the consumer: A statement disclosing the principal reason or reasons for the consequential decision, including: The source or sources of the data described in subsection (4)(b)(I)(B) of this section; 6-1-1703. (4)(b)(I)(C)]	Process or Activity	Preventive
Authorize artificial intelligence systems for use under defined conditions. CC ID 17210 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: How the high-risk artificial intelligence system should be used, not be used, and be monitored by an individual when the high-risk artificial intelligence system is used to make, or is a substantial factor in making, a consequential decision; and 6-1-1702. (2)(c)(V)]	Process or Activity	Preventive
Refrain from notifying users when images, videos, or audio have been artificially generated or manipulated if use of the artificial intelligence system is authorized by law. CC ID 15051 [Disclosure is not required under subsection (1) of this section under circumstances in which it would be obvious to a reasonable person that the person is interacting with an artificial intelligence system. 6-1-1704. (2)]	Communicate	Preventive
Establish, implement, and maintain a post-market monitoring system. CC ID 15050	Monitor and Evaluate Occurrences	Preventive
Include mitigation measures to address biased output during the development of artificial intelligence systems. CC ID 15047	Systems Design, Build, and Implementation	Corrective
Limit artificial intelligence systems authorizations to the time period until conformity assessment procedures are complete. CC ID 15043	Business Processes	Preventive
Terminate authorizations for artificial intelligence systems when conformity assessment procedures are complete. CC ID 15042	Business Processes	Preventive
Authorize artificial intelligence systems to be put into service for exceptional reasons while conformity assessment procedures are being conducted. CC ID 15039	Business Processes	Preventive
Discard the outputs of the artificial intelligence system when authorizations are denied. CC ID 17225	Process or Activity	Preventive
Assess the trustworthiness of artificial intelligence systems. CC ID 16319	Business Processes	Detective
Authorize artificial intelligence systems to be placed on the market for exceptional reasons while conformity assessment procedures are being conducted. CC ID 15037	Business Processes	Preventive
Withdraw authorizations that are unjustified. CC ID 15035	Business Processes	Corrective
Ensure the transport conditions for artificial intelligence systems refrain from compromising compliance. CC ID 15031	Business Processes	Detective
Ensure the storage conditions for artificial intelligence systems refrain from compromising compliance. CC ID 15030	Physical and Environmental Protection	Detective
Prohibit artificial intelligence systems from being placed on the market when it is not in compliance with the requirements. CC ID 15029	Acquisition/Sale of Assets or Services	Preventive
Ensure the artificial intelligence system performs at an acceptable level of accuracy, robustness, and cybersecurity. CC ID 15024	Process or Activity	Preventive
Implement an acceptable level of accuracy, robustness, and cybersecurity in the development of artificial intelligence systems. CC ID 15022	Systems Design, Build, and Implementation	Preventive
Take into account the nature of the situation when determining the possibility of using 'real-time’ remote biometric identification systems in publicly accessible spaces for law enforcement. CC ID 15020	Process or Activity	Preventive
Notify users when images, videos, or audio on the artificial intelligence system has been artificially generated or manipulated. CC ID 15019	Communicate	Preventive
Refrain from notifying users of artificial intelligence systems using biometric categorization for law enforcement. CC ID 15017	Communicate	Preventive
Use a remote biometric identification system under defined conditions. CC ID 15016	Process or Activity	Preventive
Notify users when they are using an artificial intelligence system. CC ID 15015 [On and after February 1, 2026, and except as provided in subsection (2) of this section, a deployer or other developer that deploys, offers, sells, leases, licenses, gives, or otherwise makes available an artificial intelligence system that is intended to interact with consumers shall ensure the disclosure to each consumer who interacts with the artificial intelligence system that the consumer is interacting with an artificial intelligence system. 6-1-1704. (1)]	Communicate	Preventive
Receive prior authorization for the use of a remote biometric identification system. CC ID 15014	Business Processes	Preventive
Prohibit artificial intelligence systems that deploys subliminal techniques from being placed on the market. CC ID 15012	Acquisition/Sale of Assets or Services	Preventive
Prohibit artificial intelligence systems that use social scores for unfavorable treatment from being placed on the market. CC ID 15010	Acquisition/Sale of Assets or Services	Preventive
Prohibit artificial intelligence systems that evaluate or classify the trustworthiness of individuals from being placed on the market. CC ID 15008	Acquisition/Sale of Assets or Services	Preventive
Prohibit artificial intelligence systems that exploits vulnerabilities of a specific group of persons from being placed on the market. CC ID 15006	Acquisition/Sale of Assets or Services	Preventive
Refrain from making a decision based on system output unless verified by at least two natural persons. CC ID 15004	Business Processes	Preventive
Establish, implement, and maintain human oversight over artificial intelligence systems. CC ID 15003 [On or before February 1, 2026, and at least annually thereafter, a deployer, or a third party contracted by the deployer, must review the deployment of each high-risk artificial intelligence system deployed by the deployer to ensure that the high-risk artificial intelligence system is not causing algorithmic discrimination. 6-1-1703. (3)(g)]	Behavior	Preventive
Implement measures to enable personnel assigned to human oversight to intervene or interrupt the operation of the artificial intelligence system. CC ID 15093	Process or Activity	Preventive
Implement measures to enable personnel assigned to human oversight to be aware of the possibility of automatically relying or over-relying on outputs to make decisions. CC ID 15091	Human Resources Management	Preventive
Implement measures to enable personnel assigned to human oversight to interpret output correctly. CC ID 15089	Data and Information Management	Preventive
Implement measures to enable personnel assigned to human oversight to decide to refrain from using the artificial intelligence system or override disregard, or reverse the output. CC ID 15079	Behavior	Preventive
Enable users to interpret the artificial intelligence system's output and use. CC ID 15002	Business Processes	Preventive
Develop artificial intelligence systems involving the training of models with data sets that meet the quality criteria. CC ID 14996	Systems Design, Build, and Implementation	Preventive
Withdraw the technical documentation assessment certificate when the artificial intelligence system is not in compliance with requirements. CC ID 15099	Establish/Maintain Documentation	Preventive
Reassess the designation of artificial intelligence systems. CC ID 17230	Process or Activity	Preventive
Define a high-risk artificial intelligence system. CC ID 14959	Establish/Maintain Documentation	Preventive
Take into account the consequences for the rights and freedoms of persons when using ‘real-time’ remote biometric identification systems for law enforcement. CC ID 14957	Process or Activity	Preventive
Allow the use of 'real-time' remote biometric identification systems for law enforcement under defined conditions. CC ID 14955	Process or Activity	Preventive
Document the use of remote biometric identification systems. CC ID 17215	Business Processes	Preventive
Notify interested personnel and affected parties of the use of remote biometric identification systems. CC ID 17216	Communicate	Preventive
Refrain from using remote biometric identification systems under defined conditions. CC ID 14953	Process or Activity	Preventive
Prohibit the use of artificial intelligence systems under defined conditions. CC ID 14951 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: How the high-risk artificial intelligence system should be used, not be used, and be monitored by an individual when the high-risk artificial intelligence system is used to make, or is a substantial factor in making, a consequential decision; and 6-1-1702. (2)(c)(V)]	Process or Activity	Preventive
Establish, implement, and maintain a declaration of conformity. CC ID 15038	Establish/Maintain Documentation	Preventive
Include a statement that the artificial intelligence system meets all requirements in the declaration of conformity. CC ID 15100 [A developer, a deployer, or other person bears the burden of demonstrating to the attorney general that the requirements established in subsection (3) of this section have been satisfied. 6-1-1706. (4)]	Establish/Maintain Documentation	Preventive

Privacy protection for information and data

268

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Privacy protection for information and data CC ID 00008	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data transparency program. CC ID 00375 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A description of any transparency measures taken concerning the high-risk artificial intelligence system, including any measures taken to disclose to a consumer that the high-risk artificial intelligence system is in use when the high-risk artificial intelligence system is in use; and 6-1-1703. (3)(b)(VI)]	Data and Information Management	Preventive
Establish and maintain privacy notices, as necessary. CC ID 13443	Establish/Maintain Documentation	Preventive
Include the purpose of the privacy notice in the privacy notice. CC ID 13526	Establish/Maintain Documentation	Preventive
Include the processing purpose in the privacy notice. CC ID 16543	Establish/Maintain Documentation	Preventive
Include the record types which may not be used or disclosed unless required by law in the privacy notice. CC ID 17258	Establish/Maintain Documentation	Preventive
Include contact information in the privacy notice. CC ID 14432	Establish/Maintain Documentation	Preventive
Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503	Establish/Maintain Documentation	Preventive
Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460	Establish/Maintain Documentation	Preventive
Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461	Establish/Maintain Documentation	Preventive
Include the uses or disclosures that require authorizations in the privacy notice. CC ID 17257	Establish/Maintain Documentation	Preventive
Include prohibitions of use or disclosure in the privacy notice. CC ID 17252	Establish/Maintain Documentation	Preventive
Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459	Establish/Maintain Documentation	Preventive
Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455	Establish/Maintain Documentation	Preventive
Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456	Establish/Maintain Documentation	Preventive
Include the personal data collection categories in the privacy notice. CC ID 13457	Establish/Maintain Documentation	Preventive
Include disclosure exceptions in the privacy notice. CC ID 13447	Establish/Maintain Documentation	Preventive
Include the types of personal data disclosed in the privacy notice. CC ID 13446	Establish/Maintain Documentation	Preventive
Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458	Establish/Maintain Documentation	Preventive
Specify the time frame that notice will be given. CC ID 00385	Establish/Maintain Documentation	Preventive
Include the information about the appeal process in the privacy notice. CC ID 15312	Establish/Maintain Documentation	Preventive
Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468	Establish/Maintain Documentation	Preventive
Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445	Communicate	Preventive
Deliver privacy notices to data subjects, as necessary. CC ID 13444	Communicate	Preventive
Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464	Establish/Maintain Documentation	Preventive
Update privacy notices, as necessary. CC ID 13474	Communicate	Preventive
Redeliver privacy notices, as necessary. CC ID 14850	Communicate	Preventive
Deliver privacy notices to third parties, as necessary. CC ID 13473	Communicate	Preventive
Obtain acknowledgment of receipt of the privacy notice. CC ID 14435	Communicate	Preventive
Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434	Establish/Maintain Documentation	Corrective
Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466	Establish/Maintain Documentation	Preventive
Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472	Establish/Maintain Documentation	Preventive
Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471	Establish/Maintain Documentation	Preventive
Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain opt-out notices. CC ID 13448	Establish/Maintain Documentation	Preventive
Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465	Establish/Maintain Documentation	Preventive
Include the opt out method for data subjects in the opt-out notice. CC ID 13467	Establish/Maintain Documentation	Preventive
Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 [On and after February 1, 2026, and no later than the time that a deployer deploys a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer, the deployer shall: Provide to the consumer information, if applicable, regarding the consumer's right to opt out of the processing of personal data concerning the consumer for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer under section 6-1-1306 (1)(a)(I)(C). 6-1-1703. (4)(a)(III)]	Establish/Maintain Documentation	Preventive
Explain the right to opt out in the opt-out notice. CC ID 13462	Establish/Maintain Documentation	Preventive
Include the organization's right to share personal data in the opt-out notice. CC ID 13450	Establish/Maintain Documentation	Preventive
Deliver opt-out notices, as necessary. CC ID 13449	Communicate	Preventive
Include an initial privacy notification when delivering the opt-out notice. CC ID 13453	Communicate	Preventive
Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376	Communicate	Preventive
Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372	Communicate	Preventive
Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391	Communicate	Preventive
Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819	Data and Information Management	Preventive
Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393	Communicate	Preventive
Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354	Communicate	Preventive
Provide the data subject with a notice of participation procedures. CC ID 06241	Establish/Maintain Documentation	Preventive
Deliver notices to the intended parties. CC ID 06240 [{make available} {be reasonable} If the deployer is unable to provide the notice, statement, contact information, and description required by subsections (4)(a) and (4)(b) of this section directly to the consumer, the deployer shall make the notice, statement, contact information, and description available in a manner that is reasonably calculated to ensure that the consumer receives the notice, statement, contact information, and description. 6-1-1703. (4)(c)(II)]	Data and Information Management	Preventive
Notify data subjects about their privacy rights. CC ID 12989	Communicate	Preventive
Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352	Communicate	Preventive
Require a data protection impact assessment when profiling the data subject. CC ID 12680	Process or Activity	Detective
Establish, implement, and maintain adequate openness procedures. CC ID 00377	Data and Information Management	Preventive
Provide public proof the organization participates in a privacy program. CC ID 12349	Communicate	Preventive
Publish a description of processing activities in an official register. CC ID 00379	Establish/Maintain Documentation	Preventive
Establish and maintain a records request manual. CC ID 00381	Establish/Maintain Documentation	Preventive
Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382	Establish/Maintain Documentation	Preventive
Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383	Behavior	Preventive
Define what is included in registration notices. CC ID 00386	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the registration notice. CC ID 16803	Establish Roles	Preventive
Include the verification method in the registration notice. CC ID 16798	Establish/Maintain Documentation	Preventive
Include the statutory authority in the registration notice. CC ID 16799	Establish/Maintain Documentation	Preventive
Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387	Establish/Maintain Documentation	Preventive
Include a purpose specification description in the registration notice. CC ID 00388	Establish/Maintain Documentation	Preventive
Include information about the dispute resolution body in the registration notice. CC ID 16800	Establish/Maintain Documentation	Preventive
Include the data subject category being processed in the registration notice. CC ID 00389	Establish/Maintain Documentation	Preventive
Include the time period for data processing in the registration notice. CC ID 00390	Establish/Maintain Documentation	Preventive
Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392	Establish/Maintain Documentation	Preventive
Provide legal authorities access to personal data, upon request. CC ID 06818	Data and Information Management	Preventive
Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609	Process or Activity	Preventive
Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618	Establish/Maintain Documentation	Preventive
Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394	Establish/Maintain Documentation	Preventive
Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 [Except as provided in subsection (4)(c)(ii) of this section, a deployer shall provide the notice, statement, contact information, and description required by subsections (4)(a) and (4)(b) of this section: Directly to the consumer; 6-1-1703. (4)(c)(I)(A)]	Establish/Maintain Documentation	Preventive
Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588	Process or Activity	Preventive
Document the countries where restricted data may be stored. CC ID 12750	Data and Information Management	Preventive
Protect the rights of students and their parents or legal representatives. CC ID 00222	Data and Information Management	Preventive
Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014	Technical Security	Preventive
Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025	Records Management	Preventive
Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019	Records Management	Preventive
Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998	Records Management	Corrective
Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020	Records Management	Corrective
Define the criteria for waivers of data subjects' rights. CC ID 16858	Behavior	Preventive
Revoke waivers of data subject's rights, as necessary. CC ID 16859	Behavior	Preventive
Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996	Establish/Maintain Documentation	Preventive
Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004	Establish/Maintain Documentation	Preventive
Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003	Establish/Maintain Documentation	Preventive
Disclose educational data, as necessary. CC ID 00223	Data and Information Management	Preventive
Grant access to education records in support of educational program audits. CC ID 13032	Records Management	Preventive
Grant access to education records in support of external requirements. CC ID 13033	Records Management	Preventive
Disclose statements added to education records, as necessary. CC ID 12990	Communicate	Preventive
Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220	Data and Information Management	Preventive
Disclose education records when written consent is received. CC ID 00224	Data and Information Management	Preventive
Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002	Establish/Maintain Documentation	Preventive
Specify the purpose of the disclosure in the written consent. CC ID 13001	Establish/Maintain Documentation	Preventive
Specify which education records may be disclosed in the written consent. CC ID 13000	Establish/Maintain Documentation	Preventive
Document the conditions when consent is not required to disclose educational data. CC ID 00225	Establish/Maintain Documentation	Preventive
Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005	Communicate	Preventive
Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023	Communicate	Preventive
Disclose educational data absent consent when it concerns sex offenders. CC ID 13013	Communicate	Preventive
Disclose educational data absent consent to other school officials. CC ID 00226	Data and Information Management	Preventive
Disclose educational data absent consent to another institution's school officials. CC ID 00227	Data and Information Management	Preventive
Disclose educational data absent consent in connection with financial aid. CC ID 00229	Data and Information Management	Preventive
Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230	Data and Information Management	Preventive
Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995	Communicate	Preventive
Disclose educational data absent consent to accrediting organizations. CC ID 00231	Data and Information Management	Preventive
Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232	Data and Information Management	Preventive
Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233	Data and Information Management	Preventive
Disclose educational data absent consent for a health and safety emergency. CC ID 00234	Data and Information Management	Preventive
Disclose educational data absent consent when it is merely directory information. CC ID 00235	Data and Information Management	Preventive
Disclose educational data absent consent to a crime victim. CC ID 00236	Data and Information Management	Preventive
Record the health and safety threats of students when disclosing personal data. CC ID 12997	Establish/Maintain Documentation	Preventive
Refrain from providing information to the data subject, as necessary. CC ID 12625	Communicate	Preventive
Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651	Communicate	Preventive
Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645	Communicate	Preventive
Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634	Communicate	Preventive
Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633	Communicate	Preventive
Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632	Communicate	Preventive
Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631	Communicate	Preventive
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629	Communicate	Preventive
Refrain from providing information to the data subject when the data subject has the information. CC ID 12628	Communicate	Preventive
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393	Establish/Maintain Documentation	Preventive
Provide the data subject with the data retention period for personal data. CC ID 12587	Process or Activity	Preventive
Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589	Process or Activity	Preventive
Provide the data subject with the adequacy decision. CC ID 12586	Process or Activity	Preventive
Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585	Process or Activity	Preventive
Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608	Process or Activity	Preventive
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396	Data and Information Management	Preventive
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780	Business Processes	Preventive
Provide the data subject with the data protection officer's contact information. CC ID 12573	Business Processes	Preventive
Notify the data subject of the right to data portability. CC ID 12603	Process or Activity	Preventive
Provide the data subject with information about the right to erasure. CC ID 12602	Process or Activity	Preventive
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397	Establish/Maintain Documentation	Preventive
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399	Data and Information Management	Preventive
Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027	Establish/Maintain Documentation	Preventive
Establish and maintain a disclosure accounting record. CC ID 13022	Establish/Maintain Documentation	Preventive
Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029	Establish/Maintain Documentation	Preventive
Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028	Establish/Maintain Documentation	Preventive
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680	Establish/Maintain Documentation	Preventive
Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769	Establish/Maintain Documentation	Preventive
Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768	Establish/Maintain Documentation	Preventive
Include the disclosure date in the disclosure accounting record. CC ID 07133	Establish/Maintain Documentation	Preventive
Include the disclosure recipient in the disclosure accounting record. CC ID 07134	Establish/Maintain Documentation	Preventive
Include the disclosure purpose in the disclosure accounting record. CC ID 07135	Establish/Maintain Documentation	Preventive
Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136	Establish/Maintain Documentation	Preventive
Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137	Establish/Maintain Documentation	Preventive
Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138	Establish/Maintain Documentation	Preventive
Include the research activity or research protocol in the disclosure accounting record. CC ID 07139	Establish/Maintain Documentation	Preventive
Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140	Establish/Maintain Documentation	Preventive
Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141	Establish/Maintain Documentation	Preventive
Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860	Data and Information Management	Preventive
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433	Communicate	Preventive
Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586	Establish/Maintain Documentation	Preventive
Provide shareholders access to electronic messages via electronic means. CC ID 11855	Process or Activity	Preventive
Make telephone directory information available to the public. CC ID 08698	Establish/Maintain Documentation	Preventive
Display warning screens and confirmation screens for all payment transactions. CC ID 06409	Technical Security	Preventive
Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400	Establish/Maintain Documentation	Preventive
Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614	Process or Activity	Preventive
Establish, implement, and maintain a personal data accountability program. CC ID 13432	Establish/Maintain Documentation	Preventive
Require data controllers to be accountable for their actions. CC ID 00470	Establish Roles	Preventive
Notify the supervisory authority. CC ID 00472 [If a deployer deploys a high-risk artificial intelligence system on or after February 1, 2026, and subsequently discovers that the high-risk artificial intelligence system has caused algorithmic discrimination, the deployer, without unreasonable delay, but no later than ninety days after the date of the discovery, shall send to the attorney general, in a form and manner prescribed by the attorney general, a notice disclosing the discovery. 6-1-1703. (7)]	Behavior	Preventive
Establish, implement, and maintain approval applications. CC ID 16778	Establish/Maintain Documentation	Preventive
Define the requirements for approving or denying approval applications. CC ID 16780	Business Processes	Preventive
Submit approval applications to the supervisory authority. CC ID 16627	Communicate	Preventive
Include required information in the approval application. CC ID 16628	Establish/Maintain Documentation	Preventive
Extend the time limit for approving or denying approval applications. CC ID 16779	Business Processes	Preventive
Approve the approval application unless applicant has been convicted. CC ID 16603	Process or Activity	Preventive
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [{high-risk artificial intelligence system} On and after February 1, 2026, the attorney general may require that a developer disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the statement or documentation described in subsection (2) of this section. The attorney general may evaluate such statement or documentation to ensure compliance with this part 17, and the statement or documentation is not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (7), a developer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the statement or documentation includes information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1702. (7)]	Process or Activity	Preventive
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605	Communicate	Preventive
Respond to questions about submissions in a timely manner. CC ID 16930	Communicate	Preventive
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675	Communicate	Corrective
Establish, implement, and maintain a personal data use limitation program. CC ID 13428	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain data disclosure procedures. CC ID 00133 [{high-risk artificial intelligence system} On and after February 1, 2026, the attorney general may require that a developer disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the statement or documentation described in subsection (2) of this section. The attorney general may evaluate such statement or documentation to ensure compliance with this part 17, and the statement or documentation is not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (7), a developer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the statement or documentation includes information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1702. (7)]	Establish/Maintain Documentation	Preventive
Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901	Communicate	Preventive
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298	Data and Information Management	Preventive
Review personal data disclosure requests. CC ID 07129	Data and Information Management	Preventive
Notify the data subject of the disclosure purpose. CC ID 15268	Communicate	Preventive
Establish, implement, and maintain data request denial procedures. CC ID 00434	Establish/Maintain Documentation	Preventive
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435	Data and Information Management	Preventive
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436	Data and Information Management	Preventive
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437	Data and Information Management	Preventive
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438	Data and Information Management	Preventive
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439	Data and Information Management	Preventive
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440	Data and Information Management	Preventive
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [{refrain from requiring} Nothing in subsections (2) to (5) and (7) of this section requires a deployer to disclose a trade secret or information protected from disclosure by state or federal law. To the extent that a deployer withholds information pursuant to this subsection (8) or section 6-1-1705 (5), the deployer shall notify the consumer and provide a basis for the withholding. 6-1-1703. (8) {refrain from requiring} Nothing in subsections (2) to (5) of this section requires a developer to disclose a trade secret, information protected from disclosure by state or federal law, or information that would create a security risk to the developer. 6-1-1702. (6)]	Data and Information Management	Preventive
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442	Data and Information Management	Preventive
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443	Data and Information Management	Preventive
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702	Process or Activity	Preventive
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600	Data and Information Management	Preventive
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444	Data and Information Management	Preventive
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445	Data and Information Management	Preventive
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446	Data and Information Management	Detective
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447	Data and Information Management	Preventive
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448	Data and Information Management	Preventive
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449	Data and Information Management	Preventive
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450	Data and Information Management	Preventive
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451	Data and Information Management	Preventive
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873	Data and Information Management	Preventive
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874	Data and Information Management	Preventive
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875	Data and Information Management	Preventive
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [{refrain from requiring} Nothing in subsections (2) to (5) and (7) of this section requires a deployer to disclose a trade secret or information protected from disclosure by state or federal law. To the extent that a deployer withholds information pursuant to this subsection (8) or section 6-1-1705 (5), the deployer shall notify the consumer and provide a basis for the withholding. 6-1-1703. (8)]	Data and Information Management	Preventive
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509	Communicate	Preventive
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454	Data and Information Management	Preventive
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700	Process or Activity	Preventive
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428	Data and Information Management	Preventive
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876	Data and Information Management	Preventive
Notify that data subject of any exclusions to requested personal data. CC ID 15271	Communicate	Preventive
Provide data or records in a reasonable time frame. CC ID 00429	Data and Information Management	Preventive
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599	Communicate	Preventive
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591	Data and Information Management	Preventive
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590	Data and Information Management	Preventive
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589	Data and Information Management	Preventive
Provide data at a cost that is not excessive. CC ID 00430	Data and Information Management	Preventive
Provide records or data in a reasonable manner. CC ID 00431	Data and Information Management	Preventive
Provide personal data in a form that is intelligible. CC ID 00432	Data and Information Management	Preventive
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604	Data and Information Management	Preventive
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602	Data and Information Management	Preventive
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601	Data and Information Management	Preventive
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a data handling program. CC ID 13427	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain data handling policies. CC ID 00353	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [{high-risk artificial intelligence system} On and after February 1, 2026, the attorney general may require that a developer disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the statement or documentation described in subsection (2) of this section. The attorney general may evaluate such statement or documentation to ensure compliance with this part 17, and the statement or documentation is not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (7), a developer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the statement or documentation includes information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1702. (7) {high-risk artificial intelligence system} On and after February 1, 2026, the attorney general may require that a developer disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the statement or documentation described in subsection (2) of this section. The attorney general may evaluate such statement or documentation to ensure compliance with this part 17, and the statement or documentation is not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (7), a developer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the statement or documentation includes information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1702. (7) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The sensitivity and volume of data processed in connection with the le="background-color:#F0BBBC;" class="term_primary-noun">high-risk artificial intelligence systems e="background-color:#CBD0E5;" class="term_secondary-verb">deployed by the deployer. 6-1-1703. (2)(a)(IV) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The sensitivity and volume of data processed in connection with the le="background-color:#F0BBBC;" class="term_primary-noun">high-risk artificial intelligence systems e="background-color:#CBD0E5;" class="term_secondary-verb">deployed by the deployer. 6-1-1703. (2)(a)(IV)]	Establish/Maintain Documentation	Preventive
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565	Data and Information Management	Preventive
Protect electronic messaging information. CC ID 12022	Technical Security	Preventive
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360	Data and Information Management	Preventive
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699	Configuration	Preventive
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757	Testing	Detective
Store payment card data in secure chips, if possible. CC ID 13065	Configuration	Preventive
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758	Configuration	Preventive
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952	Technical Security	Preventive
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083	Data and Information Management	Preventive
Log the disclosure of personal data. CC ID 06628	Log Management	Preventive
Log the modification of personal data. CC ID 11844	Log Management	Preventive
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850	Technical Security	Preventive
Implement security measures to protect personal data. CC ID 13606	Technical Security	Preventive
Implement physical controls to protect personal data. CC ID 00355	Testing	Preventive
Limit data leakage. CC ID 00356	Data and Information Management	Preventive
Conduct personal data risk assessments. CC ID 00357	Testing	Detective
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851	Business Processes	Preventive
Establish, implement, and maintain suspicious document procedures. CC ID 04852	Establish/Maintain Documentation	Detective
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853	Data and Information Management	Detective
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855	Data and Information Management	Detective
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854	Monitor and Evaluate Occurrences	Detective
Perform an identity check prior to approving an account change request. CC ID 13670	Investigate	Detective
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857	Behavior	Detective
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873	Data and Information Management	Detective
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874	Log Management	Detective
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875	Monitor and Evaluate Occurrences	Corrective
Log dates for account name changes or address changes. CC ID 04876	Log Management	Detective
Review accounts that are changed for additional user requests. CC ID 11846	Monitor and Evaluate Occurrences	Detective
Send change notices for change of address requests to the old address and the new address. CC ID 04877	Data and Information Management	Detective
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408	Acquisition/Sale of Assets or Services	Preventive
Search the Internet for evidence of data leakage. CC ID 10419	Process or Activity	Detective
Alert appropriate personnel when data leakage is detected. CC ID 14715	Process or Activity	Preventive
Review monitored websites for data leakage. CC ID 10593	Monitor and Evaluate Occurrences	Detective
Take appropriate action when a data leakage is discovered. CC ID 14716	Process or Activity	Corrective
Develop remedies and sanctions for privacy policy violations. CC ID 00474	Data and Information Management	Preventive
Change or destroy any personal data that is incorrect. CC ID 00462 [On and after February 1, 2026, a deployer that has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer shall, if the consequential decision is adverse to the consumer, provide to the consumer: A statement disclosing the principal reason or reasons for the consequential decision, including: An opportunity to correct any incorrect personal data that the high-risk artificial intelligence system processed in making, or as a substantial factor in making, the consequential decision; and 6-1-1703. (4)(b)(II)]	Data and Information Management	Corrective
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463	Behavior	Corrective
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610	Data and Information Management	Preventive
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465	Data and Information Management	Corrective
Define the appeal process based on the applicable law. CC ID 00506 [On and after February 1, 2026, a deployer that has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer shall, if the consequential decision is adverse to the consumer, provide to the consumer: A statement disclosing the principal reason or reasons for the consequential decision, including: An opportunity to appeal an adverse consequential decision concerning the consumer arising from the deployment of a high-risk artificial intelligence system, which appeal must, if technically feasible, allow for human review unless providing the opportunity for appeal is not in the best interest of the consumer, including in instances in which any delay might pose a risk to the life or safety of such consumer. 6-1-1703. (4)(b)(III)]	Establish/Maintain Documentation	Preventive
Define the fee structure for the appeal process. CC ID 16532	Process or Activity	Preventive
Define the time requirements for the appeal process. CC ID 16531	Process or Activity	Preventive
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 [On and after February 1, 2026, a deployer that has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer shall, if the consequential decision is adverse to the consumer, provide to the consumer: A statement disclosing the principal reason or reasons for the consequential decision, including: An opportunity to appeal an adverse consequential decision concerning the consumer arising from the deployment of a high-risk artificial intelligence system, which appeal must, if technically feasible, allow for human review unless providing the opportunity for appeal is not in the best interest of the consumer, including in instances in which any delay might pose a risk to the life or safety of such consumer. 6-1-1703. (4)(b)(III)]	Communicate	Preventive
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542	Communicate	Preventive

