Algorithmic impact assessment for consequential decisions
ai-impact-assessment
Domain: ai-transparency
Type: process
Description
The Algorithmic Impact Assessment is the AI compliance world's awkward cousin to the GDPR Data Protection Impact Assessment, and the family resemblance is more than cosmetic. GDPR Article 35 established the template a decade ago: when a processing activity poses high risk to data subjects, the controller documents the operation, identifies the risks, names the mitigations, and consults the supervisory authority if residual risk remains high. The Colorado AI Act and EU AI Act Article 27 have built on that template for consequential automated decisions, with a few characteristic additions: a description of the system's intended use, the categories of personal data the system processes, the foreseeable impacts on fundamental rights or protected classes, and a documented mitigation plan with named owners. The pattern of regulators copying the DPIA shape rather than inventing a new instrument is itself revealing about how AI law is going to evolve; the AIA is essentially the DPIA with a model-specific data sheet stapled to it.

A working AIA program has four operational layers. The intake layer triages which deployed AI systems cross the threshold that triggers the assessment requirement: high-risk systems under Annex III of the EU AI Act; consequential decisions in the seven Colorado covered domains (employment, housing, lending, insurance, healthcare, educational opportunities, essential government services) under SB 26-189; and decisions producing legal or similarly significant effects under GDPR Article 22. The assessment layer is the document itself: system purpose and intended use, training-data sources and categories, foreseeable risks to fundamental rights, mitigation measures, residual risk, and a re-assessment cadence. The notification layer is the consumer-facing disclosure that an automated decision occurred and the appeal route the consumer can invoke; this is where the Colorado AI Act diverges most sharply from GDPR, because the consumer notice is a per-decision artifact rather than a privacy-policy paragraph. The maintenance layer is the calendar: AIAs require re-assessment on schedule and after any material modification to the system, with the prior assessment preserved as an audit artifact rather than overwritten in place.

The thresholds and timelines are concrete. Colorado AI Act SB 26-189 (repealing and replacing SB 24-205 in May 2026; effective 2027-01-01) substantially NARROWED the original framework: the mandatory pre-deployment and annual impact-assessment obligation from SB 24-205 was ELIMINATED. SB 26-189 retains a narrower notice-and-disclosure regime for ADMT used in seven covered domains. Operators that built impact-assessment infrastructure for SB 24-205 should repurpose it as evidence under EU AI Act Article 27 or Connecticut SB 1103-modeled state regimes rather than under the now-narrowed Colorado framework. EU AI Act Article 27 requires bodies governed by public law and private operators providing public services to conduct a fundamental-rights impact assessment before deploying a high-risk AI system, with high-risk-system obligations applicable 2026-08-02. GDPR Article 35 has been in force since 2018-05-25 and remains the operative instrument when the AI system processes personal data, with the EDPB Guidelines 1/2024 confirming that AIAs and DPIAs can be combined into a single document where the scopes overlap. California AB 2013 layers a training-data documentation obligation that flows into the AIA's assessment layer, effective 2026-01-01 for generative AI systems made available to Californians.

The genuinely uncertain piece is how the three regimes will treat each other's assessments. EDPB guidance suggests a combined DPIA and AIA is acceptable; Colorado's implementing regulations are still being drafted as of 2026-05; the EU AI Act's fundamental-rights impact assessment is a distinct instrument from its conformity assessment, and the relationship between the two is not fully settled. Operators running consequential AI across all three jurisdictions are producing assessments in parallel and reconciling them at the document layer rather than waiting for the regimes to harmonize, on the assumption that a thorough Colorado AIA is easier to reformat for the EU than to rebuild from a thin GDPR DPIA.
Applicability
Applies when: features include automated-decisions.
Required by (6 regulations)
- Colorado AI Act
SB 26-189 narrowed Colorado AI Act scope substantially: the mandatory pre-deployment impact assessment + duty-of-reasonable-care obligations from SB 24-205 were ELIMINATED. SB 26-189 retains a narrower notice-and-disclosure regime for automated decision-making technology (ADMT) used in seven covered domains (employment, housing, lending, insurance, healthcare, educational opportunities, essential government services). Operators that built impact-assessment infrastructure should now repurpose it as evidence for the narrower SB 26-189 disclosure obligations rather than as the operational mandate it was under SB 24-205.
Colorado AI Act (SB 26-189, repealing and replacing SB 24-205); effective 2027-01-01; codification sections pending Governor signature and AG rulemaking
- EU AI Act
Article 27 requires bodies governed by public law and private operators providing public services to conduct a fundamental-rights impact assessment before deploying a high-risk AI system. The assessment covers the deployment context, categories of natural persons affected, specific risks of harm, human-oversight measures, and measures to be taken if the risks materialize. The deployer notifies the national market-surveillance authority of the assessment results.
Regulation (EU) 2024/1689 of the European Parliament and of the Council (AI Act); high-risk-system obligations applicable 2026-08-02
- GDPR
Article 35 requires controllers to conduct a Data Protection Impact Assessment where processing is likely to result in a high risk to the rights and freedoms of natural persons, including systematic and extensive evaluation based on automated processing that produces legal or similarly significant effects. The DPIA documents processing purposes, necessity and proportionality, risks to data subjects, and mitigating safeguards. EDPB Guidelines 1/2024 allow combination of a DPIA and AI impact assessment into a single document where scope overlaps.
Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation); in force 2018-05-25
- California AB 2013
Developers of generative AI systems made available to Californians must post documentation describing the data used to train the system, including data sources, categories of data, whether the data included personal information, copyrighted material, and information generated by the system itself. The documentation feeds the data-sources section of any AIA covering downstream use of the model.
California AB 2013 (generative AI training-data transparency); effective 2026-01-01 for systems made available to Californians
- California SB 53
California SB 53's frontier-model transparency and safety-framework obligations align with a documented AI risk and impact assessment.
California SB 53 (2025), codified at Cal. Bus. & Prof. Code §§22757.10 et seq.
- Connecticut PA 23-16
Connecticut's AI provisions contemplate impact assessment of consequential automated decision systems.
Connecticut Public Act 23-16 (2023 Session); An Act Concerning Artificial Intelligence, Automated Decision-Making and Personal Data Privacy. Originally introduced as Senate Bill 1103. Signed by Governor Ned Lamont 2023-06-07.
Evidence formats
- completed AIA document per deployed high-risk system covering purpose, data sources, risks, and mitigations
- consumer-notification copy delivered before a regulated automated decision
- AIA review SOP with intake triage, assessment template, sign-off chain, and re-assessment cadence
- impact-assessment calendar showing per-system review dates and material-change triggers
- consumer-appeal log linking each appeal to the AIA assessment of the underlying system
- training-data documentation referenced by the assessment (data sources, categories, protected-attribute handling)