What Is the FAIIR Framework? AI Compliance for Colorado Businesses

FAIIR stands for Fairness, Accountability, Impact assessment, Informed consent, and Risk management. It is the compliance framework we built at Available Law to help Colorado businesses meet — and go past — the requirements of the new Colorado AI Act (SB 26-189), without drowning in legalese or six-figure consulting engagements.

SB 26-189 creates obligations for businesses that deploy covered ADMT— automated decision-making technology that materially influences a consequential decision about a consumer. The statute tells you what to disclose, when to send notices, and how to handle adverse outcomes — but it leaves the operational details (who reviews what, what to document, how to monitor for disparate impact) to the deployer. FAIIR fills that gap and adds best-practice pillars the statute doesn't require but that any well-run business should have anyway.

The five pillars

F — Fairness

Fairness is the foundation. SB 26-189 dropped the prior law's algorithmic-discrimination duty of care, but it expressly preserved liability under state anti-discrimination laws for outcomes materially influenced by ADMT — and made indemnity for the deployer's own discriminatory conduct unenforceable. FAIIR operationalizes fairness with a structured disparate-impact review: we identify the decision categories your AI touches, map the protected classes at risk, and test for differential outcomes using the data you actually have. The output is a documented fairness analysis that gives you a real defense, not a vague promise that your vendor “tested for bias.”

A — Accountability

Accountability means someone in your organization owns AI compliance — and can prove it. FAIIR establishes a clear chain of responsibility: who approved the covered ADMT, who monitors its performance, who reviews consumer complaints, who conducts the meaningful human review of adverse outcomes, and who has authority to shut a system down. Even though SB 26-189 doesn't mandate a formal accountability program, having one is how you survive a 60-day AG cure notice without scrambling.

I — Impact assessment

Before you deploy (or continue deploying) covered ADMT, you need to understand the impact it has on consumers. FAIIR walks you through a structured assessment that documents the purpose of the system, the categories of decisions it influences, the data it ingests, the populations it affects, and the potential for harm. SB 26-189 did away with the mandatory annual impact assessment of the prior law — but the document itself remains the single most useful artifact you can produce when a regulator or plaintiff comes asking how your AI works.

I — Informed consent

SB 26-189 makes this pillar concrete. Deployers must post a clear and conspicuous pre-use notice that covered ADMT is in use and send a 30-day adverse-outcome notice in plain language when ADMT contributes to a denial or unfavorable decision. FAIIR delivers templates calibrated to your actual systems — the consumer-facing language has to track what your ADMT does and what inputs it relies on. Generic privacy policy language is not sufficient, and the AG will know the difference.

R — Risk management

Risk management ties everything together. FAIIR produces a documented risk management program that covers ongoing monitoring, complaint handling, employee orientation, vendor oversight, and periodic re-assessment. SB 26-189 doesn't require a formal risk-management program — but it does require three years of records and a meaningful human-review process, which together functionally demand one. This is not a static document — it is a living program that evolves as your AI usage changes and regulatory expectations sharpen.

How the FAIIR process works

1. Discovery call — We learn about your business, your AI systems, and your current compliance posture. This is free and takes about 30 minutes. You can book one here.
2. Readiness assessment — We audit your ADMT inventory, vendor documentation, consumer notices, human-review process, and records against each of the five FAIIR pillars. You get a scored report that tells you exactly where you stand and what needs to change.
3. Remediation plan — We build a prioritized action plan: what to fix now, what to fix next quarter, and what can wait. Every item maps to a specific SB 26-189 duty or a best-practice pillar so you can see why it matters.
4. Implementation support — We help you execute. That might mean drafting pre-use and adverse-outcome notices, negotiating vendor contract amendments to secure developer documentation, building human-review workflows, or writing internal governance policies. We do the legal work; you focus on running your business.
5. Ongoing membership — After the initial assessment, our FAIIR Compliance Membership keeps you current with quarterly notice and process reviews, regulatory update briefings, on-call attorney Q&A, and refreshed risk documentation.

Who needs FAIIR?

Not every business needs a full compliance program. SB 26-189 targets covered ADMT — technology that materially influences consequential decisions in education, employment, housing, lending, insurance, healthcare, or government services. If your AI usage is limited to internal productivity tools (scheduling, spell-check, code completion), you are likely outside the scope.

You probably need FAIIR if your business:

• Uses AI to screen job applicants, evaluate employees, or make hiring recommendations
• Uses AI to assess creditworthiness, set insurance rates, or approve loans
• Uses AI to determine eligibility for housing, education, or government services
• Deploys consumer-facing AI that provides personalized recommendations with material consequences
• Contracts with AI vendors whose tools make decisions about your customers

Not sure whether your AI systems qualify as covered ADMT? Our free Colorado AI Act Checker walks you through a quick self-assessment.

FAIIR vs. other frameworks

You may have seen references to the NIST AI Risk Management Framework, the EU AI Act, or ISO 42001. Those are valuable standards — and they are designed for multinational enterprises with dedicated compliance teams. FAIIR is different because it is:

• Colorado-specific — mapped directly to the statutory language of SB 26-189, not generalized across fifty jurisdictions
• Built for small and mid-size businesses — the companies most affected by the Act and least likely to have in-house AI counsel
• Attorney-delivered — every assessment is conducted by a licensed Colorado attorney, not a software tool or a compliance vendor selling certifications
• Actionable — the output is a remediation plan you can execute, not a 200-page risk register you file and forget

Get started

SB 26-189 takes effect January 1, 2027, and enforcement discretion runs out fast: the AG's 60-day cure window sunsets entirely on January 1, 2030. If your business deploys covered ADMT, the cost of compliance now is a fraction of the cost of an enforcement action later. Start with a free FAIIR discovery call or explore the full FAIIR Compliance Membership.