Records management

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Retain records in accordance with applicable requirements. CC ID 00968 [A deployer shall maintain the most recently completed impact assessment for a high-risk artificial intelligence system as required under this subsection (3), all records concerning each impact assessment, and all prior impact assessments, if any, for at least three years following the final deployment of the high-risk artificial intelligence system. 6-1-1703. (3)(f) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9)]	Records Management	Preventive

Systems design, build, and implementation

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Systems design, build, and implementation CC ID 00989	IT Impact Zone	IT Impact Zone
Establish and maintain technical documentation. CC ID 15005 [A developer that also serves as a deployer for a high-risk artificial intelligence system is not required to generate the documentation required by this section unless the high-risk artificial intelligence system is provided to an unaffiliated entity acting as a deployer. 6-1-1702. (3)(b) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9)]	Establish/Maintain Documentation	Preventive
Retain technical documentation on the premises where the artificial intelligence system is located. CC ID 15104	Establish/Maintain Documentation	Preventive
Include the risk mitigation measures in the technical documentation. CC ID 17246 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: The measures the developer has taken to mitigate known or reasonably foreseeable risks of algorithmic discrimination that may arise from the reasonably foreseeable deployment of the high-risk artificial intelligence system; and 6-1-1702. (2)(c)(IV)]	Establish/Maintain Documentation	Preventive
Include the intended outputs of the system in the technical documentation. CC ID 17245 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: The intended outputs of the high-risk artificial intelligence system; 6-1-1702. (2)(c)(III) On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: Any additional documentation that is reasonably necessary to assist the deployer in understanding the outputs and monitor the performance of the high-risk artificial intelligence system for risks of algorithmic discrimination. 6-1-1702. (2)(d)]	Establish/Maintain Documentation	Preventive
Include the limitations of the system in the technical documentation. CC ID 17242 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation disclosing: Known or reasonably foreseeable limitations of the high-risk artificial intelligence system, including known or reasonably foreseeable risks of algorithmic discrimination arising from the intended uses of the high-risk artificial intelligence system; 6-1-1702. (2)(b)(II)]	Establish/Maintain Documentation	Preventive
Include the types of data used to train the artificial intelligence system in the technical documentation. CC ID 17241 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: High-level summaries of the type of data used to train the high-risk artificial intelligence system; 6-1-1702. (2)(b)(I)]	Establish/Maintain Documentation	Preventive
Include all required information in the technical documentation. CC ID 15094 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation disclosing: All other information necessary to allow the deployer to comply with the requirements of section 6-1-1703; 6-1-1702. (2)(b)(V)]	Establish/Maintain Documentation	Preventive
Include information that demonstrates compliance with requirements in the technical documentation. CC ID 15088	Establish/Maintain Documentation	Preventive
Disseminate and communicate technical documentation to interested personnel and affected parties. CC ID 17229 [On and after February 1, 2026, and no later than the time that a deployer deploys a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer, the deployer shall: Provide to the consumer a statement disclosing the purpose of the high-risk artificial intelligence system and the nature of the consequential decision; the contact information for the deployer; a description, in plain language, of the high-risk artificial intelligence system; and instructions on how to access the statement required by subsection (5)(a) of this section; and 6-1-1703. (4)(a)(II)]	Communicate	Preventive

Common Controls and
mandates by Type 65 Mandated Controls - bold
43 Implied Controls - italic 411 Implementation

Number of Controls

519 Total

Acquisition/Sale of Assets or Services

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571	Audits and risk management	Corrective
Prohibit artificial intelligence systems from being placed on the market when it is not in compliance with the requirements. CC ID 15029	Operational management	Preventive
Prohibit artificial intelligence systems that deploys subliminal techniques from being placed on the market. CC ID 15012	Operational management	Preventive
Prohibit artificial intelligence systems that use social scores for unfavorable treatment from being placed on the market. CC ID 15010	Operational management	Preventive
Prohibit artificial intelligence systems that evaluate or classify the trustworthiness of individuals from being placed on the market. CC ID 15008	Operational management	Preventive
Prohibit artificial intelligence systems that exploits vulnerabilities of a specific group of persons from being placed on the market. CC ID 15006	Operational management	Preventive
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408	Privacy protection for information and data	Preventive

Audits and Risk Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992	Audits and risk management	Preventive
Analyze the risk management strategy for addressing threats. CC ID 12925 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: How the high-risk artificial intelligence system was evaluated for performance and mitigation of algorithmic discrimination before the high-risk artificial intelligence system was offered, sold, leased, licensed, given, or otherwise made available to the deployer; 6-1-1702. (2)(c)(I)]	Audits and risk management	Detective
Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 [Except as provided in subsections (3)(d), (3)(e), and (6) of this section: On and after February 1, 2026, a deployer, or a third party contracted by the deployer, shall complete an impact assessment for a deployed high-risk artificial intelligence system at least annually and within ninety days after any intentional and substantial modification to the high-risk artificial intelligence system is made available. 6-1-1703. (3)(a)(II) Except as provided in subsections (3)(d), (3)(e), and (6) of this section: A deployer, or a third party contracted by the deployer, that deploys a high-risk artificial intelligence system on or after February 1, 2026, shall complete an impact assessment for the high-risk artificial intelligence system; and 6-1-1703. (3)(a)(I) Except as provided in subsection (6) of this section, a developer that offers, sells, leases, licenses, gives, or otherwise makes available to a deployer or other developer a high-risk artificial intelligence system on or after February 1, 2026, shall make available to the deployer or other developer, to the extent feasible, the documentation and information, through artifacts such as model cards, dataset cards, or other impact assessments, necessary for a deployer, or for a third party contracted by a deployer, to complete an impact assessment pursuant to section 6-1-1703 (3). 6-1-1702. (3)(a) An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: An analysis of whether the deployment of the high-risk artificial intelligence system poses any known or reasonably foreseeable risks of algorithmic discrimination and, if so, the nature of the algorithmic discrimination and the steps that have been taken to mitigate the risks; 6-1-1703. (3)(b)(II) The attorney general may promulgate rules as necessary for the purpose of implementing and enforcing this part 17, including: The content and requirements of the impact assessments required by section 6-1-1703 (3); 6-1-1707. (1)(d) A single impact assessment may address a comparable set of high-risk artificial intelligence systems deployed by a deployer. 6-1-1703. (3)(d) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9)]	Audits and risk management	Preventive
Employ risk assessment procedures that take into account risk factors. CC ID 16560	Audits and risk management	Preventive
Review the risk profiles, as necessary. CC ID 16561	Audits and risk management	Detective
Conduct external audits of risk assessments, as necessary. CC ID 13308	Audits and risk management	Detective
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335	Audits and risk management	Detective
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320	Audits and risk management	Preventive
Analyze the impact of artificial intelligence systems on society. CC ID 16317	Audits and risk management	Detective
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316	Audits and risk management	Detective
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827	Audits and risk management	Preventive

Behavior

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain human oversight over artificial intelligence systems. CC ID 15003 [On or before February 1, 2026, and at least annually thereafter, a deployer, or a third party contracted by the deployer, must review the deployment of each high-risk artificial intelligence system deployed by the deployer to ensure that the high-risk artificial intelligence system is not causing algorithmic discrimination. 6-1-1703. (3)(g)]	Operational management	Preventive
Implement measures to enable personnel assigned to human oversight to decide to refrain from using the artificial intelligence system or override disregard, or reverse the output. CC ID 15079	Operational management	Preventive
Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383	Privacy protection for information and data	Preventive
Define the criteria for waivers of data subjects' rights. CC ID 16858	Privacy protection for information and data	Preventive
Revoke waivers of data subject's rights, as necessary. CC ID 16859	Privacy protection for information and data	Preventive
Notify the supervisory authority. CC ID 00472 [If a deployer deploys a high-risk artificial intelligence system on or after February 1, 2026, and subsequently discovers that the high-risk artificial intelligence system has caused algorithmic discrimination, the deployer, without unreasonable delay, but no later than ninety days after the date of the discovery, shall send to the attorney general, in a form and manner prescribed by the attorney general, a notice disclosing the discovery. 6-1-1703. (7)]	Privacy protection for information and data	Preventive
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857	Privacy protection for information and data	Detective
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463	Privacy protection for information and data	Corrective

Business Processes

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824	Leadership and high level objectives	Preventive
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336	Audits and risk management	Detective
Integrate the risk management program with the organization's business activities. CC ID 13661	Audits and risk management	Preventive
Integrate the risk management program into daily business decision-making. CC ID 13659	Audits and risk management	Preventive
Include regular updating in the risk management system. CC ID 14990	Audits and risk management	Preventive
Approve the threat and risk classification scheme. CC ID 15693	Audits and risk management	Preventive
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672	Audits and risk management	Preventive
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356	Audits and risk management	Preventive
Acquire cyber insurance, as necessary. CC ID 12693	Audits and risk management	Preventive
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818	Operational management	Preventive
Establish, implement, and maintain an Incident Management program. CC ID 00853	Operational management	Preventive
Limit artificial intelligence systems authorizations to the time period until conformity assessment procedures are complete. CC ID 15043	Operational management	Preventive
Terminate authorizations for artificial intelligence systems when conformity assessment procedures are complete. CC ID 15042	Operational management	Preventive
Authorize artificial intelligence systems to be put into service for exceptional reasons while conformity assessment procedures are being conducted. CC ID 15039	Operational management	Preventive
Assess the trustworthiness of artificial intelligence systems. CC ID 16319	Operational management	Detective
Authorize artificial intelligence systems to be placed on the market for exceptional reasons while conformity assessment procedures are being conducted. CC ID 15037	Operational management	Preventive
Withdraw authorizations that are unjustified. CC ID 15035	Operational management	Corrective
Ensure the transport conditions for artificial intelligence systems refrain from compromising compliance. CC ID 15031	Operational management	Detective
Receive prior authorization for the use of a remote biometric identification system. CC ID 15014	Operational management	Preventive
Refrain from making a decision based on system output unless verified by at least two natural persons. CC ID 15004	Operational management	Preventive
Enable users to interpret the artificial intelligence system's output and use. CC ID 15002	Operational management	Preventive
Document the use of remote biometric identification systems. CC ID 17215	Operational management	Preventive
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780	Privacy protection for information and data	Preventive
Provide the data subject with the data protection officer's contact information. CC ID 12573	Privacy protection for information and data	Preventive
Define the requirements for approving or denying approval applications. CC ID 16780	Privacy protection for information and data	Preventive
Extend the time limit for approving or denying approval applications. CC ID 16779	Privacy protection for information and data	Preventive
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851	Privacy protection for information and data	Preventive

Communicate

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945	Leadership and high level objectives	Preventive
Report errors and faults to the appropriate personnel, as necessary. CC ID 14296	Monitoring and measurement	Corrective
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572	Audits and risk management	Preventive
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567	Audits and risk management	Preventive
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313	Audits and risk management	Preventive
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115	Audits and risk management	Preventive
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136	Audits and risk management	Preventive
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313	Audits and risk management	Preventive
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300	Audits and risk management	Preventive
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694	Audits and risk management	Preventive
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832	Audits and risk management	Preventive
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829	Audits and risk management	Preventive
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825	Audits and risk management	Preventive
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662	Audits and risk management	Preventive
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712	Audits and risk management	Preventive
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792	Audits and risk management	Preventive
Provide affected parties with the role of artificial intelligence in decision making. CC ID 17236 [On and after February 1, 2026, and no later than the time that a deployer deploys a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer, the deployer shall: Notify the consumer that the deployer has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision before the decision is made; 6-1-1703. (4)(a)(I) On and after February 1, 2026, and no later than the time that a deployer deploys a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer, the deployer shall: Provide to the consumer a statement disclosing the purpose of the high-risk artificial intelligence system and the nature of the consequential decision; the contact information for the deployer; a description, in plain language, of the high-risk artificial intelligence system; and instructions on how to access the statement required by subsection (5)(a) of this section; and 6-1-1703. (4)(a)(II) On and after February 1, 2026, a deployer that has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer shall, if the consequential decision is adverse to the consumer, provide to the consumer: A statement disclosing the principal reason or reasons for the consequential decision, including: The degree to which, and manner in which, the high-risk artificial intelligence system contributed to the consequential decision; 6-1-1703. (4)(b)(I)(A)]	Operational management	Preventive
Refrain from notifying users when images, videos, or audio have been artificially generated or manipulated if use of the artificial intelligence system is authorized by law. CC ID 15051 [Disclosure is not required under subsection (1) of this section under circumstances in which it would be obvious to a reasonable person that the person is interacting with an artificial intelligence system. 6-1-1704. (2)]	Operational management	Preventive
Notify users when images, videos, or audio on the artificial intelligence system has been artificially generated or manipulated. CC ID 15019	Operational management	Preventive
Refrain from notifying users of artificial intelligence systems using biometric categorization for law enforcement. CC ID 15017	Operational management	Preventive
Notify users when they are using an artificial intelligence system. CC ID 15015 [On and after February 1, 2026, and except as provided in subsection (2) of this section, a deployer or other developer that deploys, offers, sells, leases, licenses, gives, or otherwise makes available an artificial intelligence system that is intended to interact with consumers shall ensure the disclosure to each consumer who interacts with the artificial intelligence system that the consumer is interacting with an artificial intelligence system. 6-1-1704. (1)]	Operational management	Preventive
Notify interested personnel and affected parties of the use of remote biometric identification systems. CC ID 17216	Operational management	Preventive
Disseminate and communicate technical documentation to interested personnel and affected parties. CC ID 17229 [On and after February 1, 2026, and no later than the time that a deployer deploys a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer, the deployer shall: Provide to the consumer a statement disclosing the purpose of the high-risk artificial intelligence system and the nature of the consequential decision; the contact information for the deployer; a description, in plain language, of the high-risk artificial intelligence system; and instructions on how to access the statement required by subsection (5)(a) of this section; and 6-1-1703. (4)(a)(II)]	Systems design, build, and implementation	Preventive
Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445	Privacy protection for information and data	Preventive
Deliver privacy notices to data subjects, as necessary. CC ID 13444	Privacy protection for information and data	Preventive
Update privacy notices, as necessary. CC ID 13474	Privacy protection for information and data	Preventive
Redeliver privacy notices, as necessary. CC ID 14850	Privacy protection for information and data	Preventive
Deliver privacy notices to third parties, as necessary. CC ID 13473	Privacy protection for information and data	Preventive
Obtain acknowledgment of receipt of the privacy notice. CC ID 14435	Privacy protection for information and data	Preventive
Deliver opt-out notices, as necessary. CC ID 13449	Privacy protection for information and data	Preventive
Include an initial privacy notification when delivering the opt-out notice. CC ID 13453	Privacy protection for information and data	Preventive
Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376	Privacy protection for information and data	Preventive
Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372	Privacy protection for information and data	Preventive
Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391	Privacy protection for information and data	Preventive
Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393	Privacy protection for information and data	Preventive
Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354	Privacy protection for information and data	Preventive
Notify data subjects about their privacy rights. CC ID 12989	Privacy protection for information and data	Preventive
Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352	Privacy protection for information and data	Preventive
Provide public proof the organization participates in a privacy program. CC ID 12349	Privacy protection for information and data	Preventive
Disclose statements added to education records, as necessary. CC ID 12990	Privacy protection for information and data	Preventive
Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005	Privacy protection for information and data	Preventive
Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023	Privacy protection for information and data	Preventive
Disclose educational data absent consent when it concerns sex offenders. CC ID 13013	Privacy protection for information and data	Preventive
Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject, as necessary. CC ID 12625	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645	Privacy protection for information and data	Preventive
Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when the data subject has the information. CC ID 12628	Privacy protection for information and data	Preventive
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433	Privacy protection for information and data	Preventive
Submit approval applications to the supervisory authority. CC ID 16627	Privacy protection for information and data	Preventive
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605	Privacy protection for information and data	Preventive
Respond to questions about submissions in a timely manner. CC ID 16930	Privacy protection for information and data	Preventive
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675	Privacy protection for information and data	Corrective
Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901	Privacy protection for information and data	Preventive
Notify the data subject of the disclosure purpose. CC ID 15268	Privacy protection for information and data	Preventive
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509	Privacy protection for information and data	Preventive
Notify that data subject of any exclusions to requested personal data. CC ID 15271	Privacy protection for information and data	Preventive
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599	Privacy protection for information and data	Preventive
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 [On and after February 1, 2026, a deployer that has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer shall, if the consequential decision is adverse to the consumer, provide to the consumer: A statement disclosing the principal reason or reasons for the consequential decision, including: An opportunity to appeal an adverse consequential decision concerning the consumer arising from the deployment of a high-risk artificial intelligence system, which appeal must, if technically feasible, allow for human review unless providing the opportunity for appeal is not in the best interest of the consumer, including in instances in which any delay might pose a risk to the life or safety of such consumer. 6-1-1703. (4)(b)(III)]	Privacy protection for information and data	Preventive
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542	Privacy protection for information and data	Preventive

