AI Legal
What Is the FAIIR Framework? AI Compliance for Colorado Businesses
Zachariah Crabill, JD
•April 11, 2026 (Updated June 10, 2026)
FAIIR is the Foundation for AI Integrity & Regulation — five pillars (Fitness for Purpose, Accountability, Integrity of Data, Informed Use, Risk Management) built to help Colorado businesses meet the Colorado AI Act and the wider AI-regulation patchwork.
FAIIR is the Foundation for AI Integrity & Regulation — the compliance framework we built at Available Law around five pillars: Fitness for Purpose, Accountability, Integrity of Data, Informed Use, and Risk Management. It exists to help Colorado businesses meet — and go past — the requirements of the new Colorado AI Act (SB 26-189), without drowning in legalese or six-figure consulting engagements.
SB 26-189 creates obligations for businesses that deploy covered ADMT— automated decision-making technology that materially influences a consequential decision about a consumer. The statute tells you what to disclose, when to send notices, and how to handle adverse outcomes — but it leaves the operational details (who reviews what, what to document, how to monitor for disparate impact) to the deployer. FAIIR fills that gap and adds best-practice pillars the statute doesn't require but that any well-run business should have anyway.
The five pillars
F — Fitness for Purpose
Most AI liability does not come from exotic failures. It comes from deploying a general-purpose model in a domain where it was never validated — a chatbot acting as a customer-service policy, a language model acting as a screener of real people. Fitness for Purpose asks you to prove you thought about the match between the tool and the job, and to test it. That includes bias: SB 26-189 dropped the prior law's algorithmic-discrimination duty of care, but it expressly preserved liability under state anti-discrimination laws for outcomes materially influenced by ADMT — and made indemnity for the deployer's own discriminatory conduct unenforceable. FAIIR operationalizes this pillar with a structured fitness and disparate-impact review: we identify the decision categories your AI touches, map the protected classes at risk, and test for differential outcomes using the data you actually have. The output is a documented analysis that gives you a real defense, not a vague promise that your vendor “tested for bias.”
A — Accountability
Accountability means someone in your organization owns AI compliance — and can prove it. FAIIR establishes a clear chain of responsibility: who approved the covered ADMT, who monitors its performance, who reviews consumer complaints, who conducts the meaningful human review of adverse outcomes, and who has authority to shut a system down. Even though SB 26-189 doesn't mandate a formal accountability program, having one is how you survive a 60-day AG cure notice without scrambling.
I — Integrity of Data
This is the pillar most small businesses fail on — because most of their employees are pasting customer data, internal documents, and trade secrets into free AI tools every day without anyone tracking it. Integrity of Data is about knowing your data perimeter and enforcing it: which systems see what data, which vendors can train on it (and whether you opted out), and where personal data flows when an ADMT makes a decision. SB 26-189 gives consumers the right to access and correct the personal data a covered ADMT relied on — a right you cannot honor if you do not know where that data lives.
I — Informed Use
Most AI liability cases turn on a surprised person — a customer surprised the chatbot was AI, an applicant surprised an algorithm screened them. Informed Use is the pillar that prevents surprise, and SB 26-189 makes it concrete. Deployers must post a clear and conspicuous pre-use notice that covered ADMT is in use and send a 30-day adverse-outcome notice in plain language when ADMT contributes to a denial or unfavorable decision. FAIIR delivers templates calibrated to your actual systems — the consumer-facing language has to track what your ADMT does and what inputs it relies on. Generic privacy policy language is not sufficient, and the AG will know the difference.
R — Risk Management
Risk Management is the audit-trail pillar — it converts “we're being careful” into “here is the evidence we were being careful.” FAIIR produces a documented risk management program that covers ongoing monitoring, complaint handling, employee orientation, vendor oversight, periodic re-assessment, and written system reviews for each covered ADMT. SB 26-189 did away with the prior law's mandatory annual impact assessments and doesn't require a formal risk-management program — but it does require three years of records and a meaningful human-review process, which together functionally demand one. This is not a static document — it is a living program that evolves as your AI usage changes and regulatory expectations sharpen.
How the FAIIR process works
- Discovery call — We learn about your business, your AI systems, and your current compliance posture. This is free and takes about 30 minutes. You can book one here.
- Readiness assessment — We audit your ADMT inventory, vendor documentation, consumer notices, human-review process, and records against each of the five FAIIR pillars. You get a scored report that tells you exactly where you stand and what needs to change.
- Remediation plan — We build a prioritized action plan: what to fix now, what to fix next quarter, and what can wait. Every item maps to a specific SB 26-189 duty or a best-practice pillar so you can see why it matters.
- Implementation support — We help you execute. That might mean drafting pre-use and adverse-outcome notices, negotiating vendor contract amendments to secure developer documentation, building human-review workflows, or writing internal governance policies. We do the legal work; you focus on running your business.
- Ongoing membership — After the initial assessment, our FAIIR Compliance Membership keeps you current with quarterly notice and process reviews, regulatory update briefings, on-call attorney Q&A, and refreshed risk documentation.
Who needs FAIIR?
Not every business needs a full compliance program. SB 26-189 targets covered ADMT — technology that materially influences consequential decisions in education, employment, housing, lending, insurance, healthcare, or government services. If your AI usage is limited to internal productivity tools (scheduling, spell-check, code completion), you are likely outside the scope.
You probably need FAIIR if your business:
- Uses AI to screen job applicants, evaluate employees, or make hiring recommendations
- Uses AI to assess creditworthiness, set insurance rates, or approve loans
- Uses AI to determine eligibility for housing, education, or government services
- Deploys consumer-facing AI that provides personalized recommendations with material consequences
- Contracts with AI vendors whose tools make decisions about your customers
Not sure whether your AI systems qualify as covered ADMT? Our free Colorado AI Act Checker walks you through a quick self-assessment.
FAIIR vs. other frameworks
You may have seen references to the NIST AI Risk Management Framework, the EU AI Act, or ISO 42001. Those are valuable standards — and they are designed for multinational enterprises with dedicated compliance teams. FAIIR is different because it is:
- Colorado-specific — mapped directly to the statutory language of SB 26-189, not generalized across fifty jurisdictions
- Built for small and mid-size businesses — the companies most affected by the Act and least likely to have in-house AI counsel
- Attorney-delivered — every assessment is conducted by a licensed Colorado attorney, not a software tool or a compliance vendor selling certifications
- Actionable — the output is a remediation plan you can execute, not a 200-page risk register you file and forget
Get started
SB 26-189 takes effect January 1, 2027, and enforcement discretion runs out fast: the AG's 60-day cure window sunsets entirely on January 1, 2030. If your business deploys covered ADMT, the cost of compliance now is a fraction of the cost of an enforcement action later. Start with a free FAIIR discovery call or explore the full FAIIR Compliance Membership.
Need AI Legal Guidance?
Get personalized advice on AI compliance, contracts, and risk management from Zachariah Crabill, JD.
Schedule a Consultation