Navigating AI Laws: Unclear Definitions, High Stakes — What Leaders Need to Know Now

Colorado’s AI Act takes effect in February 2026. Here’s what leaders need to

know now, and how to prepare for a wave of state and global AI regulations. Watch the 6.5 min highlight reel from our recent webinar - "From Principles to Practice: How Leaders Govern AI in Banking and Lending" below.

Webinar Recap

In our recent webinar, "From Principles to Practice: How Leaders Govern AI in Banking and Lending", experts explored how organizations can prepare for rapidly emerging AI regulations. A central focus was the Colorado AI Act, which takes effect in February 2026 and introduces new obligations for companies with customers or employees in Colorado.

This portion of our discussion, led by Bart Layton (AI Guardian) with insights from Scott Weber (Upstart) and Brian Stucky (DecisionX/MISMO), revealed just how complex regulatory readiness is becoming.

Scott Weber: Undefined Terms in the Colorado AI Act

[00:06 – 03:35]
Scott Weber pointed out a core challenge: the Colorado AI Act leaves key terms undefined, including:

• Unlawful discrimination

• Consequential decision

• Significant factor

While the Act prohibits algorithmic discrimination, it doesn’t specify what constitutes unlawful discrimination or set thresholds for disparate impact. Federal agencies are also inconsistent—some question whether disparate impact is a viable legal theory, while states appear to assume it is.

Recommendation: Organizations should not wait for regulators to clarify. Instead, cross-functional leadership, legal counsel, and AI experts must agree internally on how to define these terms and determine whether their AI systems qualify as “significant factors” in consequential decisions.

Brian Stucky: Why AI Impact Assessments Matter

[03:35 – 05:14]
Brian Stucky emphasized that more regulations will require AI Impact Assessments—formal reviews to classify system risk. But their value extends beyond compliance:

• They help organizations identify and manage risk across their AI portfolio.

• They provide a framework for ongoing oversight and accountability.

Recommendation: Establish an AI Impact Assessment process now and refine it over time. Stucky suggests leveraging frameworks from the EU AI Act, the Colorado AI Act, and NIST/ISO standards to create consistency and credibility.

Bart Layton: Colorado and Beyond

[05:14 – 06:25]
Bart Layton reminded attendees that the Colorado AI Act takes effect in February 2026, but the law is already evolving. A special legislative session convened on August 21, 2025 to clarify definitions and obligations.

More importantly, Colorado is not alone:

• Dozens of states have AI laws in motion.

• Texas passed an AI regulatory measure this year, showing that regulation

is not confined to “blue states.”

• States including Massachusetts, Oregon, and New Jersey are issuing new guidance on how existing laws apply to AI and algorithmic discrimination.

Recommendation: Organizations must look beyond new bills. They should

monitor both new legislation and reinterpretations of existing laws—and

prepare for a patchwork of rules across the U.S.

Key Takeaways

1. Don’t wait for clarity. The Colorado AI Act leaves terms undefined—companies must set internal definitions.

2. Build processes early. AI Impact Assessments are becoming mandatory and are essential for managing risk.

3. Stay vigilant. Regulations are spreading rapidly across states, and existing laws are being reinterpreted for AI.

Final Word

Regulatory readiness can’t be left to chance. Firms that act now — defining terms,

documenting systems, and building assessment processes — will be better

positioned when compliance deadlines arrive.