Configuration

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699	Privacy protection for information and data	Preventive
Store payment card data in secure chips, if possible. CC ID 13065	Privacy protection for information and data	Preventive
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758	Privacy protection for information and data	Preventive

Data and Information Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Include the data source in the data governance and management practices. CC ID 17211	Leadership and high level objectives	Preventive
Include data quality in the risk management strategies. CC ID 15308	Audits and risk management	Preventive
Post all required information on organizational websites and ensure all hyperlinks are working. CC ID 04579 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer shall make available, in a manner that is clear and readily available on the deployer's website, a statement summarizing: The types of high-risk artificial intelligence systems that are currently deployed by the deployer; 6-1-1703. (5)(a)(I) On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer shall make available, in a manner that is clear and readily available on the deployer's website, a statement summarizing: How the deployer manages known or reasonably foreseeable risks of algorithmic discrimination that may arise from the deployment of each high-risk artificial intelligence system described pursuant to subsection (5)(a)(I) of this section; and 6-1-1703. (5)(a)(II) On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer shall make available, in a manner that is clear and readily available on the deployer's website, a statement summarizing: In detail, the nature, source, and extent of the information collected and used by the deployer. 6-1-1703. (5)(a)(III) {high-risk artificial intelligence system} A deployer shall periodically update the statement described in subsection (5)(a) of this section. 6-1-1703. (5)(b) On and after February 1, 2026, a developer shall make available, in a manner that is clear and readily available on the developer's website or in a public use case inventory, a statement summarizing: The types of high-risk artificial intelligence systems that the developer has developed or intentionally and substantially modified and currently makes available to a deployer or other developer; and 6-1-1702. (4)(a)(I) On and after February 1, 2026, and no later than the time that a deployer deploys a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer, the deployer shall: Provide to the consumer a statement disclosing the purpose of the high-risk artificial intelligence system and the nature of the consequential decision; the contact information for the deployer; a description, in plain language, of the high-risk artificial intelligence system; and instructions on how to access the statement required by subsection (5)(a) of this section; and 6-1-1703. (4)(a)(II)]	Operational and Systems Continuity	Preventive
Implement measures to enable personnel assigned to human oversight to interpret output correctly. CC ID 15089	Operational management	Preventive
Establish, implement, and maintain a personal data transparency program. CC ID 00375 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A description of any transparency measures taken concerning the high-risk artificial intelligence system, including any measures taken to disclose to a consumer that the high-risk artificial intelligence system is in use when the high-risk artificial intelligence system is in use; and 6-1-1703. (3)(b)(VI)]	Privacy protection for information and data	Preventive
Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819	Privacy protection for information and data	Preventive
Deliver notices to the intended parties. CC ID 06240 [{make available} {be reasonable} If the deployer is unable to provide the notice, statement, contact information, and description required by subsections (4)(a) and (4)(b) of this section directly to the consumer, the deployer shall make the notice, statement, contact information, and description available in a manner that is reasonably calculated to ensure that the consumer receives the notice, statement, contact information, and description. 6-1-1703. (4)(c)(II)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain adequate openness procedures. CC ID 00377	Privacy protection for information and data	Preventive
Provide legal authorities access to personal data, upon request. CC ID 06818	Privacy protection for information and data	Preventive
Document the countries where restricted data may be stored. CC ID 12750	Privacy protection for information and data	Preventive
Protect the rights of students and their parents or legal representatives. CC ID 00222	Privacy protection for information and data	Preventive
Disclose educational data, as necessary. CC ID 00223	Privacy protection for information and data	Preventive
Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220	Privacy protection for information and data	Preventive
Disclose education records when written consent is received. CC ID 00224	Privacy protection for information and data	Preventive
Disclose educational data absent consent to other school officials. CC ID 00226	Privacy protection for information and data	Preventive
Disclose educational data absent consent to another institution's school officials. CC ID 00227	Privacy protection for information and data	Preventive
Disclose educational data absent consent in connection with financial aid. CC ID 00229	Privacy protection for information and data	Preventive
Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230	Privacy protection for information and data	Preventive
Disclose educational data absent consent to accrediting organizations. CC ID 00231	Privacy protection for information and data	Preventive
Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232	Privacy protection for information and data	Preventive
Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233	Privacy protection for information and data	Preventive
Disclose educational data absent consent for a health and safety emergency. CC ID 00234	Privacy protection for information and data	Preventive
Disclose educational data absent consent when it is merely directory information. CC ID 00235	Privacy protection for information and data	Preventive
Disclose educational data absent consent to a crime victim. CC ID 00236	Privacy protection for information and data	Preventive
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396	Privacy protection for information and data	Preventive
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399	Privacy protection for information and data	Preventive
Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860	Privacy protection for information and data	Preventive
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298	Privacy protection for information and data	Preventive
Review personal data disclosure requests. CC ID 07129	Privacy protection for information and data	Preventive
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435	Privacy protection for information and data	Preventive
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436	Privacy protection for information and data	Preventive
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437	Privacy protection for information and data	Preventive
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438	Privacy protection for information and data	Preventive
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439	Privacy protection for information and data	Preventive
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440	Privacy protection for information and data	Preventive
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [{refrain from requiring} Nothing in subsections (2) to (5) and (7) of this section requires a deployer to disclose a trade secret or information protected from disclosure by state or federal law. To the extent that a deployer withholds information pursuant to this subsection (8) or section 6-1-1705 (5), the deployer shall notify the consumer and provide a basis for the withholding. 6-1-1703. (8) {refrain from requiring} Nothing in subsections (2) to (5) of this section requires a developer to disclose a trade secret, information protected from disclosure by state or federal law, or information that would create a security risk to the developer. 6-1-1702. (6)]	Privacy protection for information and data	Preventive
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442	Privacy protection for information and data	Preventive
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443	Privacy protection for information and data	Preventive
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600	Privacy protection for information and data	Preventive
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444	Privacy protection for information and data	Preventive
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445	Privacy protection for information and data	Preventive
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446	Privacy protection for information and data	Detective
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447	Privacy protection for information and data	Preventive
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448	Privacy protection for information and data	Preventive
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449	Privacy protection for information and data	Preventive
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450	Privacy protection for information and data	Preventive
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451	Privacy protection for information and data	Preventive
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873	Privacy protection for information and data	Preventive
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874	Privacy protection for information and data	Preventive
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875	Privacy protection for information and data	Preventive
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [{refrain from requiring} Nothing in subsections (2) to (5) and (7) of this section requires a deployer to disclose a trade secret or information protected from disclosure by state or federal law. To the extent that a deployer withholds information pursuant to this subsection (8) or section 6-1-1705 (5), the deployer shall notify the consumer and provide a basis for the withholding. 6-1-1703. (8)]	Privacy protection for information and data	Preventive
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454	Privacy protection for information and data	Preventive
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428	Privacy protection for information and data	Preventive
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876	Privacy protection for information and data	Preventive
Provide data or records in a reasonable time frame. CC ID 00429	Privacy protection for information and data	Preventive
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591	Privacy protection for information and data	Preventive
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590	Privacy protection for information and data	Preventive
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589	Privacy protection for information and data	Preventive
Provide data at a cost that is not excessive. CC ID 00430	Privacy protection for information and data	Preventive
Provide records or data in a reasonable manner. CC ID 00431	Privacy protection for information and data	Preventive
Provide personal data in a form that is intelligible. CC ID 00432	Privacy protection for information and data	Preventive
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604	Privacy protection for information and data	Preventive
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602	Privacy protection for information and data	Preventive
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601	Privacy protection for information and data	Preventive
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565	Privacy protection for information and data	Preventive
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360	Privacy protection for information and data	Preventive
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083	Privacy protection for information and data	Preventive
Limit data leakage. CC ID 00356	Privacy protection for information and data	Preventive
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853	Privacy protection for information and data	Detective
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855	Privacy protection for information and data	Detective
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873	Privacy protection for information and data	Detective
Send change notices for change of address requests to the old address and the new address. CC ID 04877	Privacy protection for information and data	Detective
Develop remedies and sanctions for privacy policy violations. CC ID 00474	Privacy protection for information and data	Preventive
Change or destroy any personal data that is incorrect. CC ID 00462 [On and after February 1, 2026, a deployer that has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer shall, if the consequential decision is adverse to the consumer, provide to the consumer: A statement disclosing the principal reason or reasons for the consequential decision, including: An opportunity to correct any incorrect personal data that the high-risk artificial intelligence system processed in making, or as a substantial factor in making, the consequential decision; and 6-1-1703. (4)(b)(II)]	Privacy protection for information and data	Corrective
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610	Privacy protection for information and data	Preventive
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465	Privacy protection for information and data	Corrective

Establish Roles

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Include roles and responsibilities in the registration notice. CC ID 16803	Privacy protection for information and data	Preventive
Require data controllers to be accountable for their actions. CC ID 00470	Privacy protection for information and data	Preventive

