AI Policy Defined: Deployers & High-Risk Systems

Key Takeaways

• Most state AI laws draw a clear line between developers who build AI systems and deployers who use them. Under Colorado's law, any business using a high-risk AI system to make consequential decisions — think loan approvals, hiring, or tenant screening — can qualify as a deployer with real compliance obligations.

• The definition of "high-risk" varies by state, but most proposals follow Colorado's lead in focusing on AI systems that serve as a substantial factor in consequential decisions affecting consumers in areas like housing, employment, health care, and financial services.

• States are also experimenting with regulating other actors in the AI supply chain. Some proposals have introduced categories like "integrators" and "distributors" to capture companies that embed or resell AI tools, though these classifications haven't yet made it into enacted law.

• Nearly all state bills now rely on the OECD's definition of artificial intelligence as their baseline, making it the de facto standard across the country. That said, some states have tested their own language, which can meaningfully shift which systems fall under regulation.

• Outside of Colorado, no state has enacted a broad high-risk AI framework into law, and even Colorado's law is still being revised before it takes effect. How states define deployers, high-risk systems, and consequential decisions will be worth watching closely as new proposals emerge.

• If you're a subscriber, click here for the full edition of this update. Or, click here to learn more about our MultiState.ai+ subscription.

Artificial intelligence regulation is beginning to take shape in the states, but with different approaches. California's first-in-the-nation AI safety law targets the largest developers, requiring transparency and safety reporting for so-called "frontier models." Colorado's law, which is set to take effect in June 2026, instead focuses on "high-risk" systems and creates obligations for both the developers who build them and the deployers who use them to make "consequential decisions." Additional laws more narrowly focus on specific use cases of deployer use of AI. What these and other efforts have in common is that they hinge on how lawmakers define the scope of regulation.

This week, we'll begin a multi-part series examining how enacted laws define important terms in AI policy. This first article will focus on the "deployers" and "integrators" of artificial intelligence models. Next week, we will focus on definitions relating to model-developer regulation.

For companies adopting AI tools, one of the most important questions under recent state laws is whether they count as a "deployer" of artificial intelligence. Colorado's law (CO SB 205) doesn't just regulate model developers; it imposes obligations on businesses that use AI systems in ways that can materially affect people's lives. That means a bank using an algorithm to screen loan applicants, an HR platform reviewing resumes, or even a landlord applying automated tenant scoring could all fall within the scope of a "deployer" under these laws.

Defining AI Deployers, Integrators, and Distributors

States generally define "deployers" as those who use — rather than develop — an artificial intelligence system. For example, the Colorado law defines "deployer" simply as "a person doing business in this state that deploys a high-risk artificial intelligence system" and defines "deploys" as "to use a high-risk artificial intelligence system." While this definition is straightforward, it's also very broad.

Some proposals have also explored regulating additional actors in the AI supply chain. An earlier version of the Virginia algorithmic discrimination legislation (VA HB 2094), which Gov. Glenn Youngkin (R) ultimately vetoed, included language defining and regulating "integrators" of AI systems (although those particular provisions were removed before reaching the governor's desk). It would have imposed regulations on those who "integrate" an AI system into software and sell that software commercially, such as an HR-software company that embeds a third-party resume-scoring model into its applicant-tracking system.

While we've seen the integrator language spread to additional proposals, other lawmakers have tested the waters with new classifications that we haven't seen elsewhere quite yet. For instance, the original version of Texas Rep. Giovanni Capriglione's (R) TRAIGA legislation (TX HB 1709) would have regulated "distributors" as well, which were defined as those selling AI systems. We're still in the relatively early stages of AI regulation, and policymakers are still working with stakeholders to identify, differentiate, and define the important players in this emerging ecosystem.

How State Laws Define Artificial Intelligence Systems

Defining what "artificial intelligence" means is a fundamental question in regulating AI. In fact, we covered this very topic in only our second publication of MultiState.ai. Since those early days, state lawmakers have become more consistent with their definition of AI, typically leaning on the standard established by the Organisation for Economic Co-operation and Development (OECD) in its 2019 AI Principles, a definition that was later echoed by the National Institute of Standards and Technology (NIST) in its 2023 AI Risk Management Framework. Both describe artificial intelligence as "an engineered or machine-based system that can, for a given set of objectives, generate outputs such as predictions, recommendations, or decisions influencing real or virtual environments." This phrasing now appears nearly verbatim in most state bills, including the Colorado law, making it the de facto national baseline.

However, state lawmakers will occasionally stray from this definition. For example, a Georgia bill (GA SB 167) defined AI as a system that "emulates the capability of a person to receive audio, visual, text, or any other form of information and use the information received to emulate a human cognitive process."

