UK technology firms selling into the United States are used to navigating federal and state rules on data privacy. AI is adding another layer. The Colorado AI Act, which takes effect on 30 June 2026, is one of the first state-level AI laws with real teeth, and it is unlikely to be the last.
A 2026 regulatory preview from SearchCANS notes that the Colorado Act requires reasonable care when developers and deployers use AI for consequential automated decisions. That includes decisions about employment, housing, education, financial services, healthcare and insurance. The law also imposes disclosure, anti-discrimination and transparency obligations.
What the Colorado AI Act requires
The Act applies to developers of high-risk AI systems and to deployers that use those systems in Colorado. Key obligations include:
- Using reasonable care to avoid algorithmic discrimination.
- Providing clear notices to consumers when AI is used for consequential decisions.
- Conducting impact assessments for high-risk systems.
- Maintaining documentation and governance programmes.
- Reporting discovered discrimination to the Colorado Attorney General.
For UK vendors, the most important point is that liability can attach to both the developer of the AI system and the company that deploys it. Even if you are based in London, if your product makes or supports consequential decisions about Colorado residents, you may be in scope.
A broader state-level trend
Colorado is not alone. Several other US states are considering or passing AI-related legislation covering bias, transparency, deepfakes, automated employment decisions and consumer rights. Unlike the EU, the United States is not moving toward a single federal AI law in the near term. That means firms will face a patchwork of state requirements.
This creates two practical problems. First, it is hard to build a single compliance posture that satisfies every jurisdiction. Second, the rules are evolving quickly, so a product that is compliant today may not be compliant next year.
What UK vendors should do
If you sell or plan to sell AI-powered products in the US, three steps reduce risk.
Identify whether your system makes consequential decisions. Be honest about what the product does. A recommendation engine is different from a system that approves or rejects loan applications. The closer you are to a decision with legal or material consequences, the more likely you are to be in scope.
Build an AI risk assessment process. Document how the model was trained, tested and validated. Record the demographic groups you considered, the metrics you tracked, and the mitigation steps you took. This is the kind of evidence regulators and enterprise buyers will ask for.
Review customer contracts. Make sure your contracts allocate responsibility clearly. If a US customer deploys your system in a way that creates liability, you do not want to be left holding the entire risk because the contract was silent.
The bottom line
The Colorado AI Act is a sign of things to come. UK firms that treat US AI compliance as a 2027 problem may find themselves scrambling. Firms that address it now — with clear risk assessments, contracts and governance — will find it easier to sell to US enterprises and easier to defend their position if questions arise.