Establish/Maintain Documentation

223

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain data governance and management practices. CC ID 14998 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: The data governance measures used to cover the training datasets and the measures used to examine the suitability of data sources, possible biases, and appropriate mitigation; 6-1-1702. (2)(c)(II)]	Leadership and high level objectives	Preventive
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087	Leadership and high level objectives	Preventive
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086	Leadership and high level objectives	Preventive
Include bias for data sets in the data governance and management practices. CC ID 15085 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: The data governance measures used to cover the training datasets and the measures used to examine the suitability of data sources, possible biases, and appropriate mitigation; 6-1-1702. (2)(c)(II)]	Leadership and high level objectives	Preventive
Include a data strategy in the data governance and management practices. CC ID 15304	Leadership and high level objectives	Preventive
Include data monitoring in the data governance and management practices. CC ID 15303	Leadership and high level objectives	Preventive
Include an assessment of the data sets in the data governance and management practices. CC ID 15084	Leadership and high level objectives	Preventive
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083	Leadership and high level objectives	Preventive
Include data collection for data sets in the data governance and management practices. CC ID 15082	Leadership and high level objectives	Preventive
Include data preparations for data sets in the data governance and management practices. CC ID 15081 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: The data governance measures used to cover the training datasets and the measures used to examine the suitability of data sources, possible biases, and appropriate mitigation; 6-1-1702. (2)(c)(II)]	Leadership and high level objectives	Preventive
Include design choices for data sets in the data governance and management practices. CC ID 15080	Leadership and high level objectives	Preventive
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241	Leadership and high level objectives	Preventive
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 [The attorney general may promulgate rules as necessary for the purpose of implementing and enforcing this part 17, including: 6-1-1707. (1)]	Leadership and high level objectives	Preventive
Include contact information in the organization's policies, standards, and procedures. CC ID 17167 [On and after February 1, 2026, and no later than the time that a deployer deploys a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer, the deployer shall: Provide to the consumer a statement disclosing the purpose of the high-risk artificial intelligence system and the nature of the consequential decision; the contact information for the deployer; a description, in plain language, of the high-risk artificial intelligence system; and instructions on how to access the statement required by subsection (5)(a) of this section; and 6-1-1703. (4)(a)(II)]	Leadership and high level objectives	Preventive
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 [The attorney general may promulgate rules as necessary for the purpose of implementing and enforcing this part 17, including: The documentation and requirements for developers pursuant to section 6-1-1702 (2); 6-1-1707. (1)(a) The attorney general may promulgate rules as necessary for the purpose of implementing and enforcing this part 17, including: The contents of and requirements for the notices and disclosures required by sections 6-1-1702 (5) and (7); 6-1-1703 (4), (5), (7), and (9); and 6-1-1704; 6-1-1707. (1)(b)]	Leadership and high level objectives	Preventive
Analyze organizational policies, as necessary. CC ID 14037	Leadership and high level objectives	Detective
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778	Leadership and high level objectives	Preventive
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771	Leadership and high level objectives	Corrective
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774	Leadership and high level objectives	Preventive
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773	Leadership and high level objectives	Preventive
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772	Leadership and high level objectives	Preventive
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329	Leadership and high level objectives	Preventive
Include when exemptions expire in the compliance exception standard. CC ID 14330	Leadership and high level objectives	Preventive
Include management of the exemption register in the compliance exception standard. CC ID 14328	Leadership and high level objectives	Preventive
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671	Monitoring and measurement	Preventive
Establish, implement, and maintain a metrics policy. CC ID 01654	Monitoring and measurement	Preventive
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653	Monitoring and measurement	Preventive
Establish, implement, and maintain a risk management program. CC ID 12051 [{risk management program} On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer of a high-risk artificial intelligence system shall implement a risk management policy and program to govern the deployer's deployment of the high-risk artificial intelligence system. The risk management policy and program must specify and incorporate the principles, processes, and personnel that the deployer uses to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination. The risk management policy and program must be an iterative process planned, implemented, and regularly and systematically reviewed and updated over the life cycle of a high-risk artificial intelligence system, requiring regular, systematic review and updates. A risk management policy and program implemented and maintained pursuant to this subsection (2) must be reasonable considering: 6-1-1703. (2)(a) {risk management program} On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer of a high-risk artificial intelligence system shall implement a risk management policy and program to govern the deployer's deployment of the high-risk artificial intelligence system. The risk management policy and program must specify and incorporate the principles, processes, and personnel that the deployer uses to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination. The risk management policy and program must be an iterative process planned, implemented, and regularly and systematically reviewed and updated over the life cycle of a high-risk artificial intelligence system, requiring regular, systematic review and updates. A risk management policy and program implemented and maintained pursuant to this subsection (2) must be reasonable considering: 6-1-1703. (2)(a) {risk management program} The attorney general may promulgate rules as necessary for the purpose of implementing and enforcing this part 17, including: The content and requirements of the risk management policy and program required by section 6-1-1703 (2); 6-1-1707. (1)(c)]	Audits and risk management	Preventive
Include the scope of risk management activities in the risk management program. CC ID 13658	Audits and risk management	Preventive
Include managing mobile risks in the risk management program. CC ID 13535	Audits and risk management	Preventive
Establish, implement, and maintain a risk management policy. CC ID 17192 [{risk management program} On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer of a high-risk artificial intelligence system shall implement a risk management policy and program to govern the deployer's deployment of the high-risk artificial intelligence system. The risk management policy and program must specify and incorporate the principles, processes, and personnel that the deployer uses to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination. The risk management policy and program must be an iterative process planned, implemented, and regularly and systematically reviewed and updated over the life cycle of a high-risk artificial intelligence system, requiring regular, systematic review and updates. A risk management policy and program implemented and maintained pursuant to this subsection (2) must be reasonable considering: 6-1-1703. (2)(a) {risk management program} The attorney general may promulgate rules as necessary for the purpose of implementing and enforcing this part 17, including: The content and requirements of the risk management policy and program required by section 6-1-1703 (2); 6-1-1707. (1)(c) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9)]	Audits and risk management	Preventive
Establish, implement, and maintain risk management strategies. CC ID 13209 [{risk management program} On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer of a high-risk artificial intelligence system shall implement a risk management policy and program to govern the deployer's deployment of the high-risk artificial intelligence system. The risk management policy and program must specify and incorporate the principles, processes, and personnel that the deployer uses to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination. The risk management policy and program must be an iterative process planned, implemented, and regularly and systematically reviewed and updated over the life cycle of a high-risk artificial intelligence system, requiring regular, systematic review and updates. A risk management policy and program implemented and maintained pursuant to this subsection (2) must be reasonable considering: 6-1-1703. (2)(a)]	Audits and risk management	Preventive
Include off-site storage of supplies in the risk management strategies. CC ID 13221	Audits and risk management	Preventive
Include minimizing service interruptions in the risk management strategies. CC ID 13215	Audits and risk management	Preventive
Include off-site storage in the risk mitigation strategies. CC ID 13213	Audits and risk management	Preventive
Establish, implement, and maintain the risk assessment framework. CC ID 00685	Audits and risk management	Preventive
Establish, implement, and maintain a risk assessment program. CC ID 00687	Audits and risk management	Preventive
Establish, implement, and maintain insurance requirements. CC ID 16562	Audits and risk management	Preventive
Address cybersecurity risks in the risk assessment program. CC ID 13193	Audits and risk management	Preventive
Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: If the deployer used data to customize the high-risk artificial intelligence system, an overview of the categories of data the deployer used to customize the high-risk artificial intelligence system; 6-1-1703. (3)(b)(IV) An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A description of the categories of data the high-risk artificial intelligence system processes as inputs and the outputs the high-risk artificial intelligence system produces; 6-1-1703. (3)(b)(III)]	Audits and risk management	Preventive
Include metrics in the fundamental rights impact assessment. CC ID 17249 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: Any metrics used to evaluate the performance and known limitations of the high-risk artificial intelligence system; 6-1-1703. (3)(b)(V)]	Audits and risk management	Preventive
Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A statement by the deployer disclosing the purpose, intended use cases, and deployment context of, and benefits afforded by, the high-risk artificial intelligence system; 6-1-1703. (3)(b)(I)]	Audits and risk management	Preventive
Include user safeguards in the fundamental rights impact assessment. CC ID 17255 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A description of the post-deployment monitoring and user safeguards provided concerning the high-risk artificial intelligence system, including the oversight, use, and learning process established by the deployer to address issues arising from the deployment of the high-risk artificial intelligence system. 6-1-1703. (3)(b)(VII)]	Audits and risk management	Preventive
Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A description of the categories of data the high-risk artificial intelligence system processes as inputs and the outputs the high-risk artificial intelligence system produces; 6-1-1703. (3)(b)(III)]	Audits and risk management	Preventive
Include the purpose in the fundamental rights impact assessment. CC ID 17243 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A statement by the deployer disclosing the purpose, intended use cases, and deployment context of, and benefits afforded by, the high-risk artificial intelligence system; 6-1-1703. (3)(b)(I)]	Audits and risk management	Preventive
Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A description of the post-deployment monitoring and user safeguards provided concerning the high-risk artificial intelligence system, including the oversight, use, and learning process established by the deployer to address issues arising from the deployment of the high-risk artificial intelligence system. 6-1-1703. (3)(b)(VII)]	Audits and risk management	Preventive
Include risk management measures in the fundamental rights impact assessment. CC ID 17224 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: An analysis of whether the deployment of the high-risk artificial intelligence system poses any known or reasonably foreseeable risks of algorithmic discrimination and, if so, the nature of the algorithmic discrimination and the steps that have been taken to mitigate the risks; 6-1-1703. (3)(b)(II)]	Audits and risk management	Preventive
Include human oversight measures in the fundamental rights impact assessment. CC ID 17223	Audits and risk management	Preventive
Include risks in the fundamental rights impact assessment. CC ID 17222 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: An analysis of whether the deployment of the high-risk artificial intelligence system poses any known or reasonably foreseeable risks of algorithmic discrimination and, if so, the nature of the algorithmic discrimination and the steps that have been taken to mitigate the risks; 6-1-1703. (3)(b)(II)]	Audits and risk management	Preventive
Include affected parties in the fundamental rights impact assessment. CC ID 17221	Audits and risk management	Preventive
Include the frequency in the fundamental rights impact assessment. CC ID 17220	Audits and risk management	Preventive
Include the usage duration in the fundamental rights impact assessment. CC ID 17219	Audits and risk management	Preventive
Include system use in the fundamental rights impact assessment. CC ID 17218 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A statement by the deployer disclosing the purpose, intended use cases, and deployment context of, and benefits afforded by, the high-risk artificial intelligence system; 6-1-1703. (3)(b)(I) An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A statement by the deployer disclosing the purpose, intended use cases, and deployment context of, and benefits afforded by, the high-risk artificial intelligence system; 6-1-1703. (3)(b)(I) In addition to the information required under subsection (3)(b) of this section, an impact assessment completed pursuant to this subsection (3) following an intentional and substantial modification to a high-risk artificial intelligence system on or after February 1, 2026, must include a statement disclosing the extent to which the high-risk artificial intelligence system was used in a manner that was consistent with, or varied from, the developer's intended uses of the high-risk artificial intelligence system. 6-1-1703. (3)(c)]	Audits and risk management	Preventive
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371	Audits and risk management	Preventive
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370	Audits and risk management	Preventive
Establish, implement, and maintain a risk assessment policy. CC ID 14026	Audits and risk management	Preventive
Include compliance requirements in the risk assessment policy. CC ID 14121	Audits and risk management	Preventive
Include coordination amongst entities in the risk assessment policy. CC ID 14120	Audits and risk management	Preventive
Include management commitment in the risk assessment policy. CC ID 14119	Audits and risk management	Preventive
Include roles and responsibilities in the risk assessment policy. CC ID 14118	Audits and risk management	Preventive
Include the scope in the risk assessment policy. CC ID 14117	Audits and risk management	Preventive
Include the purpose in the risk assessment policy. CC ID 14116	Audits and risk management	Preventive
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241	Audits and risk management	Preventive
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312	Audits and risk management	Preventive
Create a risk assessment report based on the risk assessment results. CC ID 15695	Audits and risk management	Preventive
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224	Audits and risk management	Preventive
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264	Audits and risk management	Preventive
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223	Audits and risk management	Preventive
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222	Audits and risk management	Preventive
Include pandemic risks in the Business Impact Analysis. CC ID 13219	Audits and risk management	Preventive
Establish, implement, and maintain a risk register. CC ID 14828	Audits and risk management	Preventive
Document the results of the gap analysis. CC ID 16271	Audits and risk management	Preventive
Include roles and responsibilities in the risk treatment plan. CC ID 16991	Audits and risk management	Preventive
Include time information in the risk treatment plan. CC ID 16993	Audits and risk management	Preventive
Include allocation of resources in the risk treatment plan. CC ID 16989	Audits and risk management	Preventive
Include the date of the risk assessment in the risk treatment plan. CC ID 16321	Audits and risk management	Preventive
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620	Audits and risk management	Preventive
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619	Audits and risk management	Preventive
Document residual risk in a residual risk report. CC ID 13664	Audits and risk management	Corrective
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 [On and after February 1, 2026, a developer of a high-risk artificial intelligence system shall use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination arising from the intended and contracted uses of the high-risk artificial intelligence system. In any enforcement action brought on or after February 1, 2026, by the attorney general pursuant to section 6-1-1706, there is a rebuttable presumption that a developer used reasonable care as required under this section if the developer complied with this section and any additional requirements or obligations as set forth in rules promulgated by the attorney general pursuant to section 6-1-1707. 6-1-1702. (1) {risk management program} On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer of a high-risk artificial intelligence system shall implement a risk management policy and program to govern the deployer's deployment of the high-risk artificial intelligence system. The risk management policy and program must specify and incorporate the principles, processes, and personnel that the deployer uses to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination. The risk management policy and program must be an iterative process planned, implemented, and regularly and systematically reviewed and updated over the life cycle of a high-risk artificial intelligence system, requiring regular, systematic review and updates. A risk management policy and program implemented and maintained pursuant to this subsection (2) must be reasonable considering: 6-1-1703. (2)(a) On and after February 1, 2026, a deployer of a high-risk artificial intelligence system shall use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination. In any enforcement action brought on or after February 1, 2026, by the attorney general pursuant to section 6-1-1706, there is a rebuttable presumption that a deployer of a high-risk artificial intelligence system used reasonable care as required under this section if the deployer complied with this section and any additional requirements or obligations as set forth in rules promulgated by the attorney general pursuant to section 6-1-1707. 6-1-1703. (1) On and after February 1, 2026, a developer shall make available, in a manner that is clear and readily available on the developer's website or in a public use case inventory, a statement summarizing: How the developer manages known or reasonably foreseeable risks of algorithmic discrimination that may arise from the development or intentional and substantial modification of the types of high-risk artificial intelligence systems described in accordance with subsection (4)(a)(I) of this section. 6-1-1702. (4)(a)(II) On and after February 1, 2026, a developer of a high-risk artificial intelligence system shall disclose to the attorney general, in a form and manner prescribed by the attorney general, and to all known deployers or other developers of the high-risk artificial intelligence system, any known or reasonably foreseeable risks of algorithmic discrimination arising from the intended uses of the high-risk artificial intelligence system without unreasonable delay but no later than ninety days after the date on which: 6-1-1702. (5) The attorney general may promulgate rules as necessary for the purpose of implementing and enforcing this part 17, including: The requirements for the affirmative defense set forth in section 6-1-1706 (3), including the process by which the attorney general will recognize any other nationally or internationally recognized risk management framework for artificial intelligence systems. 6-1-1707. (1)(f) {algorithmic discrimination} {risk management} The attorney general may promulgate rules as necessary for the purpose of implementing and enforcing this part 17, including: The requirements for the rebuttable presumptions set forth in sections 6-1-1702 and 6-1-1703; and 6-1-1707. (1)(e) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The size and un">complexityspan> of the deployer; 6-1-1703. (2)(a)(II) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The nature and scope of the rm_primary-noun">high-risk artificial intelligence systems deployed by the deployer, including the intended uses of the high-risk artificial intelligence systems; and 6-1-1703. (2)(a)(III) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The nature and scope of the rm_primary-noun">high-risk artificial intelligence systems deployed by the deployer, including the intended uses of the high-risk artificial intelligence systems; and 6-1-1703. (2)(a)(III) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The sensitivity and volume of data processed in connection with the le="background-color:#F0BBBC;" class="term_primary-noun">high-risk artificial intelligence systems e="background-color:#CBD0E5;" class="term_secondary-verb">deployed by the deployer. 6-1-1703. (2)(a)(IV) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The sensitivity and volume of data processed in connection with the le="background-color:#F0BBBC;" class="term_primary-noun">high-risk artificial intelligence systems e="background-color:#CBD0E5;" class="term_secondary-verb">deployed by the deployer. 6-1-1703. (2)(a)(IV)]	Audits and risk management	Preventive
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255	Audits and risk management	Preventive
Include a commitment to continuous improvement In the cybersecurity risk management program. CC ID 16839	Audits and risk management	Preventive
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834	Audits and risk management	Preventive
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276	Audits and risk management	Preventive
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582	Audits and risk management	Preventive
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826	Audits and risk management	Preventive
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830	Audits and risk management	Preventive
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663	Audits and risk management	Preventive
Include compliance requirements in the supply chain risk management policy. CC ID 14711	Audits and risk management	Preventive
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710	Audits and risk management	Preventive
Include management commitment in the supply chain risk management policy. CC ID 14709	Audits and risk management	Preventive
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708	Audits and risk management	Preventive
Include the scope in the supply chain risk management policy. CC ID 14707	Audits and risk management	Preventive
Include the purpose in the supply chain risk management policy. CC ID 14706	Audits and risk management	Preventive
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713	Audits and risk management	Preventive
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619	Audits and risk management	Preventive
Include dates in the supply chain risk management plan. CC ID 15617	Audits and risk management	Preventive
Include implementation milestones in the supply chain risk management plan. CC ID 15615	Audits and risk management	Preventive
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613	Audits and risk management	Preventive
Include supply chain risk management procedures in the risk management program. CC ID 13190	Audits and risk management	Preventive
Include website continuity procedures in the continuity plan. CC ID 01380	Operational and Systems Continuity	Preventive
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406	Operational management	Preventive
Establish, implement, and maintain an information security program. CC ID 00812	Operational management	Preventive
Establish, implement, and maintain operational control procedures. CC ID 00831	Operational management	Preventive
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826	Operational management	Preventive
Include system use information in the standard operating procedures manual. CC ID 17240 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: A general statement describing the reasonably foreseeable uses and known harmful or inappropriate uses of the high-risk artificial intelligence system; 6-1-1702. (2)(a) On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation disclosing: The intended benefits and uses of the high-risk artificial intelligence system; and 6-1-1702. (2)(b)(IV)]	Operational management	Preventive
Include the intended purpose in the standard operating procedures manual. CC ID 14967 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation disclosing: The purpose of the high-risk artificial intelligence system; 6-1-1702. (2)(b)(III) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The nature and scope of the high-risk artificial intelligence systems deployed by the deployer, including the intended uses of the high-risk artificial intelligence systems; and 6-1-1703. (2)(a)(III) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The nature and scope of the high-risk artificial intelligence systems deployed by the deployer, including the intended uses of the high-risk artificial intelligence systems; and 6-1-1703. (2)(a)(III)]	Operational management	Preventive
Include information on system performance in the standard operating procedures manual. CC ID 14965 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation disclosing: The intended benefits and uses of the high-risk artificial intelligence system; and 6-1-1702. (2)(b)(IV)]	Operational management	Preventive
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 [{refrain from requiring} Nothing in subsections (2) to (5) and (7) of this section requires a deployer to disclose a trade secret or information protected from disclosure by state or federal law. To the extent that a deployer withholds information pursuant to this subsection (8) or section 6-1-1705 (5), the deployer shall notify the consumer and provide a basis for the withholding. 6-1-1703. (8)]	Operational management	Preventive
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [On and after February 1, 2026, a developer of a high-risk artificial intelligence system shall use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination arising from the intended and contracted uses of the high-risk artificial intelligence system. In any enforcement action brought on or after February 1, 2026, by the attorney general pursuant to section 6-1-1706, there is a rebuttable presumption that a developer used reasonable care as required under this section if the developer complied with this section and any additional requirements or obligations as set forth in rules promulgated by the attorney general pursuant to section 6-1-1707. 6-1-1702. (1) On and after February 1, 2026, a deployer of a high-risk artificial intelligence system shall use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination. In any enforcement action brought on or after February 1, 2026, by the attorney general pursuant to section 6-1-1706, there is a rebuttable presumption that a deployer of a high-risk artificial intelligence system used reasonable care as required under this section if the deployer complied with this section and any additional requirements or obligations as set forth in rules promulgated by the attorney general pursuant to section 6-1-1707. 6-1-1703. (1) If a deployer, or a third party contracted by the deployer, completes an impact assessment for the purpose of complying with another applicable law or regulation, the impact assessment satisfies the requirements established in this subsection (3) if the impact assessment is reasonably similar in scope and effect to the impact assessment that would otherwise be completed pursuant to this subsection (3). 6-1-1703. (3)(e) {high-risk artificial intelligence system} On and after February 1, 2026, the attorney general may require that a developer disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the statement or documentation described in subsection (2) of this section. The attorney general may evaluate such statement or documentation to ensure compliance with this part 17, and the statement or documentation is not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (7), a developer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the statement or documentation includes information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1702. (7) In any action commenced by the attorney general to enforce this part 17, it is an affirmative defense that the developer, deployer, or other person: is otherwise in compliance with: The latest version of the "Artificial Intelligence Risk Management Framework" published by the national institute of standards and technology in the United States department of commerce and standard ISO/IEC 42001 of the International Organization for Standardization; 6-1-1706. (3)(b)(I) In any action commenced by the attorney general to enforce this part 17, it is an affirmative defense that the developer, deployer, or other person: is otherwise in compliance with: Another nationally or internationally recognized risk management framework for artificial intelligence systems, if the standards are substantially equivalent to or more stringent than the requirements of this part 17; or 6-1-1706. (3)(b)(II) In any action commenced by the attorney general to enforce this part 17, it is an affirmative defense that the developer, deployer, or other person: is otherwise in compliance with: Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate and, if designated, shall publicly disseminate. 6-1-1706. (3)(b)(III)]	Operational management	Preventive
Establish, implement, and maintain a customer service program. CC ID 00846	Operational management	Preventive
Include incident monitoring procedures in the Incident Management program. CC ID 01207	Operational management	Preventive
Include incident recovery procedures in the Incident Management program. CC ID 01758	Operational management	Corrective
Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592	Operational management	Preventive
Establish, implement, and maintain a disability accessibility program. CC ID 06191	Operational management	Preventive
Withdraw the technical documentation assessment certificate when the artificial intelligence system is not in compliance with requirements. CC ID 15099	Operational management	Preventive
Define a high-risk artificial intelligence system. CC ID 14959	Operational management	Preventive
Establish, implement, and maintain a declaration of conformity. CC ID 15038	Operational management	Preventive
Include a statement that the artificial intelligence system meets all requirements in the declaration of conformity. CC ID 15100 [A developer, a deployer, or other person bears the burden of demonstrating to the attorney general that the requirements established in subsection (3) of this section have been satisfied. 6-1-1706. (4)]	Operational management	Preventive
Establish and maintain technical documentation. CC ID 15005 [A developer that also serves as a deployer for a high-risk artificial intelligence system is not required to generate the documentation required by this section unless the high-risk artificial intelligence system is provided to an unaffiliated entity acting as a deployer. 6-1-1702. (3)(b) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9)]	Systems design, build, and implementation	Preventive
Retain technical documentation on the premises where the artificial intelligence system is located. CC ID 15104	Systems design, build, and implementation	Preventive
Include the risk mitigation measures in the technical documentation. CC ID 17246 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: The measures the developer has taken to mitigate known or reasonably foreseeable risks of algorithmic discrimination that may arise from the reasonably foreseeable deployment of the high-risk artificial intelligence system; and 6-1-1702. (2)(c)(IV)]	Systems design, build, and implementation	Preventive
Include the intended outputs of the system in the technical documentation. CC ID 17245 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: The intended outputs of the high-risk artificial intelligence system; 6-1-1702. (2)(c)(III) On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: Any additional documentation that is reasonably necessary to assist the deployer in understanding the outputs and monitor the performance of the high-risk artificial intelligence system for risks of algorithmic discrimination. 6-1-1702. (2)(d)]	Systems design, build, and implementation	Preventive
Include the limitations of the system in the technical documentation. CC ID 17242 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation disclosing: Known or reasonably foreseeable limitations of the high-risk artificial intelligence system, including known or reasonably foreseeable risks of algorithmic discrimination arising from the intended uses of the high-risk artificial intelligence system; 6-1-1702. (2)(b)(II)]	Systems design, build, and implementation	Preventive
Include the types of data used to train the artificial intelligence system in the technical documentation. CC ID 17241 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: High-level summaries of the type of data used to train the high-risk artificial intelligence system; 6-1-1702. (2)(b)(I)]	Systems design, build, and implementation	Preventive
Include all required information in the technical documentation. CC ID 15094 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation disclosing: All other information necessary to allow the deployer to comply with the requirements of section 6-1-1703; 6-1-1702. (2)(b)(V)]	Systems design, build, and implementation	Preventive
Include information that demonstrates compliance with requirements in the technical documentation. CC ID 15088	Systems design, build, and implementation	Preventive
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850	Privacy protection for information and data	Preventive
Establish and maintain privacy notices, as necessary. CC ID 13443	Privacy protection for information and data	Preventive
Include the purpose of the privacy notice in the privacy notice. CC ID 13526	Privacy protection for information and data	Preventive
Include the processing purpose in the privacy notice. CC ID 16543	Privacy protection for information and data	Preventive
Include the record types which may not be used or disclosed unless required by law in the privacy notice. CC ID 17258	Privacy protection for information and data	Preventive
Include contact information in the privacy notice. CC ID 14432	Privacy protection for information and data	Preventive
Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503	Privacy protection for information and data	Preventive
Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460	Privacy protection for information and data	Preventive
Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461	Privacy protection for information and data	Preventive
Include the uses or disclosures that require authorizations in the privacy notice. CC ID 17257	Privacy protection for information and data	Preventive
Include prohibitions of use or disclosure in the privacy notice. CC ID 17252	Privacy protection for information and data	Preventive
Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459	Privacy protection for information and data	Preventive
Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455	Privacy protection for information and data	Preventive
Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456	Privacy protection for information and data	Preventive
Include the personal data collection categories in the privacy notice. CC ID 13457	Privacy protection for information and data	Preventive
Include disclosure exceptions in the privacy notice. CC ID 13447	Privacy protection for information and data	Preventive
Include the types of personal data disclosed in the privacy notice. CC ID 13446	Privacy protection for information and data	Preventive
Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458	Privacy protection for information and data	Preventive
Specify the time frame that notice will be given. CC ID 00385	Privacy protection for information and data	Preventive
Include the information about the appeal process in the privacy notice. CC ID 15312	Privacy protection for information and data	Preventive
Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468	Privacy protection for information and data	Preventive
Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464	Privacy protection for information and data	Preventive
Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434	Privacy protection for information and data	Corrective
Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466	Privacy protection for information and data	Preventive
Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472	Privacy protection for information and data	Preventive
Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471	Privacy protection for information and data	Preventive
Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470	Privacy protection for information and data	Preventive
Establish, implement, and maintain opt-out notices. CC ID 13448	Privacy protection for information and data	Preventive
Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465	Privacy protection for information and data	Preventive
Include the opt out method for data subjects in the opt-out notice. CC ID 13467	Privacy protection for information and data	Preventive
Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 [On and after February 1, 2026, and no later than the time that a deployer deploys a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer, the deployer shall: Provide to the consumer information, if applicable, regarding the consumer's right to opt out of the processing of personal data concerning the consumer for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer under section 6-1-1306 (1)(a)(I)(C). 6-1-1703. (4)(a)(III)]	Privacy protection for information and data	Preventive
Explain the right to opt out in the opt-out notice. CC ID 13462	Privacy protection for information and data	Preventive
Include the organization's right to share personal data in the opt-out notice. CC ID 13450	Privacy protection for information and data	Preventive
Provide the data subject with a notice of participation procedures. CC ID 06241	Privacy protection for information and data	Preventive
Publish a description of processing activities in an official register. CC ID 00379	Privacy protection for information and data	Preventive
Establish and maintain a records request manual. CC ID 00381	Privacy protection for information and data	Preventive
Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382	Privacy protection for information and data	Preventive
Define what is included in registration notices. CC ID 00386	Privacy protection for information and data	Preventive
Include the verification method in the registration notice. CC ID 16798	Privacy protection for information and data	Preventive
Include the statutory authority in the registration notice. CC ID 16799	Privacy protection for information and data	Preventive
Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387	Privacy protection for information and data	Preventive
Include a purpose specification description in the registration notice. CC ID 00388	Privacy protection for information and data	Preventive
Include information about the dispute resolution body in the registration notice. CC ID 16800	Privacy protection for information and data	Preventive
Include the data subject category being processed in the registration notice. CC ID 00389	Privacy protection for information and data	Preventive
Include the time period for data processing in the registration notice. CC ID 00390	Privacy protection for information and data	Preventive
Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392	Privacy protection for information and data	Preventive
Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618	Privacy protection for information and data	Preventive
Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394	Privacy protection for information and data	Preventive
Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 [Except as provided in subsection (4)(c)(ii) of this section, a deployer shall provide the notice, statement, contact information, and description required by subsections (4)(a) and (4)(b) of this section: Directly to the consumer; 6-1-1703. (4)(c)(I)(A)]	Privacy protection for information and data	Preventive
Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996	Privacy protection for information and data	Preventive
Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004	Privacy protection for information and data	Preventive
Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003	Privacy protection for information and data	Preventive
Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002	Privacy protection for information and data	Preventive
Specify the purpose of the disclosure in the written consent. CC ID 13001	Privacy protection for information and data	Preventive
Specify which education records may be disclosed in the written consent. CC ID 13000	Privacy protection for information and data	Preventive
Document the conditions when consent is not required to disclose educational data. CC ID 00225	Privacy protection for information and data	Preventive
Record the health and safety threats of students when disclosing personal data. CC ID 12997	Privacy protection for information and data	Preventive
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393	Privacy protection for information and data	Preventive
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397	Privacy protection for information and data	Preventive
Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027	Privacy protection for information and data	Preventive
Establish and maintain a disclosure accounting record. CC ID 13022	Privacy protection for information and data	Preventive
Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029	Privacy protection for information and data	Preventive
Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028	Privacy protection for information and data	Preventive
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680	Privacy protection for information and data	Preventive
Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769	Privacy protection for information and data	Preventive
Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768	Privacy protection for information and data	Preventive
Include the disclosure date in the disclosure accounting record. CC ID 07133	Privacy protection for information and data	Preventive
Include the disclosure recipient in the disclosure accounting record. CC ID 07134	Privacy protection for information and data	Preventive
Include the disclosure purpose in the disclosure accounting record. CC ID 07135	Privacy protection for information and data	Preventive
Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136	Privacy protection for information and data	Preventive
Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137	Privacy protection for information and data	Preventive
Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138	Privacy protection for information and data	Preventive
Include the research activity or research protocol in the disclosure accounting record. CC ID 07139	Privacy protection for information and data	Preventive
Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140	Privacy protection for information and data	Preventive
Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141	Privacy protection for information and data	Preventive
Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586	Privacy protection for information and data	Preventive
Make telephone directory information available to the public. CC ID 08698	Privacy protection for information and data	Preventive
Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data accountability program. CC ID 13432	Privacy protection for information and data	Preventive
Establish, implement, and maintain approval applications. CC ID 16778	Privacy protection for information and data	Preventive
Include required information in the approval application. CC ID 16628	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data use limitation program. CC ID 13428	Privacy protection for information and data	Preventive
Establish, implement, and maintain data disclosure procedures. CC ID 00133 [{high-risk artificial intelligence system} On and after February 1, 2026, the attorney general may require that a developer disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the statement or documentation described in subsection (2) of this section. The attorney general may evaluate such statement or documentation to ensure compliance with this part 17, and the statement or documentation is not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (7), a developer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the statement or documentation includes information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1702. (7)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain data request denial procedures. CC ID 00434	Privacy protection for information and data	Preventive
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953	Privacy protection for information and data	Preventive
Establish, implement, and maintain a data handling program. CC ID 13427	Privacy protection for information and data	Preventive
Establish, implement, and maintain data handling policies. CC ID 00353	Privacy protection for information and data	Preventive
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [{high-risk artificial intelligence system} On and after February 1, 2026, the attorney general may require that a developer disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the statement or documentation described in subsection (2) of this section. The attorney general may evaluate such statement or documentation to ensure compliance with this part 17, and the statement or documentation is not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (7), a developer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the statement or documentation includes information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1702. (7) {high-risk artificial intelligence system} On and after February 1, 2026, the attorney general may require that a developer disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the statement or documentation described in subsection (2) of this section. The attorney general may evaluate such statement or documentation to ensure compliance with this part 17, and the statement or documentation is not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (7), a developer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the statement or documentation includes information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1702. (7) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The sensitivity and volume of data processed in connection with the le="background-color:#F0BBBC;" class="term_primary-noun">high-risk artificial intelligence systems e="background-color:#CBD0E5;" class="term_secondary-verb">deployed by the deployer. 6-1-1703. (2)(a)(IV) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The sensitivity and volume of data processed in connection with the le="background-color:#F0BBBC;" class="term_primary-noun">high-risk artificial intelligence systems e="background-color:#CBD0E5;" class="term_secondary-verb">deployed by the deployer. 6-1-1703. (2)(a)(IV)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain suspicious document procedures. CC ID 04852	Privacy protection for information and data	Detective
Define the appeal process based on the applicable law. CC ID 00506 [On and after February 1, 2026, a deployer that has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer shall, if the consequential decision is adverse to the consumer, provide to the consumer: A statement disclosing the principal reason or reasons for the consequential decision, including: An opportunity to appeal an adverse consequential decision concerning the consumer arising from the deployment of a high-risk artificial intelligence system, which appeal must, if technically feasible, allow for human review unless providing the opportunity for appeal is not in the best interest of the consumer, including in instances in which any delay might pose a risk to the life or safety of such consumer. 6-1-1703. (4)(b)(III)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain organizational documents. CC ID 16202	Harmonization Methods and Manual of Style	Preventive
Write organizational documents using clear and conspicuous language. CC ID 16281 [Except as provided in subsection (4)(c)(ii) of this section, a deployer shall provide the notice, statement, contact information, and description required by subsections (4)(a) and (4)(b) of this section: In plain language; 6-1-1703. (4)(c)(I)(B)]	Harmonization Methods and Manual of Style	Preventive
Write organizational documents using information that is free from bias. CC ID 16341	Harmonization Methods and Manual of Style	Preventive
Structure the language of compliance documents. CC ID 06098	Harmonization Methods and Manual of Style	Preventive
Standardize word usage. CC ID 06104	Harmonization Methods and Manual of Style	Preventive
Write policies and instructions using clear and conspicuous language. CC ID 16286 [Except as provided in subsection (4)(c)(ii) of this section, a deployer shall provide the notice, statement, contact information, and description required by subsections (4)(a) and (4)(b) of this section: In all languages in which the deployer, in the ordinary course of the deployer's business, provides contracts, disclaimers, sale announcements, and other information to consumers; and 6-1-1703. (4)(c)(I)(C)]	Harmonization Methods and Manual of Style	Preventive