High-Risk AI Systems Under State Regulation

The Colorado law, and many proposals such as bills in Connecticut (CT SB 2) and Virginia, seek to regulate a "high-risk" artificial intelligence system, defined as one that is a substantial factor in making a consequential decision affecting a consumer. A bill in Maryland (MD SB 936) would also include systems that are "specifically intended to autonomously make" a consequential decision. A Massachusetts bill (MA HB 94) would use a lower threshold, requiring only that the system "materially influence" — rather than be a substantial factor in — consequential decisions.

An Oklahoma proposal (OK HB 1916) takes a different approach, establishing four risk tiers modeled loosely on the European Union's AI Act: "unacceptable risk" systems that are "incompatible with social values and fundamental rights" (and therefore prohibited); "high-risk" systems with "significant potential to impact safety, civil liberties, or fundamental rights"; "limited-risk" systems posing moderate risks such as manipulation or deceit; and "minimal-risk" systems presenting little or no user risk.

AI System Exemptions Across State Proposals

Definitions also typically explicitly exclude systems not intended to be regulated. Colorado's law articulated a list of exempted systems, which has become a template for other state policymakers to use. The exemptions include anti-fraud technology that does not use facial recognition, anti-malware and anti-virus software, firewalls, spam or robocall filters, calculators, databases, data storage, networking, data-caching, hosting, domain registration, spell-checking, spreadsheets, website loading, and customer chat interfaces, subject to acceptable-use policies. It also excludes technologies that perform narrow procedural tasks or detect patterns.

Connecticut's 2025 proposal copied most of Colorado's exempted list but went further by explicitly exempting internal business systems, such as those used for ordering office supplies or processing payments. Other technologies explicitly exempt from regulation in various bills include autonomous vehicles (MD SB 936 and VA HB 2094), search engines (IA HSB 2094), auto-correct functions and electronic communications (NY A 8884), and "operational technology" (TX HB 1709).

Understanding Substantial Factors and Consequential Decisions

What Qualifies as a Substantial Factor in AI Decision-Making

Many state proposals designate a system as "high-risk" when it makes a consequential decision or serves as a substantial factor in that decision. Colorado defines a "substantial factor" as one that (1) is generated by an AI system, (2) assists in making a consequential decision, and (3) is capable of altering the outcome. Maryland's proposal was narrower, requiring that the factor be the "principal basis" for the decision, a significantly higher threshold than Colorado. Some bills, like the ones proposed in Connecticut and Rhode Island (RI SB 627), will also exclude those decisions that have had an opportunity for some sort of human oversight.

Categories of Consequential Decisions in State AI Laws

Not every AI system that influences a decision will trigger regulation under these broad algorithmic discrimination bills. Rather, states would determine the threshold by specifying which categories of decisions count as consequential. The Colorado law defines a consequential decision as one that has a material legal effect or a similarly significant effect on the provision or denial to a consumer, or the cost or terms of:

- Education; - Employment; - Financial or lending services; - Essential government services; - Health care services; - Housing; - Insurance; or - Legal services

This is already a very broad list of industries that would encompass much of the economy, yet several proposals would have gone further. The bills in Maryland and Virginia would also have included decisions related to incarceration, such as parole, pardon, and probation decisions, as well as those affecting marital status. A Texas bill (TX HB 1709) would have also included decisions affecting transportation services, residential utility services, or "constitutionally protected services or products." The introduced version of the proposed Connecticut bill would have also applied to "any automated task allocation that limits, segregates or classifies employees" as well as education decisions that include plagiarism detection, accreditations, certifications, and assessments.

The Future of AI Deployer Regulation

Ultimately, these definitions are critical because they determine the true scope of AI regulation and who must comply under certain obligations. Small drafting differences can meaningfully broaden or narrow the reach of a law, shifting whole categories of tools into or out of the "high-risk" bucket. As states take up new proposals next year, these threshold choices will be essential to watch.

However, outside of the Colorado law, these proposals broadly attempting to regulate "high-risk" AI systems did not catch on, and no states enacted them into law this year. The Colorado law itself has yet to go into effect, and lawmakers further delayed the law's effective date (CO SB 4) as they negotiate significant changes, which we expect will remove its most onerous provisions on deployers and replace them with heightened transparency requirements. Nonetheless, we don't expect these concepts to disappear; instead, they'll likely reappear in novel forms as policymakers attempt to solve the same issues with new solutions.

If you're a subscriber, click here for the full edition of this update. Or, click here to learn more about our MultiState.ai+ subscription.