Colorado AI Act Documentation: What Property Managers Must Build Before June 30, 2026

What Does Colorado's AI Act Require Property Managers to Document?

SB 24-205 requires any PM deploying high-risk AI systems to maintain three records: an impact assessment, a risk management policy, and consumer disclosure logs for every adverse decision where AI was a factor.

Most PMs I've talked to don't even know they fall under this. They think "AI regulation" means tech companies building chatbots. It doesn't. If your screening software uses algorithmic scoring, automated recommendations, or any form of machine learning to evaluate tenant applications, you're a deployer. The law doesn't care that you didn't build the algorithm. You chose to use it. That makes the documentation your problem.

I've spent years watching compliance obligations pile up in property management. Habitability documentation standards that courts now enforce aggressively. Evidentiary standards for maintenance records that keep tightening. The Colorado AI Act is different. It's the first time a state has told PMs: you need to document not just what you did, but how your software made its recommendations and what you did about it.

What Goes Into the Impact Assessment?

An impact assessment is a written evaluation of how your AI system affects the people it makes decisions about. Colorado requires your first one before you deploy, or by June 30 for existing deployments. Then annually. And within 90 days of any material change to the system.

This isn't a checkbox. The assessment has to cover the purpose of the AI system, how it was evaluated for potential bias, what data it uses, what outputs it generates, and how those outputs factor into your actual decisions. If you're using a screening tool that scores applicants on creditworthiness, criminal history, rental history, or income verification, every one of those scoring dimensions needs to be addressed in writing.

The part that trips up most PMs is "material change." Your software vendor pushes an algorithm update? Material change. They add a new data source to their scoring model? Material change. They adjust how they weight criminal history after a regulatory update? Material change. Each one triggers a new assessment within 90 days.

I had a contractor's liability policy lapse once, and nobody noticed for three months. During that window, his crew damaged a tenant's car in the parking lot. We were staring at a potential $200K claim before our own policy covered it. Compliance gaps work the same way. They sit there quietly until enforcement shows up and asks for the file you don't have.

What Your Impact Assessment Must Include

Your assessment needs to cover these elements for each AI system you deploy:

• The system's purpose and intended use in your screening or leasing workflow

• What data inputs the system uses and where that data comes from

• How the system was tested or evaluated for algorithmic discrimination before you adopted it

• Known limitations and what categories of applicants could be disproportionately affected

• A description of how you monitor the system's outputs for bias or errors over time

• The date of your last assessment and what triggered it

Don't write this in legalese. Write it the way you'd explain your screening process to a housing authority investigator who's sitting across from you. Clear, specific, tied to your actual workflow. If you can't explain what the tool does in plain language? That's a bigger problem than the documentation.

What Does the Risk Management Policy Need to Cover?

A risk management policy is a written framework describing how you identify, monitor, and mitigate risks created by your AI systems. SB 24-205 requires this policy to align with the NIST AI Risk Management Framework or ISO 42001.

That sounds intimidating, but "align with" doesn't mean "certify under." You don't need an ISO audit or a NIST certification. You need a written policy that addresses the same risk categories those frameworks cover. For a PM, that breaks down into four things you put on paper:

Governance. Who in your organization is responsible for AI compliance? If it's you, say so. Document who decided to adopt the screening tool, who reviews its outputs, who handles complaints from denied applicants. One page is enough if it's specific.

Use case mapping. List every AI-powered tool you use that touches tenant decisions. Screening software. Automated pricing tools. Chatbots that pre-qualify applicants. If it uses algorithmic logic and affects whether someone gets housing, it's in scope.

Performance monitoring. How do you know the tool is working correctly? Do you review denial rates quarterly? Do you compare the tool's recommendations against your actual decisions? After we started tracking first-visit resolution rates for our vendors, we dropped average job completion from 4.2 days to 1.8. Turned out two of our five regulars were dragging every job to a second visit. Same principle here. You don't know what's broken until you measure it and write down what you found.

Mitigation procedures. When you spot a problem (denial patterns that skew against a protected class, an error in how income is calculated, a data source that's unreliable), what do you do? Document your response plan. "We review quarterly and escalate to our attorney" is fine. "We haven't thought about it" isn't.

Consumer Disclosures: The Per-Applicant Record That Catches Most PMs

Consumer disclosure documentation is the set of records proving you notified a tenant applicant that AI influenced an adverse decision and gave them the information needed to contest it. You must maintain these records for every denial, conditional approval, or other adverse action where AI was a substantial factor.

This is where the exposure stacks up. You're already supposed to follow FCRA adverse action requirements: pre-adverse notice, waiting period, final adverse notice. Colorado layers an additional disclosure on top. You must tell the applicant that AI was a substantial factor, describe the type of AI system used, and explain how to contest the decision or request a human review.

Your documentation per adverse action needs:

• A copy of the disclosure you provided to the applicant

• The date and method of delivery

• The applicant's response, including any request for human review

• If human review was requested, who conducted it and what the outcome was

• The AI system's output or recommendation for that specific applicant

Getting three quotes when you know who you're going to use anyway feels pointless. But the documentation matters for the owner. Same logic here. The disclosure feels like overhead until someone challenges a denial two years later and your file either has the records or it doesn't.

Building the Compliance File: What Goes Where

Your Colorado AI Act compliance file should live in three sections. You should be able to hand the whole thing to the AG's office within 72 hours of a request.

Section 1: System inventory and impact assessments. One sub-folder per AI tool. Each contains the current impact assessment, all prior versions with dates, and the vendor's technical documentation about how the system works. If your vendor won't give you documentation about their algorithm's decision factors, that's a red flag. And it's your liability, not theirs.

Section 2: Risk management policy. One document, version-controlled with dates. Governance structure, use case map, monitoring procedures, mitigation plan. Updated annually at minimum.

Section 3: Adverse action disclosure log. One entry per adverse decision. Date, applicant identifier, AI system used, disclosure delivered, human review requested, outcome. This is the section that gets pulled first in an investigation, so keep it clean.

The business records doctrine applies here. Ad-hoc notes in a spreadsheet won't hold up. Your records need to be systematic, created in the ordinary course of business, and maintained by someone with knowledge of the process. That's the standard courts and regulators use to decide whether your documentation counts.

What If I'm Using a Vendor's Tool — Isn't This Their Problem?

No. SB 24-205 distinguishes between "developers" (who build the AI) and "deployers" (who use it). Both have obligations. Your vendor has to provide you with technical documentation about their system. You have to use that documentation to complete your impact assessment, build your risk management policy, and deliver disclosures to applicants.

If your vendor hasn't contacted you about SB 24-205 compliance support, call them this week. Ask for their algorithmic impact disclosure, their bias testing results, and their data source documentation. If they can't provide it, you've got a decision to make about whether you can keep using their tool and stay compliant. That conversation is uncomfortable. The one with the AG's office is worse.

The June 30 Deadline: What Noncompliance Costs

Colorado's Attorney General can investigate complaints and impose penalties under the Consumer Protection Act — up to $20,000 per violation. Each denied applicant without proper documentation could be a separate violation. If you're screening 15 applicants per month across a Colorado portfolio, the math gets ugly fast.

But the bigger risk is the private right of action. Denied applicants can sue directly. Their attorneys will request your impact assessment, your risk management policy, and your disclosure records. If you can't produce them, you've lost before the hearing starts. I've watched the same pattern play out with just cause eviction documentation. The PM who shows up without a documented chain loses the case regardless of the merits.

You've got about eight weeks. Same logic as building an audit file before the auditor arrives. That's enough to build it if you start now. Not enough if you wait until June.