Human Resources Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306	Audits and risk management	Detective
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153	Audits and risk management	Preventive
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199	Audits and risk management	Preventive
Implement measures to enable personnel assigned to human oversight to be aware of the possibility of automatically relying or over-relying on outputs to make decisions. CC ID 15091	Operational management	Preventive

IT Impact Zone

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Leadership and high level objectives CC ID 00597	Leadership and high level objectives	IT Impact Zone
Monitoring and measurement CC ID 00636	Monitoring and measurement	IT Impact Zone
Audits and risk management CC ID 00677	Audits and risk management	IT Impact Zone
Operational management CC ID 00805	Operational management	IT Impact Zone
Systems design, build, and implementation CC ID 00989	Systems design, build, and implementation	IT Impact Zone
Privacy protection for information and data CC ID 00008	Privacy protection for information and data	IT Impact Zone
Harmonization Methods and Manual of Style CC ID 06095	Harmonization Methods and Manual of Style	IT Impact Zone

Investigate

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491	Audits and risk management	Detective
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173	Audits and risk management	Detective
Perform an identity check prior to approving an account change request. CC ID 13670	Privacy protection for information and data	Detective

Log Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Log the disclosure of personal data. CC ID 06628	Privacy protection for information and data	Preventive
Log the modification of personal data. CC ID 11844	Privacy protection for information and data	Preventive
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874	Privacy protection for information and data	Detective
Log dates for account name changes or address changes. CC ID 04876	Privacy protection for information and data	Detective

Monitor and Evaluate Occurrences

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Analyze organizational objectives, functions, and activities. CC ID 00598	Leadership and high level objectives	Preventive
Monitor the usage and capacity of critical assets. CC ID 14825	Monitoring and measurement	Detective
Monitor the usage and capacity of Information Technology assets. CC ID 00668 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: How the high-risk artificial intelligence system should be used, not be used, and be monitored by an individual when the high-risk artificial intelligence system is used to make, or is a substantial factor in making, a consequential decision; and 6-1-1702. (2)(c)(V) On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: Any additional documentation that is reasonably necessary to assist the deployer in understanding the outputs and monitor the performance of the high-risk artificial intelligence system for risks of algorithmic discrimination. 6-1-1702. (2)(d)]	Monitoring and measurement	Detective
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726	Monitoring and measurement	Detective
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831	Audits and risk management	Preventive
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828	Audits and risk management	Preventive
Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 [In any action commenced by the attorney general to enforce this part 17, it is an affirmative defense that the developer, deployer, or other person: Discovers and cures a violation of this part 17 as a result of: 6-1-1706. (3)(a)]	Operational management	Detective
Establish, implement, and maintain a post-market monitoring system. CC ID 15050	Operational management	Preventive
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654	Privacy protection for information and data	Preventive
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854	Privacy protection for information and data	Detective
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875	Privacy protection for information and data	Corrective
Review accounts that are changed for additional user requests. CC ID 11846	Privacy protection for information and data	Detective
Review monitored websites for data leakage. CC ID 10593	Privacy protection for information and data	Detective

Physical and Environmental Protection

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Ensure the storage conditions for artificial intelligence systems refrain from compromising compliance. CC ID 15030	Operational management	Detective

Process or Activity

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Correct compliance violations. CC ID 13515 [In any action commenced by the attorney general to enforce this part 17, it is an affirmative defense that the developer, deployer, or other person: Discovers and cures a violation of this part 17 as a result of: 6-1-1706. (3)(a) In any action commenced by the attorney general to enforce this part 17, it is an affirmative defense that the developer, deployer, or other person: discovers and cures a violation of this part 17 as a result of: Feedback that the developer, deployer, or other person encourages deployers or users to provide to the developer, deployer, or other person; 6-1-1706. (3)(a)(I) In any action commenced by the attorney general to enforce this part 17, it is an affirmative defense that the developer, deployer, or other person: discovers and cures a violation of this part 17 as a result of: Adversarial testing or red teaming, as those terms are defined or used by the national institute of standards and technology; or 6-1-1706. (3)(a)(II) In any action commenced by the attorney general to enforce this part 17, it is an affirmative defense that the developer, deployer, or other person: discovers and cures a violation of this part 17 as a result of: An internal review process; and 6-1-1706. (3)(a)(III)]	Monitoring and measurement	Corrective
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830	Audits and risk management	Preventive
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172	Audits and risk management	Detective
Assess the potential level of business impact risk associated with individuals. CC ID 17170	Audits and risk management	Detective
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169	Audits and risk management	Detective
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171	Audits and risk management	Detective
Approve the risk acceptance level, as necessary. CC ID 17168	Audits and risk management	Preventive
Analyze supply chain risk management procedures, as necessary. CC ID 13198	Audits and risk management	Detective
Provide the reasons for adverse decisions made by artificial intelligence systems. CC ID 17253 [On and after February 1, 2026, a deployer that has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer shall, if the consequential decision is adverse to the consumer, provide to the consumer: A statement disclosing the principal reason or reasons for the consequential decision, including: 6-1-1703. (4)(b)(I) On and after February 1, 2026, a deployer that has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer shall, if the consequential decision is adverse to the consumer, provide to the consumer: A statement disclosing the principal reason or reasons for the consequential decision, including: The type of data that was processed by the high-risk artificial intelligence system in making the consequential decision; and 6-1-1703. (4)(b)(I)(B) On and after February 1, 2026, a deployer that has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer shall, if the consequential decision is adverse to the consumer, provide to the consumer: A statement disclosing the principal reason or reasons for the consequential decision, including: The source or sources of the data described in subsection (4)(b)(I)(B) of this section; 6-1-1703. (4)(b)(I)(C)]	Operational management	Preventive
Authorize artificial intelligence systems for use under defined conditions. CC ID 17210 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: How the high-risk artificial intelligence system should be used, not be used, and be monitored by an individual when the high-risk artificial intelligence system is used to make, or is a substantial factor in making, a consequential decision; and 6-1-1702. (2)(c)(V)]	Operational management	Preventive
Discard the outputs of the artificial intelligence system when authorizations are denied. CC ID 17225	Operational management	Preventive
Ensure the artificial intelligence system performs at an acceptable level of accuracy, robustness, and cybersecurity. CC ID 15024	Operational management	Preventive
Take into account the nature of the situation when determining the possibility of using 'real-time’ remote biometric identification systems in publicly accessible spaces for law enforcement. CC ID 15020	Operational management	Preventive
Use a remote biometric identification system under defined conditions. CC ID 15016	Operational management	Preventive
Implement measures to enable personnel assigned to human oversight to intervene or interrupt the operation of the artificial intelligence system. CC ID 15093	Operational management	Preventive
Reassess the designation of artificial intelligence systems. CC ID 17230	Operational management	Preventive
Take into account the consequences for the rights and freedoms of persons when using ‘real-time’ remote biometric identification systems for law enforcement. CC ID 14957	Operational management	Preventive
Allow the use of 'real-time' remote biometric identification systems for law enforcement under defined conditions. CC ID 14955	Operational management	Preventive
Refrain from using remote biometric identification systems under defined conditions. CC ID 14953	Operational management	Preventive
Prohibit the use of artificial intelligence systems under defined conditions. CC ID 14951 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: How the high-risk artificial intelligence system should be used, not be used, and be monitored by an individual when the high-risk artificial intelligence system is used to make, or is a substantial factor in making, a consequential decision; and 6-1-1702. (2)(c)(V)]	Operational management	Preventive
Require a data protection impact assessment when profiling the data subject. CC ID 12680	Privacy protection for information and data	Detective
Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609	Privacy protection for information and data	Preventive
Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588	Privacy protection for information and data	Preventive
Provide the data subject with the data retention period for personal data. CC ID 12587	Privacy protection for information and data	Preventive
Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589	Privacy protection for information and data	Preventive
Provide the data subject with the adequacy decision. CC ID 12586	Privacy protection for information and data	Preventive
Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585	Privacy protection for information and data	Preventive
Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608	Privacy protection for information and data	Preventive
Notify the data subject of the right to data portability. CC ID 12603	Privacy protection for information and data	Preventive
Provide the data subject with information about the right to erasure. CC ID 12602	Privacy protection for information and data	Preventive
Provide shareholders access to electronic messages via electronic means. CC ID 11855	Privacy protection for information and data	Preventive
Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614	Privacy protection for information and data	Preventive
Approve the approval application unless applicant has been convicted. CC ID 16603	Privacy protection for information and data	Preventive
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [{high-risk artificial intelligence system} On and after February 1, 2026, the attorney general may require that a developer disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the statement or documentation described in subsection (2) of this section. The attorney general may evaluate such statement or documentation to ensure compliance with this part 17, and the statement or documentation is not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (7), a developer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the statement or documentation includes information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1702. (7)]	Privacy protection for information and data	Preventive
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702	Privacy protection for information and data	Preventive
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700	Privacy protection for information and data	Preventive
Search the Internet for evidence of data leakage. CC ID 10419	Privacy protection for information and data	Detective
Alert appropriate personnel when data leakage is detected. CC ID 14715	Privacy protection for information and data	Preventive
Take appropriate action when a data leakage is discovered. CC ID 14716	Privacy protection for information and data	Corrective
Define the fee structure for the appeal process. CC ID 16532	Privacy protection for information and data	Preventive
Define the time requirements for the appeal process. CC ID 16531	Privacy protection for information and data	Preventive

Records Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Retain records in accordance with applicable requirements. CC ID 00968 [A deployer shall maintain the most recently completed impact assessment for a high-risk artificial intelligence system as required under this subsection (3), all records concerning each impact assessment, and all prior impact assessments, if any, for at least three years following the final deployment of the high-risk artificial intelligence system. 6-1-1703. (3)(f) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9)]	Records management	Preventive
Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025	Privacy protection for information and data	Preventive
Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019	Privacy protection for information and data	Preventive
Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998	Privacy protection for information and data	Corrective
Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020	Privacy protection for information and data	Corrective
Grant access to education records in support of educational program audits. CC ID 13032	Privacy protection for information and data	Preventive
Grant access to education records in support of external requirements. CC ID 13033	Privacy protection for information and data	Preventive

Systems Design, Build, and Implementation

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain an artificial intelligence system. CC ID 14943 [{risk management program} On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer of a high-risk artificial intelligence system shall implement a risk management policy and program to govern the deployer's deployment of the high-risk artificial intelligence system. The risk management policy and program must specify and incorporate the principles, processes, and personnel that the deployer uses to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination. The risk management policy and program must be an iterative process planned, implemented, and regularly and systematically reviewed and updated over the life cycle of a high-risk artificial intelligence system, requiring regular, systematic review and updates. A risk management policy and program implemented and maintained pursuant to this subsection (2) must be reasonable considering: 6-1-1703. (2)(a) {high-risk artificial intelligence system} A developer shall update the statement described in subsection (4)(a) of this section: 6-1-1702. (4)(b)]	Operational management	Preventive
Include mitigation measures to address biased output during the development of artificial intelligence systems. CC ID 15047	Operational management	Corrective
Implement an acceptable level of accuracy, robustness, and cybersecurity in the development of artificial intelligence systems. CC ID 15022	Operational management	Preventive
Develop artificial intelligence systems involving the training of models with data sets that meet the quality criteria. CC ID 14996	Operational management	Preventive

Technical Security

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Correct or mitigate vulnerabilities. CC ID 12497 [{risk management program} On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer of a high-risk artificial intelligence system shall implement a risk management policy and program to govern the deployer's deployment of the high-risk artificial intelligence system. The risk management policy and program must specify and incorporate the principles, processes, and personnel that the deployer uses to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination. The risk management policy and program must be an iterative process planned, implemented, and regularly and systematically reviewed and updated over the life cycle of a high-risk artificial intelligence system, requiring regular, systematic review and updates. A risk management policy and program implemented and maintained pursuant to this subsection (2) must be reasonable considering: 6-1-1703. (2)(a)]	Monitoring and measurement	Corrective
Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859	Monitoring and measurement	Corrective
Analyze the organization's information security environment. CC ID 13122	Audits and risk management	Preventive
Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014	Privacy protection for information and data	Preventive
Display warning screens and confirmation screens for all payment transactions. CC ID 06409	Privacy protection for information and data	Preventive
Protect electronic messaging information. CC ID 12022	Privacy protection for information and data	Preventive
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952	Privacy protection for information and data	Preventive
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850	Privacy protection for information and data	Preventive
Implement security measures to protect personal data. CC ID 13606	Privacy protection for information and data	Preventive

Testing

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Follow disability accessibility standards when designing and building content. CC ID 06193 [{be accessible} Except as provided in subsection (4)(c)(ii) of this section, a deployer shall provide the notice, statement, contact information, and description required by subsections (4)(a) and (4)(b) of this section: In a format that is accessible to consumers with disabilities. 6-1-1703. (4)(c)(I)(D)]	Operational management	Detective
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757	Privacy protection for information and data	Detective
Implement physical controls to protect personal data. CC ID 00355	Privacy protection for information and data	Preventive
Conduct personal data risk assessments. CC ID 00357	Privacy protection for information and data	Detective

Common Controls and
mandates by Classification 65 Mandated Controls - bold
43 Implied Controls - italic 411 Implementation

Number of Controls

519 Total

Corrective

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771	Leadership and high level objectives	Establish/Maintain Documentation
Report errors and faults to the appropriate personnel, as necessary. CC ID 14296	Monitoring and measurement	Communicate
Correct or mitigate vulnerabilities. CC ID 12497 [{risk management program} On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer of a high-risk artificial intelligence system shall implement a risk management policy and program to govern the deployer's deployment of the high-risk artificial intelligence system. The risk management policy and program must specify and incorporate the principles, processes, and personnel that the deployer uses to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination. The risk management policy and program must be an iterative process planned, implemented, and regularly and systematically reviewed and updated over the life cycle of a high-risk artificial intelligence system, requiring regular, systematic review and updates. A risk management policy and program implemented and maintained pursuant to this subsection (2) must be reasonable considering: 6-1-1703. (2)(a)]	Monitoring and measurement	Technical Security
Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859	Monitoring and measurement	Technical Security
Correct compliance violations. CC ID 13515 [In any action commenced by the attorney general to enforce this part 17, it is an affirmative defense that the developer, deployer, or other person: Discovers and cures a violation of this part 17 as a result of: 6-1-1706. (3)(a) In any action commenced by the attorney general to enforce this part 17, it is an affirmative defense that the developer, deployer, or other person: discovers and cures a violation of this part 17 as a result of: Feedback that the developer, deployer, or other person encourages deployers or users to provide to the developer, deployer, or other person; 6-1-1706. (3)(a)(I) In any action commenced by the attorney general to enforce this part 17, it is an affirmative defense that the developer, deployer, or other person: discovers and cures a violation of this part 17 as a result of: Adversarial testing or red teaming, as those terms are defined or used by the national institute of standards and technology; or 6-1-1706. (3)(a)(II) In any action commenced by the attorney general to enforce this part 17, it is an affirmative defense that the developer, deployer, or other person: discovers and cures a violation of this part 17 as a result of: An internal review process; and 6-1-1706. (3)(a)(III)]	Monitoring and measurement	Process or Activity
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571	Audits and risk management	Acquisition/Sale of Assets or Services
Document residual risk in a residual risk report. CC ID 13664	Audits and risk management	Establish/Maintain Documentation
Include incident recovery procedures in the Incident Management program. CC ID 01758	Operational management	Establish/Maintain Documentation
Include mitigation measures to address biased output during the development of artificial intelligence systems. CC ID 15047	Operational management	Systems Design, Build, and Implementation
Withdraw authorizations that are unjustified. CC ID 15035	Operational management	Business Processes
Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434	Privacy protection for information and data	Establish/Maintain Documentation
Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998	Privacy protection for information and data	Records Management
Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020	Privacy protection for information and data	Records Management
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675	Privacy protection for information and data	Communicate
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875	Privacy protection for information and data	Monitor and Evaluate Occurrences
Take appropriate action when a data leakage is discovered. CC ID 14716	Privacy protection for information and data	Process or Activity
Change or destroy any personal data that is incorrect. CC ID 00462 [On and after February 1, 2026, a deployer that has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer shall, if the consequential decision is adverse to the consumer, provide to the consumer: A statement disclosing the principal reason or reasons for the consequential decision, including: An opportunity to correct any incorrect personal data that the high-risk artificial intelligence system processed in making, or as a substantial factor in making, the consequential decision; and 6-1-1703. (4)(b)(II)]	Privacy protection for information and data	Data and Information Management
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463	Privacy protection for information and data	Behavior
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465	Privacy protection for information and data	Data and Information Management

Detective

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Analyze organizational policies, as necessary. CC ID 14037	Leadership and high level objectives	Establish/Maintain Documentation
Monitor the usage and capacity of critical assets. CC ID 14825	Monitoring and measurement	Monitor and Evaluate Occurrences
Monitor the usage and capacity of Information Technology assets. CC ID 00668 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: How the high-risk artificial intelligence system should be used, not be used, and be monitored by an individual when the high-risk artificial intelligence system is used to make, or is a substantial factor in making, a consequential decision; and 6-1-1702. (2)(c)(V) On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: Any additional documentation that is reasonably necessary to assist the deployer in understanding the outputs and monitor the performance of the high-risk artificial intelligence system for risks of algorithmic discrimination. 6-1-1702. (2)(d)]	Monitoring and measurement	Monitor and Evaluate Occurrences
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726	Monitoring and measurement	Monitor and Evaluate Occurrences
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336	Audits and risk management	Business Processes
Analyze the risk management strategy for addressing threats. CC ID 12925 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: How the high-risk artificial intelligence system was evaluated for performance and mitigation of algorithmic discrimination before the high-risk artificial intelligence system was offered, sold, leased, licensed, given, or otherwise made available to the deployer; 6-1-1702. (2)(c)(I)]	Audits and risk management	Audits and Risk Management
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306	Audits and risk management	Human Resources Management
Review the risk profiles, as necessary. CC ID 16561	Audits and risk management	Audits and Risk Management
Conduct external audits of risk assessments, as necessary. CC ID 13308	Audits and risk management	Audits and Risk Management
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491	Audits and risk management	Investigate
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172	Audits and risk management	Process or Activity
Assess the potential level of business impact risk associated with individuals. CC ID 17170	Audits and risk management	Process or Activity
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173	Audits and risk management	Investigate
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169	Audits and risk management	Process or Activity
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335	Audits and risk management	Audits and Risk Management
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171	Audits and risk management	Process or Activity
Analyze the impact of artificial intelligence systems on society. CC ID 16317	Audits and risk management	Audits and Risk Management
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316	Audits and risk management	Audits and Risk Management
Analyze supply chain risk management procedures, as necessary. CC ID 13198	Audits and risk management	Process or Activity
Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 [In any action commenced by the attorney general to enforce this part 17, it is an affirmative defense that the developer, deployer, or other person: Discovers and cures a violation of this part 17 as a result of: 6-1-1706. (3)(a)]	Operational management	Monitor and Evaluate Occurrences
Follow disability accessibility standards when designing and building content. CC ID 06193 [{be accessible} Except as provided in subsection (4)(c)(ii) of this section, a deployer shall provide the notice, statement, contact information, and description required by subsections (4)(a) and (4)(b) of this section: In a format that is accessible to consumers with disabilities. 6-1-1703. (4)(c)(I)(D)]	Operational management	Testing
Assess the trustworthiness of artificial intelligence systems. CC ID 16319	Operational management	Business Processes
Ensure the transport conditions for artificial intelligence systems refrain from compromising compliance. CC ID 15031	Operational management	Business Processes
Ensure the storage conditions for artificial intelligence systems refrain from compromising compliance. CC ID 15030	Operational management	Physical and Environmental Protection
Require a data protection impact assessment when profiling the data subject. CC ID 12680	Privacy protection for information and data	Process or Activity
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446	Privacy protection for information and data	Data and Information Management
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757	Privacy protection for information and data	Testing
Conduct personal data risk assessments. CC ID 00357	Privacy protection for information and data	Testing
Establish, implement, and maintain suspicious document procedures. CC ID 04852	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853	Privacy protection for information and data	Data and Information Management
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854	Privacy protection for information and data	Monitor and Evaluate Occurrences
Perform an identity check prior to approving an account change request. CC ID 13670	Privacy protection for information and data	Investigate
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857	Privacy protection for information and data	Behavior
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873	Privacy protection for information and data	Data and Information Management
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874	Privacy protection for information and data	Log Management
Log dates for account name changes or address changes. CC ID 04876	Privacy protection for information and data	Log Management
Review accounts that are changed for additional user requests. CC ID 11846	Privacy protection for information and data	Monitor and Evaluate Occurrences
Send change notices for change of address requests to the old address and the new address. CC ID 04877	Privacy protection for information and data	Data and Information Management
Search the Internet for evidence of data leakage. CC ID 10419	Privacy protection for information and data	Process or Activity
Review monitored websites for data leakage. CC ID 10593	Privacy protection for information and data	Monitor and Evaluate Occurrences

