| Internet-Draft | OMP Colorado AI Act Profile | April 2026 |
| Adebayo, et al. | Expires 7 October 2026 | |
This document defines a domain profile of the Operating Model Protocol (OMP) for high-risk AI systems subject to the Colorado Artificial Intelligence Act (SB 24-205, effective June 1, 2026), which requires deployers of high-risk AI systems in consequential decisions affecting Colorado consumers to implement risk management programmes, provide consumer disclosures, conduct impact assessments, and implement discrimination mitigation measures.
The profile -- designated ColoradoMark -- specifies how OMP's deterministic routing invariant, Watchtower enforcement framework, and three-layer cryptographic integrity architecture satisfy the Colorado AI Act's per-decision accountability obligations and align with the NIST AI RMF 1.0, providing a unified cross-sector accountability evidence architecture for the six Colorado AI Act consequential decision domains.
The OMP core specification is defined in the Operating Model Protocol Internet-Draft (draft-veridom-omp).
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on 7 October 2026.
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
This document specifies the ColoradoMark domain profile for OMP, covering high-risk AI systems under the Colorado Artificial Intelligence Act (SB 24-205) [CO-SB-24-205], which requires deployers of high-risk AI in consequential decisions to implement risk management programmes aligned with the NIST AI RMF 1.0 [NIST-AI-RMF]. The full specification is provided in the plain-text version of this Internet-Draft.
ColoradoMark addresses the six Colorado AI Act consequential decision domains, including employment (see also [I-D.veridom-omp-employ]), housing finance (see also [I-D.veridom-omp-fhfa]), healthcare (see also [I-D.veridom-omp-clinical]), and cross-jurisdiction EU AI Act obligations (see also [I-D.veridom-omp-euaia]). Audit Trace payloads are canonicalized per [RFC8785]. Audit Traces are timestamped per [RFC3161]. Sealed Audit Traces are verifiable using the OMP Reference Validator [OMP-OPEN-CORE]. The OMP specification is also archived at [ZENODO-OMP].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] [RFC8174].
The complete profile specification -- including all terminology, regulatory framework analysis, routing state definitions, Watchtower definitions, Audit Trace schema extensions, deployment category mappings, invariant definition, and security considerations -- is provided in the companion plain-text specification for this Internet-Draft. This XML rendition provides the structured metadata, references, and IANA considerations for the IETF Datatracker and xml2rfc processing pipeline.
Implementations of this profile MUST satisfy the two-property invariant specified in the plain-text companion document: (1) every consequential AI decision generates a sealed Audit Trace documenting the decision, human oversight applied, and applicable regulatory evidence fields; and (2) the Audit Trace is sealed with the three-layer integrity architecture defined in [I-D.veridom-omp] Section 7, so that any modification is detectable by any third party without access to the operator's infrastructure.
The security considerations of [I-D.veridom-omp] apply in full. Operators MUST implement appropriate access controls and data protection measures for Audit Trace storage, access, and disclosure consistent with applicable jurisdiction law.
This document has no IANA actions.