Requirements Checklist
Original SB 24-205 vs. Revised Working Group Framework
Impact Assessment
Original Law
Developers and deployers must complete impact assessments for all high-risk AI systems before deployment
Revised Framework
Risk-tiered approach: full assessment for high-risk only; streamlined assessment for medium-risk; self-certification for low-risk
Agency Action Required
Categorize all AI systems by risk tier; complete appropriate assessment level
Transparency & Notice
Original Law
Consumers must be notified when interacting with AI and when AI makes consequential decisions
Revised Framework
Maintains consumer notification requirements; adds specific disclosure templates for government use
Agency Action Required
Implement disclosure notices on all citizen-facing AI systems
Human Review
Original Law
Meaningful human review required for all consequential AI decisions
Revised Framework
Risk-proportionate human oversight; high-risk requires human-in-the-loop; medium-risk allows human-on-the-loop
Agency Action Required
Establish review protocols matched to risk level of each system
Data Correction
Original Law
Individuals must be able to correct data used by AI systems that affect them
Revised Framework
Maintains correction rights; adds 30-day response requirement and appeal process
Agency Action Required
Create data correction request workflows for each high-risk system
Bias Testing
Original Law
Regular testing for algorithmic discrimination required
Revised Framework
Annual bias audits for high-risk systems; defines protected classes and testing methodology
Agency Action Required
Schedule annual audits; document testing methodology and results
Incident Reporting
Original Law
Not explicitly required
Revised Framework
New requirement: AI-related incidents must be reported to AG within 72 hours
Agency Action Required
Establish incident response plan and reporting pipeline
Vendor Obligations
Original Law
AI developers must provide documentation to deployers
Revised Framework
Enhanced: developers must provide model cards, testing results, and known limitations; state contracts must include AI disclosure clauses
Agency Action Required
Update procurement contracts to include AI disclosure requirements
Enforcement
Original Law
AG exclusive enforcement; private right of action for violations
Revised Framework
AG enforcement with safe harbor for good-faith compliance efforts; no private right of action during 18-month transition
Agency Action Required
Document good-faith compliance efforts for safe harbor eligibility