IT Impact Zone

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Leadership and high level objectives CC ID 00597	Leadership and high level objectives	IT Impact Zone
Monitoring and measurement CC ID 00636	Monitoring and measurement	IT Impact Zone
Audits and risk management CC ID 00677	Audits and risk management	IT Impact Zone
Operational management CC ID 00805	Operational management	IT Impact Zone
Systems design, build, and implementation CC ID 00989	Systems design, build, and implementation	IT Impact Zone
Privacy protection for information and data CC ID 00008	Privacy protection for information and data	IT Impact Zone
Harmonization Methods and Manual of Style CC ID 06095	Harmonization Methods and Manual of Style	IT Impact Zone

Preventive

452

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Analyze organizational objectives, functions, and activities. CC ID 00598	Leadership and high level objectives	Monitor and Evaluate Occurrences
Establish, implement, and maintain data governance and management practices. CC ID 14998 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: The data governance measures used to cover the training datasets and the measures used to examine the suitability of data sources, possible biases, and appropriate mitigation; 6-1-1702. (2)(c)(II)]	Leadership and high level objectives	Establish/Maintain Documentation
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087	Leadership and high level objectives	Establish/Maintain Documentation
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086	Leadership and high level objectives	Establish/Maintain Documentation
Include bias for data sets in the data governance and management practices. CC ID 15085 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: The data governance measures used to cover the training datasets and the measures used to examine the suitability of data sources, possible biases, and appropriate mitigation; 6-1-1702. (2)(c)(II)]	Leadership and high level objectives	Establish/Maintain Documentation
Include the data source in the data governance and management practices. CC ID 17211	Leadership and high level objectives	Data and Information Management
Include a data strategy in the data governance and management practices. CC ID 15304	Leadership and high level objectives	Establish/Maintain Documentation
Include data monitoring in the data governance and management practices. CC ID 15303	Leadership and high level objectives	Establish/Maintain Documentation
Include an assessment of the data sets in the data governance and management practices. CC ID 15084	Leadership and high level objectives	Establish/Maintain Documentation
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083	Leadership and high level objectives	Establish/Maintain Documentation
Include data collection for data sets in the data governance and management practices. CC ID 15082	Leadership and high level objectives	Establish/Maintain Documentation
Include data preparations for data sets in the data governance and management practices. CC ID 15081 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: The data governance measures used to cover the training datasets and the measures used to examine the suitability of data sources, possible biases, and appropriate mitigation; 6-1-1702. (2)(c)(II)]	Leadership and high level objectives	Establish/Maintain Documentation
Include design choices for data sets in the data governance and management practices. CC ID 15080	Leadership and high level objectives	Establish/Maintain Documentation
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 [The attorney general may promulgate rules as necessary for the purpose of implementing and enforcing this part 17, including: 6-1-1707. (1)]	Leadership and high level objectives	Establish/Maintain Documentation
Include contact information in the organization's policies, standards, and procedures. CC ID 17167 [On and after February 1, 2026, and no later than the time that a deployer deploys a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer, the deployer shall: Provide to the consumer a statement disclosing the purpose of the high-risk artificial intelligence system and the nature of the consequential decision; the contact information for the deployer; a description, in plain language, of the high-risk artificial intelligence system; and instructions on how to access the statement required by subsection (5)(a) of this section; and 6-1-1703. (4)(a)(II)]	Leadership and high level objectives	Establish/Maintain Documentation
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 [The attorney general may promulgate rules as necessary for the purpose of implementing and enforcing this part 17, including: The documentation and requirements for developers pursuant to section 6-1-1702 (2); 6-1-1707. (1)(a) The attorney general may promulgate rules as necessary for the purpose of implementing and enforcing this part 17, including: The contents of and requirements for the notices and disclosures required by sections 6-1-1702 (5) and (7); 6-1-1703 (4), (5), (7), and (9); and 6-1-1704; 6-1-1707. (1)(b)]	Leadership and high level objectives	Establish/Maintain Documentation
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824	Leadership and high level objectives	Business Processes
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778	Leadership and high level objectives	Establish/Maintain Documentation
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774	Leadership and high level objectives	Establish/Maintain Documentation
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773	Leadership and high level objectives	Establish/Maintain Documentation
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772	Leadership and high level objectives	Establish/Maintain Documentation
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329	Leadership and high level objectives	Establish/Maintain Documentation
Include when exemptions expire in the compliance exception standard. CC ID 14330	Leadership and high level objectives	Establish/Maintain Documentation
Include management of the exemption register in the compliance exception standard. CC ID 14328	Leadership and high level objectives	Establish/Maintain Documentation
Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945	Leadership and high level objectives	Communicate
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671	Monitoring and measurement	Establish/Maintain Documentation
Establish, implement, and maintain a metrics policy. CC ID 01654	Monitoring and measurement	Establish/Maintain Documentation
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653	Monitoring and measurement	Establish/Maintain Documentation
Establish, implement, and maintain a risk management program. CC ID 12051 [{risk management program} On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer of a high-risk artificial intelligence system shall implement a risk management policy and program to govern the deployer's deployment of the high-risk artificial intelligence system. The risk management policy and program must specify and incorporate the principles, processes, and personnel that the deployer uses to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination. The risk management policy and program must be an iterative process planned, implemented, and regularly and systematically reviewed and updated over the life cycle of a high-risk artificial intelligence system, requiring regular, systematic review and updates. A risk management policy and program implemented and maintained pursuant to this subsection (2) must be reasonable considering: 6-1-1703. (2)(a) {risk management program} On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer of a high-risk artificial intelligence system shall implement a risk management policy and program to govern the deployer's deployment of the high-risk artificial intelligence system. The risk management policy and program must specify and incorporate the principles, processes, and personnel that the deployer uses to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination. The risk management policy and program must be an iterative process planned, implemented, and regularly and systematically reviewed and updated over the life cycle of a high-risk artificial intelligence system, requiring regular, systematic review and updates. A risk management policy and program implemented and maintained pursuant to this subsection (2) must be reasonable considering: 6-1-1703. (2)(a) {risk management program} The attorney general may promulgate rules as necessary for the purpose of implementing and enforcing this part 17, including: The content and requirements of the risk management policy and program required by section 6-1-1703 (2); 6-1-1707. (1)(c)]	Audits and risk management	Establish/Maintain Documentation
Include the scope of risk management activities in the risk management program. CC ID 13658	Audits and risk management	Establish/Maintain Documentation
Integrate the risk management program with the organization's business activities. CC ID 13661	Audits and risk management	Business Processes
Integrate the risk management program into daily business decision-making. CC ID 13659	Audits and risk management	Business Processes
Include managing mobile risks in the risk management program. CC ID 13535	Audits and risk management	Establish/Maintain Documentation
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992	Audits and risk management	Audits and Risk Management
Include regular updating in the risk management system. CC ID 14990	Audits and risk management	Business Processes
Establish, implement, and maintain a risk management policy. CC ID 17192 [{risk management program} On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer of a high-risk artificial intelligence system shall implement a risk management policy and program to govern the deployer's deployment of the high-risk artificial intelligence system. The risk management policy and program must specify and incorporate the principles, processes, and personnel that the deployer uses to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination. The risk management policy and program must be an iterative process planned, implemented, and regularly and systematically reviewed and updated over the life cycle of a high-risk artificial intelligence system, requiring regular, systematic review and updates. A risk management policy and program implemented and maintained pursuant to this subsection (2) must be reasonable considering: 6-1-1703. (2)(a) {risk management program} The attorney general may promulgate rules as necessary for the purpose of implementing and enforcing this part 17, including: The content and requirements of the risk management policy and program required by section 6-1-1703 (2); 6-1-1707. (1)(c) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9)]	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain risk management strategies. CC ID 13209 [{risk management program} On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer of a high-risk artificial intelligence system shall implement a risk management policy and program to govern the deployer's deployment of the high-risk artificial intelligence system. The risk management policy and program must specify and incorporate the principles, processes, and personnel that the deployer uses to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination. The risk management policy and program must be an iterative process planned, implemented, and regularly and systematically reviewed and updated over the life cycle of a high-risk artificial intelligence system, requiring regular, systematic review and updates. A risk management policy and program implemented and maintained pursuant to this subsection (2) must be reasonable considering: 6-1-1703. (2)(a)]	Audits and risk management	Establish/Maintain Documentation
Include off-site storage of supplies in the risk management strategies. CC ID 13221	Audits and risk management	Establish/Maintain Documentation
Include data quality in the risk management strategies. CC ID 15308	Audits and risk management	Data and Information Management
Include minimizing service interruptions in the risk management strategies. CC ID 13215	Audits and risk management	Establish/Maintain Documentation
Include off-site storage in the risk mitigation strategies. CC ID 13213	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain the risk assessment framework. CC ID 00685	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain a risk assessment program. CC ID 00687	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain insurance requirements. CC ID 16562	Audits and risk management	Establish/Maintain Documentation
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572	Audits and risk management	Communicate
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567	Audits and risk management	Communicate
Address cybersecurity risks in the risk assessment program. CC ID 13193	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 [Except as provided in subsections (3)(d), (3)(e), and (6) of this section: On and after February 1, 2026, a deployer, or a third party contracted by the deployer, shall complete an impact assessment for a deployed high-risk artificial intelligence system at least annually and within ninety days after any intentional and substantial modification to the high-risk artificial intelligence system is made available. 6-1-1703. (3)(a)(II) Except as provided in subsections (3)(d), (3)(e), and (6) of this section: A deployer, or a third party contracted by the deployer, that deploys a high-risk artificial intelligence system on or after February 1, 2026, shall complete an impact assessment for the high-risk artificial intelligence system; and 6-1-1703. (3)(a)(I) Except as provided in subsection (6) of this section, a developer that offers, sells, leases, licenses, gives, or otherwise makes available to a deployer or other developer a high-risk artificial intelligence system on or after February 1, 2026, shall make available to the deployer or other developer, to the extent feasible, the documentation and information, through artifacts such as model cards, dataset cards, or other impact assessments, necessary for a deployer, or for a third party contracted by a deployer, to complete an impact assessment pursuant to section 6-1-1703 (3). 6-1-1702. (3)(a) An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: An analysis of whether the deployment of the high-risk artificial intelligence system poses any known or reasonably foreseeable risks of algorithmic discrimination and, if so, the nature of the algorithmic discrimination and the steps that have been taken to mitigate the risks; 6-1-1703. (3)(b)(II) The attorney general may promulgate rules as necessary for the purpose of implementing and enforcing this part 17, including: The content and requirements of the impact assessments required by section 6-1-1703 (3); 6-1-1707. (1)(d) A single impact assessment may address a comparable set of high-risk artificial intelligence systems deployed by a deployer. 6-1-1703. (3)(d) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9)]	Audits and risk management	Audits and Risk Management
Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: If the deployer used data to customize the high-risk artificial intelligence system, an overview of the categories of data the deployer used to customize the high-risk artificial intelligence system; 6-1-1703. (3)(b)(IV) An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A description of the categories of data the high-risk artificial intelligence system processes as inputs and the outputs the high-risk artificial intelligence system produces; 6-1-1703. (3)(b)(III)]	Audits and risk management	Establish/Maintain Documentation
Include metrics in the fundamental rights impact assessment. CC ID 17249 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: Any metrics used to evaluate the performance and known limitations of the high-risk artificial intelligence system; 6-1-1703. (3)(b)(V)]	Audits and risk management	Establish/Maintain Documentation
Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A statement by the deployer disclosing the purpose, intended use cases, and deployment context of, and benefits afforded by, the high-risk artificial intelligence system; 6-1-1703. (3)(b)(I)]	Audits and risk management	Establish/Maintain Documentation
Include user safeguards in the fundamental rights impact assessment. CC ID 17255 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A description of the post-deployment monitoring and user safeguards provided concerning the high-risk artificial intelligence system, including the oversight, use, and learning process established by the deployer to address issues arising from the deployment of the high-risk artificial intelligence system. 6-1-1703. (3)(b)(VII)]	Audits and risk management	Establish/Maintain Documentation
Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A description of the categories of data the high-risk artificial intelligence system processes as inputs and the outputs the high-risk artificial intelligence system produces; 6-1-1703. (3)(b)(III)]	Audits and risk management	Establish/Maintain Documentation
Include the purpose in the fundamental rights impact assessment. CC ID 17243 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A statement by the deployer disclosing the purpose, intended use cases, and deployment context of, and benefits afforded by, the high-risk artificial intelligence system; 6-1-1703. (3)(b)(I)]	Audits and risk management	Establish/Maintain Documentation
Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A description of the post-deployment monitoring and user safeguards provided concerning the high-risk artificial intelligence system, including the oversight, use, and learning process established by the deployer to address issues arising from the deployment of the high-risk artificial intelligence system. 6-1-1703. (3)(b)(VII)]	Audits and risk management	Establish/Maintain Documentation
Include risk management measures in the fundamental rights impact assessment. CC ID 17224 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: An analysis of whether the deployment of the high-risk artificial intelligence system poses any known or reasonably foreseeable risks of algorithmic discrimination and, if so, the nature of the algorithmic discrimination and the steps that have been taken to mitigate the risks; 6-1-1703. (3)(b)(II)]	Audits and risk management	Establish/Maintain Documentation
Include human oversight measures in the fundamental rights impact assessment. CC ID 17223	Audits and risk management	Establish/Maintain Documentation
Include risks in the fundamental rights impact assessment. CC ID 17222 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: An analysis of whether the deployment of the high-risk artificial intelligence system poses any known or reasonably foreseeable risks of algorithmic discrimination and, if so, the nature of the algorithmic discrimination and the steps that have been taken to mitigate the risks; 6-1-1703. (3)(b)(II)]	Audits and risk management	Establish/Maintain Documentation
Include affected parties in the fundamental rights impact assessment. CC ID 17221	Audits and risk management	Establish/Maintain Documentation
Include the frequency in the fundamental rights impact assessment. CC ID 17220	Audits and risk management	Establish/Maintain Documentation
Include the usage duration in the fundamental rights impact assessment. CC ID 17219	Audits and risk management	Establish/Maintain Documentation
Include system use in the fundamental rights impact assessment. CC ID 17218 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A statement by the deployer disclosing the purpose, intended use cases, and deployment context of, and benefits afforded by, the high-risk artificial intelligence system; 6-1-1703. (3)(b)(I) An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A statement by the deployer disclosing the purpose, intended use cases, and deployment context of, and benefits afforded by, the high-risk artificial intelligence system; 6-1-1703. (3)(b)(I) In addition to the information required under subsection (3)(b) of this section, an impact assessment completed pursuant to this subsection (3) following an intentional and substantial modification to a high-risk artificial intelligence system on or after February 1, 2026, must include a statement disclosing the extent to which the high-risk artificial intelligence system was used in a manner that was consistent with, or varied from, the developer's intended uses of the high-risk artificial intelligence system. 6-1-1703. (3)(c)]	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830	Audits and risk management	Process or Activity
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371	Audits and risk management	Establish/Maintain Documentation
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313	Audits and risk management	Communicate
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain a risk assessment policy. CC ID 14026	Audits and risk management	Establish/Maintain Documentation
Include compliance requirements in the risk assessment policy. CC ID 14121	Audits and risk management	Establish/Maintain Documentation
Include coordination amongst entities in the risk assessment policy. CC ID 14120	Audits and risk management	Establish/Maintain Documentation
Include management commitment in the risk assessment policy. CC ID 14119	Audits and risk management	Establish/Maintain Documentation
Include roles and responsibilities in the risk assessment policy. CC ID 14118	Audits and risk management	Establish/Maintain Documentation
Include the scope in the risk assessment policy. CC ID 14117	Audits and risk management	Establish/Maintain Documentation
Include the purpose in the risk assessment policy. CC ID 14116	Audits and risk management	Establish/Maintain Documentation
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115	Audits and risk management	Communicate
Analyze the organization's information security environment. CC ID 13122	Audits and risk management	Technical Security
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153	Audits and risk management	Human Resources Management
Employ risk assessment procedures that take into account risk factors. CC ID 16560	Audits and risk management	Audits and Risk Management
Approve the threat and risk classification scheme. CC ID 15693	Audits and risk management	Business Processes
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136	Audits and risk management	Communicate
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241	Audits and risk management	Establish/Maintain Documentation
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312	Audits and risk management	Establish/Maintain Documentation
Create a risk assessment report based on the risk assessment results. CC ID 15695	Audits and risk management	Establish/Maintain Documentation
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313	Audits and risk management	Communicate
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224	Audits and risk management	Establish/Maintain Documentation
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264	Audits and risk management	Establish/Maintain Documentation
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223	Audits and risk management	Establish/Maintain Documentation
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222	Audits and risk management	Establish/Maintain Documentation
Include pandemic risks in the Business Impact Analysis. CC ID 13219	Audits and risk management	Establish/Maintain Documentation
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300	Audits and risk management	Communicate
Establish, implement, and maintain a risk register. CC ID 14828	Audits and risk management	Establish/Maintain Documentation
Approve the risk acceptance level, as necessary. CC ID 17168	Audits and risk management	Process or Activity
Document the results of the gap analysis. CC ID 16271	Audits and risk management	Establish/Maintain Documentation
Include roles and responsibilities in the risk treatment plan. CC ID 16991	Audits and risk management	Establish/Maintain Documentation
Include time information in the risk treatment plan. CC ID 16993	Audits and risk management	Establish/Maintain Documentation
Include allocation of resources in the risk treatment plan. CC ID 16989	Audits and risk management	Establish/Maintain Documentation
Include the date of the risk assessment in the risk treatment plan. CC ID 16321	Audits and risk management	Establish/Maintain Documentation
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320	Audits and risk management	Audits and Risk Management
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620	Audits and risk management	Establish/Maintain Documentation
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619	Audits and risk management	Establish/Maintain Documentation
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694	Audits and risk management	Communicate
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672	Audits and risk management	Business Processes
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 [On and after February 1, 2026, a developer of a high-risk artificial intelligence system shall use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination arising from the intended and contracted uses of the high-risk artificial intelligence system. In any enforcement action brought on or after February 1, 2026, by the attorney general pursuant to section 6-1-1706, there is a rebuttable presumption that a developer used reasonable care as required under this section if the developer complied with this section and any additional requirements or obligations as set forth in rules promulgated by the attorney general pursuant to section 6-1-1707. 6-1-1702. (1) {risk management program} On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer of a high-risk artificial intelligence system shall implement a risk management policy and program to govern the deployer's deployment of the high-risk artificial intelligence system. The risk management policy and program must specify and incorporate the principles, processes, and personnel that the deployer uses to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination. The risk management policy and program must be an iterative process planned, implemented, and regularly and systematically reviewed and updated over the life cycle of a high-risk artificial intelligence system, requiring regular, systematic review and updates. A risk management policy and program implemented and maintained pursuant to this subsection (2) must be reasonable considering: 6-1-1703. (2)(a) On and after February 1, 2026, a deployer of a high-risk artificial intelligence system shall use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination. In any enforcement action brought on or after February 1, 2026, by the attorney general pursuant to section 6-1-1706, there is a rebuttable presumption that a deployer of a high-risk artificial intelligence system used reasonable care as required under this section if the deployer complied with this section and any additional requirements or obligations as set forth in rules promulgated by the attorney general pursuant to section 6-1-1707. 6-1-1703. (1) On and after February 1, 2026, a developer shall make available, in a manner that is clear and readily available on the developer's website or in a public use case inventory, a statement summarizing: How the developer manages known or reasonably foreseeable risks of algorithmic discrimination that may arise from the development or intentional and substantial modification of the types of high-risk artificial intelligence systems described in accordance with subsection (4)(a)(I) of this section. 6-1-1702. (4)(a)(II) On and after February 1, 2026, a developer of a high-risk artificial intelligence system shall disclose to the attorney general, in a form and manner prescribed by the attorney general, and to all known deployers or other developers of the high-risk artificial intelligence system, any known or reasonably foreseeable risks of algorithmic discrimination arising from the intended uses of the high-risk artificial intelligence system without unreasonable delay but no later than ninety days after the date on which: 6-1-1702. (5) The attorney general may promulgate rules as necessary for the purpose of implementing and enforcing this part 17, including: The requirements for the affirmative defense set forth in section 6-1-1706 (3), including the process by which the attorney general will recognize any other nationally or internationally recognized risk management framework for artificial intelligence systems. 6-1-1707. (1)(f) {algorithmic discrimination} {risk management} The attorney general may promulgate rules as necessary for the purpose of implementing and enforcing this part 17, including: The requirements for the rebuttable presumptions set forth in sections 6-1-1702 and 6-1-1703; and 6-1-1707. (1)(e) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The size and un">complexityspan> of the deployer; 6-1-1703. (2)(a)(II) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The nature and scope of the rm_primary-noun">high-risk artificial intelligence systems deployed by the deployer, including the intended uses of the high-risk artificial intelligence systems; and 6-1-1703. (2)(a)(III) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The nature and scope of the rm_primary-noun">high-risk artificial intelligence systems deployed by the deployer, including the intended uses of the high-risk artificial intelligence systems; and 6-1-1703. (2)(a)(III) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The sensitivity and volume of data processed in connection with the le="background-color:#F0BBBC;" class="term_primary-noun">high-risk artificial intelligence systems e="background-color:#CBD0E5;" class="term_secondary-verb">deployed by the deployer. 6-1-1703. (2)(a)(IV) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The sensitivity and volume of data processed in connection with the le="background-color:#F0BBBC;" class="term_primary-noun">high-risk artificial intelligence systems e="background-color:#CBD0E5;" class="term_secondary-verb">deployed by the deployer. 6-1-1703. (2)(a)(IV)]	Audits and risk management	Establish/Maintain Documentation
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255	Audits and risk management	Establish/Maintain Documentation
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356	Audits and risk management	Business Processes
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827	Audits and risk management	Audits and Risk Management
Include a commitment to continuous improvement In the cybersecurity risk management program. CC ID 16839	Audits and risk management	Establish/Maintain Documentation
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831	Audits and risk management	Monitor and Evaluate Occurrences
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834	Audits and risk management	Establish/Maintain Documentation
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832	Audits and risk management	Communicate
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829	Audits and risk management	Communicate
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276	Audits and risk management	Establish/Maintain Documentation
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582	Audits and risk management	Establish/Maintain Documentation
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825	Audits and risk management	Communicate
Acquire cyber insurance, as necessary. CC ID 12693	Audits and risk management	Business Processes
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830	Audits and risk management	Establish/Maintain Documentation
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828	Audits and risk management	Monitor and Evaluate Occurrences
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663	Audits and risk management	Establish/Maintain Documentation
Include compliance requirements in the supply chain risk management policy. CC ID 14711	Audits and risk management	Establish/Maintain Documentation
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710	Audits and risk management	Establish/Maintain Documentation
Include management commitment in the supply chain risk management policy. CC ID 14709	Audits and risk management	Establish/Maintain Documentation
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708	Audits and risk management	Establish/Maintain Documentation
Include the scope in the supply chain risk management policy. CC ID 14707	Audits and risk management	Establish/Maintain Documentation
Include the purpose in the supply chain risk management policy. CC ID 14706	Audits and risk management	Establish/Maintain Documentation
