What is an AI Impact Assessment?

Definition

An AI impact assessment is a structured review of how an automated system affects people. It records what data the system uses, what decisions it influences, what could go wrong, and what the company does to lower risk. Several state laws expect a written assessment before or during use of higher-risk AI in consequential decisions.

See also our AI compliance glossary for short definitions of common terms.

Which regulations require this

• Colorado AI Act (SB 24-205)

  Requires developers and deployers of high-risk AI systems to use reasonable care to protect consumers from algorithmi...

  COAI-specificHighUpcoming
• CCPA/CPRA Automated Decision-Making Technology Regulations

  Grants California consumers the right to opt out of automated decision-making, request access to information about al...

  CAPrivacy ADMHighIn effect
• Colorado Privacy Act - Profiling & ADM Provisions

  Grants Colorado consumers the right to opt out of profiling in furtherance of automated decisions that produce legal...

  COPrivacy ADMHighIn effect
• Connecticut SB 1103 - Automated Employment Decision Tools

  Requires employers using automated decision tools in employment to conduct impact assessments, provide notices, and a...

  CTAI-specificMediumIn effect
• EEOC Guidance on AI in Employment Selection

  EEOC guidance clarifying that Title VII and ADA apply to employer use of algorithmic decision-making and AI in hiring...

  FEDERALFederalMediumIn effect
• Maryland Online Data Privacy Act - ADM and profiling provisions

  Maryland's privacy law requires controllers to handle profiling and automated decision-making with stronger consumer...

  MDPrivacy ADMMediumIn effect
• New York Responsible AI Safety and Education Act (RAISE Act, A 9449)

  Requires developers of frontier AI models operating in New York to implement safety protocols, conduct impact assessm...

  NYAI-specificMediumUpcoming
• Connecticut Public Act 25-113 (SB 1295) - CTDPA and profiling amendments

  Amends the Connecticut Data Privacy Act and related law. Expands applicability, strengthens minors and online safety...

  CTPrivacy ADMMediumIn effect
• Virginia Consumer Data Protection Act - Profiling Provisions

  Grants Virginia consumers the right to opt out of profiling in furtherance of decisions that produce legal or signifi...

  VAPrivacy ADMMediumIn effect
• Nebraska Data Privacy Act - ADM and profiling provisions

  Nebraska requires consumer opt-out rights and risk assessments for qualifying profiling and automated decisions with...

  NEPrivacy ADMMediumIn effect
• NIST AI Risk Management Framework (AI RMF 1.0)

  NIST AI RMF is a voluntary framework used as a practical benchmark by regulators and lawmakers. Following it can supp...

  FEDERALFederalLowIn effect

Which states reference this obligation

What you should do next

• Inventory the system, owners, and data sources tied to the automated decision.
• Document who is affected, which outcomes matter, and known limits of the model or rules.
• Compare against applicable protected classes and fairness expectations in each state you touch.
• Keep the assessment updated when the model, data, or use case changes in a meaningful way.
• Line up retention and access rules so you can show regulators or counsel the file on request.