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662	Audits and risk management	Communicate
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713	Audits and risk management	Establish/Maintain Documentation
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619	Audits and risk management	Establish/Maintain Documentation
Include dates in the supply chain risk management plan. CC ID 15617	Audits and risk management	Establish/Maintain Documentation
Include implementation milestones in the supply chain risk management plan. CC ID 15615	Audits and risk management	Establish/Maintain Documentation
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613	Audits and risk management	Establish/Maintain Documentation
Include supply chain risk management procedures in the risk management program. CC ID 13190	Audits and risk management	Establish/Maintain Documentation
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712	Audits and risk management	Communicate
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199	Audits and risk management	Human Resources Management
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792	Audits and risk management	Communicate
Include website continuity procedures in the continuity plan. CC ID 01380	Operational and Systems Continuity	Establish/Maintain Documentation
Post all required information on organizational websites and ensure all hyperlinks are working. CC ID 04579 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer shall make available, in a manner that is clear and readily available on the deployer's website, a statement summarizing: The types of high-risk artificial intelligence systems that are currently deployed by the deployer; 6-1-1703. (5)(a)(I) On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer shall make available, in a manner that is clear and readily available on the deployer's website, a statement summarizing: How the deployer manages known or reasonably foreseeable risks of algorithmic discrimination that may arise from the deployment of each high-risk artificial intelligence system described pursuant to subsection (5)(a)(I) of this section; and 6-1-1703. (5)(a)(II) On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer shall make available, in a manner that is clear and readily available on the deployer's website, a statement summarizing: In detail, the nature, source, and extent of the information collected and used by the deployer. 6-1-1703. (5)(a)(III) {high-risk artificial intelligence system} A deployer shall periodically update the statement described in subsection (5)(a) of this section. 6-1-1703. (5)(b) On and after February 1, 2026, a developer shall make available, in a manner that is clear and readily available on the developer's website or in a public use case inventory, a statement summarizing: The types of high-risk artificial intelligence systems that the developer has developed or intentionally and substantially modified and currently makes available to a deployer or other developer; and 6-1-1702. (4)(a)(I) On and after February 1, 2026, and no later than the time that a deployer deploys a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer, the deployer shall: Provide to the consumer a statement disclosing the purpose of the high-risk artificial intelligence system and the nature of the consequential decision; the contact information for the deployer; a description, in plain language, of the high-risk artificial intelligence system; and instructions on how to access the statement required by subsection (5)(a) of this section; and 6-1-1703. (4)(a)(II)]	Operational and Systems Continuity	Data and Information Management
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain an information security program. CC ID 00812	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain operational control procedures. CC ID 00831	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826	Operational management	Establish/Maintain Documentation
Include system use information in the standard operating procedures manual. CC ID 17240 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: A general statement describing the reasonably foreseeable uses and known harmful or inappropriate uses of the high-risk artificial intelligence system; 6-1-1702. (2)(a) On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation disclosing: The intended benefits and uses of the high-risk artificial intelligence system; and 6-1-1702. (2)(b)(IV)]	Operational management	Establish/Maintain Documentation
Include the intended purpose in the standard operating procedures manual. CC ID 14967 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation disclosing: The purpose of the high-risk artificial intelligence system; 6-1-1702. (2)(b)(III) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The nature and scope of the high-risk artificial intelligence systems deployed by the deployer, including the intended uses of the high-risk artificial intelligence systems; and 6-1-1703. (2)(a)(III) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The nature and scope of the high-risk artificial intelligence systems deployed by the deployer, including the intended uses of the high-risk artificial intelligence systems; and 6-1-1703. (2)(a)(III)]	Operational management	Establish/Maintain Documentation
Include information on system performance in the standard operating procedures manual. CC ID 14965 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation disclosing: The intended benefits and uses of the high-risk artificial intelligence system; and 6-1-1702. (2)(b)(IV)]	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 [{refrain from requiring} Nothing in subsections (2) to (5) and (7) of this section requires a deployer to disclose a trade secret or information protected from disclosure by state or federal law. To the extent that a deployer withholds information pursuant to this subsection (8) or section 6-1-1705 (5), the deployer shall notify the consumer and provide a basis for the withholding. 6-1-1703. (8)]	Operational management	Establish/Maintain Documentation
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818	Operational management	Business Processes
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [On and after February 1, 2026, a developer of a high-risk artificial intelligence system shall use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination arising from the intended and contracted uses of the high-risk artificial intelligence system. In any enforcement action brought on or after February 1, 2026, by the attorney general pursuant to section 6-1-1706, there is a rebuttable presumption that a developer used reasonable care as required under this section if the developer complied with this section and any additional requirements or obligations as set forth in rules promulgated by the attorney general pursuant to section 6-1-1707. 6-1-1702. (1) On and after February 1, 2026, a deployer of a high-risk artificial intelligence system shall use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination. In any enforcement action brought on or after February 1, 2026, by the attorney general pursuant to section 6-1-1706, there is a rebuttable presumption that a deployer of a high-risk artificial intelligence system used reasonable care as required under this section if the deployer complied with this section and any additional requirements or obligations as set forth in rules promulgated by the attorney general pursuant to section 6-1-1707. 6-1-1703. (1) If a deployer, or a third party contracted by the deployer, completes an impact assessment for the purpose of complying with another applicable law or regulation, the impact assessment satisfies the requirements established in this subsection (3) if the impact assessment is reasonably similar in scope and effect to the impact assessment that would otherwise be completed pursuant to this subsection (3). 6-1-1703. (3)(e) {high-risk artificial intelligence system} On and after February 1, 2026, the attorney general may require that a developer disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the statement or documentation described in subsection (2) of this section. The attorney general may evaluate such statement or documentation to ensure compliance with this part 17, and the statement or documentation is not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (7), a developer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the statement or documentation includes information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1702. (7) In any action commenced by the attorney general to enforce this part 17, it is an affirmative defense that the developer, deployer, or other person: is otherwise in compliance with: The latest version of the "Artificial Intelligence Risk Management Framework" published by the national institute of standards and technology in the United States department of commerce and standard ISO/IEC 42001 of the International Organization for Standardization; 6-1-1706. (3)(b)(I) In any action commenced by the attorney general to enforce this part 17, it is an affirmative defense that the developer, deployer, or other person: is otherwise in compliance with: Another nationally or internationally recognized risk management framework for artificial intelligence systems, if the standards are substantially equivalent to or more stringent than the requirements of this part 17; or 6-1-1706. (3)(b)(II) In any action commenced by the attorney general to enforce this part 17, it is an affirmative defense that the developer, deployer, or other person: is otherwise in compliance with: Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate and, if designated, shall publicly disseminate. 6-1-1706. (3)(b)(III)]	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a customer service program. CC ID 00846	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain an Incident Management program. CC ID 00853	Operational management	Business Processes
Include incident monitoring procedures in the Incident Management program. CC ID 01207	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a disability accessibility program. CC ID 06191	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain an artificial intelligence system. CC ID 14943 [{risk management program} On and after February 1, 2026, and except as provided in subsection (6) of this section, a deployer of a high-risk artificial intelligence system shall implement a risk management policy and program to govern the deployer's deployment of the high-risk artificial intelligence system. The risk management policy and program must specify and incorporate the principles, processes, and personnel that the deployer uses to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination. The risk management policy and program must be an iterative process planned, implemented, and regularly and systematically reviewed and updated over the life cycle of a high-risk artificial intelligence system, requiring regular, systematic review and updates. A risk management policy and program implemented and maintained pursuant to this subsection (2) must be reasonable considering: 6-1-1703. (2)(a) {high-risk artificial intelligence system} A developer shall update the statement described in subsection (4)(a) of this section: 6-1-1702. (4)(b)]	Operational management	Systems Design, Build, and Implementation
Provide affected parties with the role of artificial intelligence in decision making. CC ID 17236 [On and after February 1, 2026, and no later than the time that a deployer deploys a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer, the deployer shall: Notify the consumer that the deployer has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision before the decision is made; 6-1-1703. (4)(a)(I) On and after February 1, 2026, and no later than the time that a deployer deploys a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer, the deployer shall: Provide to the consumer a statement disclosing the purpose of the high-risk artificial intelligence system and the nature of the consequential decision; the contact information for the deployer; a description, in plain language, of the high-risk artificial intelligence system; and instructions on how to access the statement required by subsection (5)(a) of this section; and 6-1-1703. (4)(a)(II) On and after February 1, 2026, a deployer that has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer shall, if the consequential decision is adverse to the consumer, provide to the consumer: A statement disclosing the principal reason or reasons for the consequential decision, including: The degree to which, and manner in which, the high-risk artificial intelligence system contributed to the consequential decision; 6-1-1703. (4)(b)(I)(A)]	Operational management	Communicate
Provide the reasons for adverse decisions made by artificial intelligence systems. CC ID 17253 [On and after February 1, 2026, a deployer that has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer shall, if the consequential decision is adverse to the consumer, provide to the consumer: A statement disclosing the principal reason or reasons for the consequential decision, including: 6-1-1703. (4)(b)(I) On and after February 1, 2026, a deployer that has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer shall, if the consequential decision is adverse to the consumer, provide to the consumer: A statement disclosing the principal reason or reasons for the consequential decision, including: The type of data that was processed by the high-risk artificial intelligence system in making the consequential decision; and 6-1-1703. (4)(b)(I)(B) On and after February 1, 2026, a deployer that has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer shall, if the consequential decision is adverse to the consumer, provide to the consumer: A statement disclosing the principal reason or reasons for the consequential decision, including: The source or sources of the data described in subsection (4)(b)(I)(B) of this section; 6-1-1703. (4)(b)(I)(C)]	Operational management	Process or Activity
Authorize artificial intelligence systems for use under defined conditions. CC ID 17210 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: How the high-risk artificial intelligence system should be used, not be used, and be monitored by an individual when the high-risk artificial intelligence system is used to make, or is a substantial factor in making, a consequential decision; and 6-1-1702. (2)(c)(V)]	Operational management	Process or Activity
Refrain from notifying users when images, videos, or audio have been artificially generated or manipulated if use of the artificial intelligence system is authorized by law. CC ID 15051 [Disclosure is not required under subsection (1) of this section under circumstances in which it would be obvious to a reasonable person that the person is interacting with an artificial intelligence system. 6-1-1704. (2)]	Operational management	Communicate
Establish, implement, and maintain a post-market monitoring system. CC ID 15050	Operational management	Monitor and Evaluate Occurrences
Limit artificial intelligence systems authorizations to the time period until conformity assessment procedures are complete. CC ID 15043	Operational management	Business Processes
Terminate authorizations for artificial intelligence systems when conformity assessment procedures are complete. CC ID 15042	Operational management	Business Processes
Authorize artificial intelligence systems to be put into service for exceptional reasons while conformity assessment procedures are being conducted. CC ID 15039	Operational management	Business Processes
Discard the outputs of the artificial intelligence system when authorizations are denied. CC ID 17225	Operational management	Process or Activity
Authorize artificial intelligence systems to be placed on the market for exceptional reasons while conformity assessment procedures are being conducted. CC ID 15037	Operational management	Business Processes
Prohibit artificial intelligence systems from being placed on the market when it is not in compliance with the requirements. CC ID 15029	Operational management	Acquisition/Sale of Assets or Services
Ensure the artificial intelligence system performs at an acceptable level of accuracy, robustness, and cybersecurity. CC ID 15024	Operational management	Process or Activity
Implement an acceptable level of accuracy, robustness, and cybersecurity in the development of artificial intelligence systems. CC ID 15022	Operational management	Systems Design, Build, and Implementation
Take into account the nature of the situation when determining the possibility of using 'real-time’ remote biometric identification systems in publicly accessible spaces for law enforcement. CC ID 15020	Operational management	Process or Activity
Notify users when images, videos, or audio on the artificial intelligence system has been artificially generated or manipulated. CC ID 15019	Operational management	Communicate
Refrain from notifying users of artificial intelligence systems using biometric categorization for law enforcement. CC ID 15017	Operational management	Communicate
Use a remote biometric identification system under defined conditions. CC ID 15016	Operational management	Process or Activity
Notify users when they are using an artificial intelligence system. CC ID 15015 [On and after February 1, 2026, and except as provided in subsection (2) of this section, a deployer or other developer that deploys, offers, sells, leases, licenses, gives, or otherwise makes available an artificial intelligence system that is intended to interact with consumers shall ensure the disclosure to each consumer who interacts with the artificial intelligence system that the consumer is interacting with an artificial intelligence system. 6-1-1704. (1)]	Operational management	Communicate
Receive prior authorization for the use of a remote biometric identification system. CC ID 15014	Operational management	Business Processes
Prohibit artificial intelligence systems that deploys subliminal techniques from being placed on the market. CC ID 15012	Operational management	Acquisition/Sale of Assets or Services
Prohibit artificial intelligence systems that use social scores for unfavorable treatment from being placed on the market. CC ID 15010	Operational management	Acquisition/Sale of Assets or Services
Prohibit artificial intelligence systems that evaluate or classify the trustworthiness of individuals from being placed on the market. CC ID 15008	Operational management	Acquisition/Sale of Assets or Services
Prohibit artificial intelligence systems that exploits vulnerabilities of a specific group of persons from being placed on the market. CC ID 15006	Operational management	Acquisition/Sale of Assets or Services
Refrain from making a decision based on system output unless verified by at least two natural persons. CC ID 15004	Operational management	Business Processes
Establish, implement, and maintain human oversight over artificial intelligence systems. CC ID 15003 [On or before February 1, 2026, and at least annually thereafter, a deployer, or a third party contracted by the deployer, must review the deployment of each high-risk artificial intelligence system deployed by the deployer to ensure that the high-risk artificial intelligence system is not causing algorithmic discrimination. 6-1-1703. (3)(g)]	Operational management	Behavior
Implement measures to enable personnel assigned to human oversight to intervene or interrupt the operation of the artificial intelligence system. CC ID 15093	Operational management	Process or Activity
Implement measures to enable personnel assigned to human oversight to be aware of the possibility of automatically relying or over-relying on outputs to make decisions. CC ID 15091	Operational management	Human Resources Management
Implement measures to enable personnel assigned to human oversight to interpret output correctly. CC ID 15089	Operational management	Data and Information Management
Implement measures to enable personnel assigned to human oversight to decide to refrain from using the artificial intelligence system or override disregard, or reverse the output. CC ID 15079	Operational management	Behavior
Enable users to interpret the artificial intelligence system's output and use. CC ID 15002	Operational management	Business Processes
Develop artificial intelligence systems involving the training of models with data sets that meet the quality criteria. CC ID 14996	Operational management	Systems Design, Build, and Implementation
Withdraw the technical documentation assessment certificate when the artificial intelligence system is not in compliance with requirements. CC ID 15099	Operational management	Establish/Maintain Documentation
Reassess the designation of artificial intelligence systems. CC ID 17230	Operational management	Process or Activity
Define a high-risk artificial intelligence system. CC ID 14959	Operational management	Establish/Maintain Documentation
Take into account the consequences for the rights and freedoms of persons when using ‘real-time’ remote biometric identification systems for law enforcement. CC ID 14957	Operational management	Process or Activity
Allow the use of 'real-time' remote biometric identification systems for law enforcement under defined conditions. CC ID 14955	Operational management	Process or Activity
Document the use of remote biometric identification systems. CC ID 17215	Operational management	Business Processes
Notify interested personnel and affected parties of the use of remote biometric identification systems. CC ID 17216	Operational management	Communicate
Refrain from using remote biometric identification systems under defined conditions. CC ID 14953	Operational management	Process or Activity
Prohibit the use of artificial intelligence systems under defined conditions. CC ID 14951 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: How the high-risk artificial intelligence system should be used, not be used, and be monitored by an individual when the high-risk artificial intelligence system is used to make, or is a substantial factor in making, a consequential decision; and 6-1-1702. (2)(c)(V)]	Operational management	Process or Activity
Establish, implement, and maintain a declaration of conformity. CC ID 15038	Operational management	Establish/Maintain Documentation
Include a statement that the artificial intelligence system meets all requirements in the declaration of conformity. CC ID 15100 [A developer, a deployer, or other person bears the burden of demonstrating to the attorney general that the requirements established in subsection (3) of this section have been satisfied. 6-1-1706. (4)]	Operational management	Establish/Maintain Documentation
Retain records in accordance with applicable requirements. CC ID 00968 [A deployer shall maintain the most recently completed impact assessment for a high-risk artificial intelligence system as required under this subsection (3), all records concerning each impact assessment, and all prior impact assessments, if any, for at least three years following the final deployment of the high-risk artificial intelligence system. 6-1-1703. (3)(f) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9)]	Records management	Records Management
Establish and maintain technical documentation. CC ID 15005 [A developer that also serves as a deployer for a high-risk artificial intelligence system is not required to generate the documentation required by this section unless the high-risk artificial intelligence system is provided to an unaffiliated entity acting as a deployer. 6-1-1702. (3)(b) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9)]	Systems design, build, and implementation	Establish/Maintain Documentation
Retain technical documentation on the premises where the artificial intelligence system is located. CC ID 15104	Systems design, build, and implementation	Establish/Maintain Documentation
Include the risk mitigation measures in the technical documentation. CC ID 17246 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: The measures the developer has taken to mitigate known or reasonably foreseeable risks of algorithmic discrimination that may arise from the reasonably foreseeable deployment of the high-risk artificial intelligence system; and 6-1-1702. (2)(c)(IV)]	Systems design, build, and implementation	Establish/Maintain Documentation
Include the intended outputs of the system in the technical documentation. CC ID 17245 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation describing: The intended outputs of the high-risk artificial intelligence system; 6-1-1702. (2)(c)(III) On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: Any additional documentation that is reasonably necessary to assist the deployer in understanding the outputs and monitor the performance of the high-risk artificial intelligence system for risks of algorithmic discrimination. 6-1-1702. (2)(d)]	Systems design, build, and implementation	Establish/Maintain Documentation
Include the limitations of the system in the technical documentation. CC ID 17242 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation disclosing: Known or reasonably foreseeable limitations of the high-risk artificial intelligence system, including known or reasonably foreseeable risks of algorithmic discrimination arising from the intended uses of the high-risk artificial intelligence system; 6-1-1702. (2)(b)(II)]	Systems design, build, and implementation	Establish/Maintain Documentation
Include the types of data used to train the artificial intelligence system in the technical documentation. CC ID 17241 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: High-level summaries of the type of data used to train the high-risk artificial intelligence system; 6-1-1702. (2)(b)(I)]	Systems design, build, and implementation	Establish/Maintain Documentation
Include all required information in the technical documentation. CC ID 15094 [On and after February 1, 2026, and except as provided in subsection (6) of this section, a developer of a high-risk artificial intelligence system shall make available to the deployer or other developer of the high-risk artificial intelligence system: documentation disclosing: All other information necessary to allow the deployer to comply with the requirements of section 6-1-1703; 6-1-1702. (2)(b)(V)]	Systems design, build, and implementation	Establish/Maintain Documentation
Include information that demonstrates compliance with requirements in the technical documentation. CC ID 15088	Systems design, build, and implementation	Establish/Maintain Documentation
Disseminate and communicate technical documentation to interested personnel and affected parties. CC ID 17229 [On and after February 1, 2026, and no later than the time that a deployer deploys a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer, the deployer shall: Provide to the consumer a statement disclosing the purpose of the high-risk artificial intelligence system and the nature of the consequential decision; the contact information for the deployer; a description, in plain language, of the high-risk artificial intelligence system; and instructions on how to access the statement required by subsection (5)(a) of this section; and 6-1-1703. (4)(a)(II)]	Systems design, build, and implementation	Communicate
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a personal data transparency program. CC ID 00375 [An impact assessment completed pursuant to this subsection (3) must include, at a minimum, and to the extent reasonably known by or available to the deployer: A description of any transparency measures taken concerning the high-risk artificial intelligence system, including any measures taken to disclose to a consumer that the high-risk artificial intelligence system is in use when the high-risk artificial intelligence system is in use; and 6-1-1703. (3)(b)(VI)]	Privacy protection for information and data	Data and Information Management
Establish and maintain privacy notices, as necessary. CC ID 13443	Privacy protection for information and data	Establish/Maintain Documentation
Include the purpose of the privacy notice in the privacy notice. CC ID 13526	Privacy protection for information and data	Establish/Maintain Documentation
Include the processing purpose in the privacy notice. CC ID 16543	Privacy protection for information and data	Establish/Maintain Documentation
Include the record types which may not be used or disclosed unless required by law in the privacy notice. CC ID 17258	Privacy protection for information and data	Establish/Maintain Documentation
Include contact information in the privacy notice. CC ID 14432	Privacy protection for information and data	Establish/Maintain Documentation
Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503	Privacy protection for information and data	Establish/Maintain Documentation
Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460	Privacy protection for information and data	Establish/Maintain Documentation
Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461	Privacy protection for information and data	Establish/Maintain Documentation
Include the uses or disclosures that require authorizations in the privacy notice. CC ID 17257	Privacy protection for information and data	Establish/Maintain Documentation
Include prohibitions of use or disclosure in the privacy notice. CC ID 17252	Privacy protection for information and data	Establish/Maintain Documentation
Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459	Privacy protection for information and data	Establish/Maintain Documentation
Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455	Privacy protection for information and data	Establish/Maintain Documentation
Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456	Privacy protection for information and data	Establish/Maintain Documentation
Include the personal data collection categories in the privacy notice. CC ID 13457	Privacy protection for information and data	Establish/Maintain Documentation
Include disclosure exceptions in the privacy notice. CC ID 13447	Privacy protection for information and data	Establish/Maintain Documentation
Include the types of personal data disclosed in the privacy notice. CC ID 13446	Privacy protection for information and data	Establish/Maintain Documentation
Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458	Privacy protection for information and data	Establish/Maintain Documentation
Specify the time frame that notice will be given. CC ID 00385	Privacy protection for information and data	Establish/Maintain Documentation
Include the information about the appeal process in the privacy notice. CC ID 15312	Privacy protection for information and data	Establish/Maintain Documentation
Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445	Privacy protection for information and data	Communicate
Deliver privacy notices to data subjects, as necessary. CC ID 13444	Privacy protection for information and data	Communicate
Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464	Privacy protection for information and data	Establish/Maintain Documentation
Update privacy notices, as necessary. CC ID 13474	Privacy protection for information and data	Communicate
Redeliver privacy notices, as necessary. CC ID 14850	Privacy protection for information and data	Communicate
Deliver privacy notices to third parties, as necessary. CC ID 13473	Privacy protection for information and data	Communicate
Obtain acknowledgment of receipt of the privacy notice. CC ID 14435	Privacy protection for information and data	Communicate
Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466	Privacy protection for information and data	Establish/Maintain Documentation
Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472	Privacy protection for information and data	Establish/Maintain Documentation
Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471	Privacy protection for information and data	Establish/Maintain Documentation
Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain opt-out notices. CC ID 13448	Privacy protection for information and data	Establish/Maintain Documentation
Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465	Privacy protection for information and data	Establish/Maintain Documentation
Include the opt out method for data subjects in the opt-out notice. CC ID 13467	Privacy protection for information and data	Establish/Maintain Documentation
Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 [On and after February 1, 2026, and no later than the time that a deployer deploys a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer, the deployer shall: Provide to the consumer information, if applicable, regarding the consumer's right to opt out of the processing of personal data concerning the consumer for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer under section 6-1-1306 (1)(a)(I)(C). 6-1-1703. (4)(a)(III)]	Privacy protection for information and data	Establish/Maintain Documentation
Explain the right to opt out in the opt-out notice. CC ID 13462	Privacy protection for information and data	Establish/Maintain Documentation
Include the organization's right to share personal data in the opt-out notice. CC ID 13450	Privacy protection for information and data	Establish/Maintain Documentation
Deliver opt-out notices, as necessary. CC ID 13449	Privacy protection for information and data	Communicate
Include an initial privacy notification when delivering the opt-out notice. CC ID 13453	Privacy protection for information and data	Communicate
Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376	Privacy protection for information and data	Communicate
Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372	Privacy protection for information and data	Communicate
Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391	Privacy protection for information and data	Communicate
Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819	Privacy protection for information and data	Data and Information Management
Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393	Privacy protection for information and data	Communicate
Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354	Privacy protection for information and data	Communicate
Provide the data subject with a notice of participation procedures. CC ID 06241	Privacy protection for information and data	Establish/Maintain Documentation
Deliver notices to the intended parties. CC ID 06240 [{make available} {be reasonable} If the deployer is unable to provide the notice, statement, contact information, and description required by subsections (4)(a) and (4)(b) of this section directly to the consumer, the deployer shall make the notice, statement, contact information, and description available in a manner that is reasonably calculated to ensure that the consumer receives the notice, statement, contact information, and description. 6-1-1703. (4)(c)(II)]	Privacy protection for information and data	Data and Information Management
Notify data subjects about their privacy rights. CC ID 12989	Privacy protection for information and data	Communicate
Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352	Privacy protection for information and data	Communicate
Establish, implement, and maintain adequate openness procedures. CC ID 00377	Privacy protection for information and data	Data and Information Management
Provide public proof the organization participates in a privacy program. CC ID 12349	Privacy protection for information and data	Communicate
Publish a description of processing activities in an official register. CC ID 00379	Privacy protection for information and data	Establish/Maintain Documentation
Establish and maintain a records request manual. CC ID 00381	Privacy protection for information and data	Establish/Maintain Documentation
Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382	Privacy protection for information and data	Establish/Maintain Documentation
Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383	Privacy protection for information and data	Behavior
Define what is included in registration notices. CC ID 00386	Privacy protection for information and data	Establish/Maintain Documentation
Include roles and responsibilities in the registration notice. CC ID 16803	Privacy protection for information and data	Establish Roles
Include the verification method in the registration notice. CC ID 16798	Privacy protection for information and data	Establish/Maintain Documentation
Include the statutory authority in the registration notice. CC ID 16799	Privacy protection for information and data	Establish/Maintain Documentation
Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387	Privacy protection for information and data	Establish/Maintain Documentation
Include a purpose specification description in the registration notice. CC ID 00388	Privacy protection for information and data	Establish/Maintain Documentation
Include information about the dispute resolution body in the registration notice. CC ID 16800	Privacy protection for information and data	Establish/Maintain Documentation
Include the data subject category being processed in the registration notice. CC ID 00389	Privacy protection for information and data	Establish/Maintain Documentation
Include the time period for data processing in the registration notice. CC ID 00390	Privacy protection for information and data	Establish/Maintain Documentation
Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392	Privacy protection for information and data	Establish/Maintain Documentation
Provide legal authorities access to personal data, upon request. CC ID 06818	Privacy protection for information and data	Data and Information Management
Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609	Privacy protection for information and data	Process or Activity
Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 [Except as provided in subsection (4)(c)(ii) of this section, a deployer shall provide the notice, statement, contact information, and description required by subsections (4)(a) and (4)(b) of this section: Directly to the consumer; 6-1-1703. (4)(c)(I)(A)]	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588	Privacy protection for information and data	Process or Activity
Document the countries where restricted data may be stored. CC ID 12750	Privacy protection for information and data	Data and Information Management
Protect the rights of students and their parents or legal representatives. CC ID 00222	Privacy protection for information and data	Data and Information Management
Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014	Privacy protection for information and data	Technical Security
Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025	Privacy protection for information and data	Records Management
Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019	Privacy protection for information and data	Records Management
Define the criteria for waivers of data subjects' rights. CC ID 16858	Privacy protection for information and data	Behavior
Revoke waivers of data subject's rights, as necessary. CC ID 16859	Privacy protection for information and data	Behavior
Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996	Privacy protection for information and data	Establish/Maintain Documentation
Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004	Privacy protection for information and data	Establish/Maintain Documentation
Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003	Privacy protection for information and data	Establish/Maintain Documentation
Disclose educational data, as necessary. CC ID 00223	Privacy protection for information and data	Data and Information Management
Grant access to education records in support of educational program audits. CC ID 13032	Privacy protection for information and data	Records Management
Grant access to education records in support of external requirements. CC ID 13033	Privacy protection for information and data	Records Management
Disclose statements added to education records, as necessary. CC ID 12990	Privacy protection for information and data	Communicate
Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220	Privacy protection for information and data	Data and Information Management
Disclose education records when written consent is received. CC ID 00224	Privacy protection for information and data	Data and Information Management
Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002	Privacy protection for information and data	Establish/Maintain Documentation
Specify the purpose of the disclosure in the written consent. CC ID 13001	Privacy protection for information and data	Establish/Maintain Documentation
Specify which education records may be disclosed in the written consent. CC ID 13000	Privacy protection for information and data	Establish/Maintain Documentation
Document the conditions when consent is not required to disclose educational data. CC ID 00225	Privacy protection for information and data	Establish/Maintain Documentation
Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005	Privacy protection for information and data	Communicate
Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023	Privacy protection for information and data	Communicate
Disclose educational data absent consent when it concerns sex offenders. CC ID 13013	Privacy protection for information and data	Communicate
Disclose educational data absent consent to other school officials. CC ID 00226	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent to another institution's school officials. CC ID 00227	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent in connection with financial aid. CC ID 00229	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995	Privacy protection for information and data	Communicate
Disclose educational data absent consent to accrediting organizations. CC ID 00231	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent for a health and safety emergency. CC ID 00234	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent when it is merely directory information. CC ID 00235	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent to a crime victim. CC ID 00236	Privacy protection for information and data	Data and Information Management
Record the health and safety threats of students when disclosing personal data. CC ID 12997	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from providing information to the data subject, as necessary. CC ID 12625	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645	Privacy protection for information and data	Communicate
Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when the data subject has the information. CC ID 12628	Privacy protection for information and data	Communicate
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with the data retention period for personal data. CC ID 12587	Privacy protection for information and data	Process or Activity
Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589	Privacy protection for information and data	Process or Activity
Provide the data subject with the adequacy decision. CC ID 12586	Privacy protection for information and data	Process or Activity
Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585	Privacy protection for information and data	Process or Activity
Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608	Privacy protection for information and data	Process or Activity
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396	Privacy protection for information and data	Data and Information Management
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780	Privacy protection for information and data	Business Processes
Provide the data subject with the data protection officer's contact information. CC ID 12573	Privacy protection for information and data	Business Processes
Notify the data subject of the right to data portability. CC ID 12603	Privacy protection for information and data	Process or Activity
Provide the data subject with information about the right to erasure. CC ID 12602	Privacy protection for information and data	Process or Activity
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399	Privacy protection for information and data	Data and Information Management
Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027	Privacy protection for information and data	Establish/Maintain Documentation
Establish and maintain a disclosure accounting record. CC ID 13022	Privacy protection for information and data	Establish/Maintain Documentation
Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029	Privacy protection for information and data	Establish/Maintain Documentation
Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028	Privacy protection for information and data	Establish/Maintain Documentation
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680	Privacy protection for information and data	Establish/Maintain Documentation
Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769	Privacy protection for information and data	Establish/Maintain Documentation
Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768	Privacy protection for information and data	Establish/Maintain Documentation
Include the disclosure date in the disclosure accounting record. CC ID 07133	Privacy protection for information and data	Establish/Maintain Documentation
Include the disclosure recipient in the disclosure accounting record. CC ID 07134	Privacy protection for information and data	Establish/Maintain Documentation
Include the disclosure purpose in the disclosure accounting record. CC ID 07135	Privacy protection for information and data	Establish/Maintain Documentation
Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136	Privacy protection for information and data	Establish/Maintain Documentation
Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137	Privacy protection for information and data	Establish/Maintain Documentation
Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138	Privacy protection for information and data	Establish/Maintain Documentation
Include the research activity or research protocol in the disclosure accounting record. CC ID 07139	Privacy protection for information and data	Establish/Maintain Documentation
Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140	Privacy protection for information and data	Establish/Maintain Documentation
Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141	Privacy protection for information and data	Establish/Maintain Documentation
Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860	Privacy protection for information and data	Data and Information Management
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433	Privacy protection for information and data	Communicate
Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586	Privacy protection for information and data	Establish/Maintain Documentation
Provide shareholders access to electronic messages via electronic means. CC ID 11855	Privacy protection for information and data	Process or Activity
Make telephone directory information available to the public. CC ID 08698	Privacy protection for information and data	Establish/Maintain Documentation
Display warning screens and confirmation screens for all payment transactions. CC ID 06409	Privacy protection for information and data	Technical Security
Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614	Privacy protection for information and data	Process or Activity
Establish, implement, and maintain a personal data accountability program. CC ID 13432	Privacy protection for information and data	Establish/Maintain Documentation
Require data controllers to be accountable for their actions. CC ID 00470	Privacy protection for information and data	Establish Roles
Notify the supervisory authority. CC ID 00472 [If a deployer deploys a high-risk artificial intelligence system on or after February 1, 2026, and subsequently discovers that the high-risk artificial intelligence system has caused algorithmic discrimination, the deployer, without unreasonable delay, but no later than ninety days after the date of the discovery, shall send to the attorney general, in a form and manner prescribed by the attorney general, a notice disclosing the discovery. 6-1-1703. (7)]	Privacy protection for information and data	Behavior
Establish, implement, and maintain approval applications. CC ID 16778	Privacy protection for information and data	Establish/Maintain Documentation
Define the requirements for approving or denying approval applications. CC ID 16780	Privacy protection for information and data	Business Processes
Submit approval applications to the supervisory authority. CC ID 16627	Privacy protection for information and data	Communicate
Include required information in the approval application. CC ID 16628	Privacy protection for information and data	Establish/Maintain Documentation
Extend the time limit for approving or denying approval applications. CC ID 16779	Privacy protection for information and data	Business Processes
Approve the approval application unless applicant has been convicted. CC ID 16603	Privacy protection for information and data	Process or Activity
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [{high-risk artificial intelligence system} On and after February 1, 2026, the attorney general may require that a developer disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the statement or documentation described in subsection (2) of this section. The attorney general may evaluate such statement or documentation to ensure compliance with this part 17, and the statement or documentation is not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (7), a developer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the statement or documentation includes information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1702. (7)]	Privacy protection for information and data	Process or Activity
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605	Privacy protection for information and data	Communicate
Respond to questions about submissions in a timely manner. CC ID 16930	Privacy protection for information and data	Communicate
Establish, implement, and maintain a personal data use limitation program. CC ID 13428	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain data disclosure procedures. CC ID 00133 [{high-risk artificial intelligence system} On and after February 1, 2026, the attorney general may require that a developer disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the statement or documentation described in subsection (2) of this section. The attorney general may evaluate such statement or documentation to ensure compliance with this part 17, and the statement or documentation is not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (7), a developer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the statement or documentation includes information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1702. (7)]	Privacy protection for information and data	Establish/Maintain Documentation
Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901	Privacy protection for information and data	Communicate
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298	Privacy protection for information and data	Data and Information Management
Review personal data disclosure requests. CC ID 07129	Privacy protection for information and data	Data and Information Management
Notify the data subject of the disclosure purpose. CC ID 15268	Privacy protection for information and data	Communicate
Establish, implement, and maintain data request denial procedures. CC ID 00434	Privacy protection for information and data	Establish/Maintain Documentation
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435	Privacy protection for information and data	Data and Information Management
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436	Privacy protection for information and data	Data and Information Management
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439	Privacy protection for information and data	Data and Information Management
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [{refrain from requiring} Nothing in subsections (2) to (5) and (7) of this section requires a deployer to disclose a trade secret or information protected from disclosure by state or federal law. To the extent that a deployer withholds information pursuant to this subsection (8) or section 6-1-1705 (5), the deployer shall notify the consumer and provide a basis for the withholding. 6-1-1703. (8) {refrain from requiring} Nothing in subsections (2) to (5) of this section requires a developer to disclose a trade secret, information protected from disclosure by state or federal law, or information that would create a security risk to the developer. 6-1-1702. (6)]	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702	Privacy protection for information and data	Process or Activity
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600	Privacy protection for information and data	Data and Information Management
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444	Privacy protection for information and data	Data and Information Management
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445	Privacy protection for information and data	Data and Information Management
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450	Privacy protection for information and data	Data and Information Management
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874	Privacy protection for information and data	Data and Information Management
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875	Privacy protection for information and data	Data and Information Management
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [{refrain from requiring} Nothing in subsections (2) to (5) and (7) of this section requires a deployer to disclose a trade secret or information protected from disclosure by state or federal law. To the extent that a deployer withholds information pursuant to this subsection (8) or section 6-1-1705 (5), the deployer shall notify the consumer and provide a basis for the withholding. 6-1-1703. (8)]	Privacy protection for information and data	Data and Information Management
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509	Privacy protection for information and data	Communicate
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454	Privacy protection for information and data	Data and Information Management
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700	Privacy protection for information and data	Process or Activity
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428	Privacy protection for information and data	Data and Information Management
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876	Privacy protection for information and data	Data and Information Management
Notify that data subject of any exclusions to requested personal data. CC ID 15271	Privacy protection for information and data	Communicate
Provide data or records in a reasonable time frame. CC ID 00429	Privacy protection for information and data	Data and Information Management
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599	Privacy protection for information and data	Communicate
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591	Privacy protection for information and data	Data and Information Management
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590	Privacy protection for information and data	Data and Information Management
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589	Privacy protection for information and data	Data and Information Management
Provide data at a cost that is not excessive. CC ID 00430	Privacy protection for information and data	Data and Information Management
Provide records or data in a reasonable manner. CC ID 00431	Privacy protection for information and data	Data and Information Management
Provide personal data in a form that is intelligible. CC ID 00432	Privacy protection for information and data	Data and Information Management
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604	Privacy protection for information and data	Data and Information Management
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602	Privacy protection for information and data	Data and Information Management
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601	Privacy protection for information and data	Data and Information Management
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a data handling program. CC ID 13427	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain data handling policies. CC ID 00353	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [{high-risk artificial intelligence system} On and after February 1, 2026, the attorney general may require that a developer disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the statement or documentation described in subsection (2) of this section. The attorney general may evaluate such statement or documentation to ensure compliance with this part 17, and the statement or documentation is not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (7), a developer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the statement or documentation includes information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1702. (7) {high-risk artificial intelligence system} On and after February 1, 2026, the attorney general may require that a developer disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the statement or documentation described in subsection (2) of this section. The attorney general may evaluate such statement or documentation to ensure compliance with this part 17, and the statement or documentation is not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (7), a developer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the statement or documentation includes information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1702. (7) On and after February 1, 2026, the attorney general may require that a deployer, or a third party contracted by the deployer, disclose to the attorney general, no later than ninety days after the request and in a form and manner prescribed by the attorney general, the risk management policy implemented pursuant to subsection (2) of this section, the impact assessment completed pursuant to subsection (3) of this section, or the records maintained pursuant to subsection (3)(f) of this section. The attorney general may evaluate the risk management policy, impact assessment, or records to ensure compliance with this part 17, and the risk management policy, impact assessment, and records are not subject to disclosure under the "Colorado Open Records Act", part 2 of article 72 of title 24. In a disclosure pursuant to this subsection (9), a deployer may designate the statement or documentation as including proprietary information or a trade secret. To the extent that any information contained in the risk management policy, impact assessment, or records include information subject to attorney-client privilege or work-product protection, the disclosure does not constitute a waiver of the privilege or protection. 6-1-1703. (9) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The sensitivity and volume of data processed in connection with the le="background-color:#F0BBBC;" class="term_primary-noun">high-risk artificial intelligence systems e="background-color:#CBD0E5;" class="term_secondary-verb">deployed by the deployer. 6-1-1703. (2)(a)(IV) Any risk management framework for artificial intelligence systems that the attorney general, in the attorney general's discretion, may designate; The sensitivity and volume of data processed in connection with the le="background-color:#F0BBBC;" class="term_primary-noun">high-risk artificial intelligence systems e="background-color:#CBD0E5;" class="term_secondary-verb">deployed by the deployer. 6-1-1703. (2)(a)(IV)]	Privacy protection for information and data	Establish/Maintain Documentation
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565	Privacy protection for information and data	Data and Information Management
Protect electronic messaging information. CC ID 12022	Privacy protection for information and data	Technical Security
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360	Privacy protection for information and data	Data and Information Management
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699	Privacy protection for information and data	Configuration
Store payment card data in secure chips, if possible. CC ID 13065	Privacy protection for information and data	Configuration
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758	Privacy protection for information and data	Configuration
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952	Privacy protection for information and data	Technical Security
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083	Privacy protection for information and data	Data and Information Management
Log the disclosure of personal data. CC ID 06628	Privacy protection for information and data	Log Management
Log the modification of personal data. CC ID 11844	Privacy protection for information and data	Log Management
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850	Privacy protection for information and data	Technical Security
Implement security measures to protect personal data. CC ID 13606	Privacy protection for information and data	Technical Security
Implement physical controls to protect personal data. CC ID 00355	Privacy protection for information and data	Testing
Limit data leakage. CC ID 00356	Privacy protection for information and data	Data and Information Management
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654	Privacy protection for information and data	Monitor and Evaluate Occurrences
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851	Privacy protection for information and data	Business Processes
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408	Privacy protection for information and data	Acquisition/Sale of Assets or Services
Alert appropriate personnel when data leakage is detected. CC ID 14715	Privacy protection for information and data	Process or Activity
Develop remedies and sanctions for privacy policy violations. CC ID 00474	Privacy protection for information and data	Data and Information Management
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610	Privacy protection for information and data	Data and Information Management
Define the appeal process based on the applicable law. CC ID 00506 [On and after February 1, 2026, a deployer that has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer shall, if the consequential decision is adverse to the consumer, provide to the consumer: A statement disclosing the principal reason or reasons for the consequential decision, including: An opportunity to appeal an adverse consequential decision concerning the consumer arising from the deployment of a high-risk artificial intelligence system, which appeal must, if technically feasible, allow for human review unless providing the opportunity for appeal is not in the best interest of the consumer, including in instances in which any delay might pose a risk to the life or safety of such consumer. 6-1-1703. (4)(b)(III)]	Privacy protection for information and data	Establish/Maintain Documentation
Define the fee structure for the appeal process. CC ID 16532	Privacy protection for information and data	Process or Activity
Define the time requirements for the appeal process. CC ID 16531	Privacy protection for information and data	Process or Activity
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 [On and after February 1, 2026, a deployer that has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer shall, if the consequential decision is adverse to the consumer, provide to the consumer: A statement disclosing the principal reason or reasons for the consequential decision, including: An opportunity to appeal an adverse consequential decision concerning the consumer arising from the deployment of a high-risk artificial intelligence system, which appeal must, if technically feasible, allow for human review unless providing the opportunity for appeal is not in the best interest of the consumer, including in instances in which any delay might pose a risk to the life or safety of such consumer. 6-1-1703. (4)(b)(III)]	Privacy protection for information and data	Communicate
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542	Privacy protection for information and data	Communicate
Establish, implement, and maintain organizational documents. CC ID 16202	Harmonization Methods and Manual of Style	Establish/Maintain Documentation
Write organizational documents using clear and conspicuous language. CC ID 16281 [Except as provided in subsection (4)(c)(ii) of this section, a deployer shall provide the notice, statement, contact information, and description required by subsections (4)(a) and (4)(b) of this section: In plain language; 6-1-1703. (4)(c)(I)(B)]	Harmonization Methods and Manual of Style	Establish/Maintain Documentation
Write organizational documents using information that is free from bias. CC ID 16341	Harmonization Methods and Manual of Style	Establish/Maintain Documentation
Structure the language of compliance documents. CC ID 06098	Harmonization Methods and Manual of Style	Establish/Maintain Documentation
Standardize word usage. CC ID 06104	Harmonization Methods and Manual of Style	Establish/Maintain Documentation
Write policies and instructions using clear and conspicuous language. CC ID 16286 [Except as provided in subsection (4)(c)(ii) of this section, a deployer shall provide the notice, statement, contact information, and description required by subsections (4)(a) and (4)(b) of this section: In all languages in which the deployer, in the ordinary course of the deployer's business, provides contracts, disclaimers, sale announcements, and other information to consumers; and 6-1-1703. (4)(c)(I)(C)]	Harmonization Methods and Manual of Style	Establish/Maintain Documentation