Internet Engineering Task Force                               T. Adebayo
Internet-Draft                                                O. Apalowo
Intended status: Informational                             F. Makanjuola
Expires: 7 October 2026                                      Veridom Ltd
                                                            5 April 2026

OMP Domain Profile: Cross-Sector High-Risk AI Accountability Under the
Colorado Artificial Intelligence Act (SB 24-205) and Alignment with
NIST AI RMF 1.0
draft-veridom-omp-coloai-00

Abstract

This document defines a domain profile of the Operating Model Protocol (OMP) for high-risk AI systems subject to the Colorado Artificial Intelligence Act (SB 24-205, effective June 1, 2026), which requires deployers of high-risk AI systems in consequential decisions affecting Colorado consumers to implement risk management programmes, provide consumer disclosures, conduct impact assessments, and implement discrimination mitigation measures. The profile -- designated ColoradoMark -- specifies how OMP's deterministic routing invariant, Watchtower enforcement framework, and three-layer cryptographic integrity architecture satisfy the Colorado AI Act's per-decision accountability obligations and align with the NIST AI RMF 1.0, providing a unified cross-sector accountability evidence architecture for the six Colorado AI Act consequential decision domains. The OMP core specification is defined in the Operating Model Protocol Internet-Draft (draft-veridom-omp).

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 7 October 2026.

Copyright Notice

Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Table of Contents

1.  Introduction
2.  Profile Specification
3.  The Profile Invariant
4.  Security Considerations
5.  IANA Considerations
6.  References
  6.1.  Normative References
  6.2.  Informative References
Authors' Addresses

1.  Introduction

This document specifies the ColoradoMark domain profile for OMP, covering high-risk AI systems under the Colorado Artificial Intelligence Act (SB 24-205) [CO-SB-24-205], which requires deployers of high-risk AI in consequential decisions to implement risk management programmes aligned with the NIST AI RMF 1.0 [NIST-AI-RMF]. The full specification is provided in the plain-text version of this Internet-Draft.

ColoradoMark addresses the six Colorado AI Act consequential decision domains, including employment (see also [I-D.veridom-omp-employ]), housing finance (see also [I-D.veridom-omp-fhfa]), healthcare (see also [I-D.veridom-omp-clinical]), and cross-jurisdiction EU AI Act obligations (see also [I-D.veridom-omp-euaia]). Audit Trace payloads are canonicalized per [RFC8785].
Audit Traces are timestamped per [RFC3161]. Sealed Audit Traces are verifiable using the OMP Reference Validator [OMP-OPEN-CORE]. The OMP specification is also archived at [ZENODO-OMP].

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] [RFC8174].

2.  Profile Specification

The complete profile specification -- including all terminology, regulatory framework analysis, routing state definitions, Watchtower definitions, Audit Trace schema extensions, deployment category mappings, invariant definition, and security considerations -- is provided in the companion plain-text specification for this Internet-Draft. This XML rendition provides the structured metadata, references, and IANA considerations for the IETF Datatracker and xml2rfc processing pipeline.

3.  The Profile Invariant

Implementations of this profile MUST satisfy the two-property invariant specified in the plain-text companion document: (1) every consequential AI decision generates a sealed Audit Trace documenting the decision, human oversight applied, and applicable regulatory evidence fields; and (2) the Audit Trace is sealed with the three-layer integrity architecture defined in [I-D.veridom-omp] Section 7, detectable as modified by any third party without access to the operator's infrastructure.

4.  Security Considerations

The security considerations of [I-D.veridom-omp] apply in full. Operators MUST implement appropriate access controls and data protection measures for Audit Trace storage, access, and disclosure consistent with applicable jurisdiction law.

5.  IANA Considerations

This document has no IANA actions.

6.  References

6.1.  Normative References

[I-D.veridom-omp] Adebayo, T., Apalowo, O., and F.
Makanjuola, "Operating Model Protocol (OMP): A Deterministic Decision-Enforcement Protocol with Externalized Proof-of-Integrity", Work in Progress, Internet-Draft, draft-veridom-omp-00, March 2026.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC3161] Adams, C., Cain, P., Pinkas, D., and R. Zuccherato, "Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)", RFC 3161, August 2001.

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, May 2017.

[RFC8785] Rundgren, A., Jordan, B., and S. Erdtman, "JSON Canonicalization Scheme (JCS)", RFC 8785, June 2020.

6.2.  Informative References

[CO-SB-24-205] Colorado General Assembly, "Artificial Intelligence Act (SB 24-205)", 2026.

[I-D.veridom-omp-clinical] Adebayo, T., Apalowo, O., and F. Makanjuola, "OMP Domain Profile: Clinical AI Decision Accountability", Work in Progress, Internet-Draft, draft-veridom-omp-clinical-00, 2026.

[I-D.veridom-omp-employ] Adebayo, T., Apalowo, O., and F. Makanjuola, "OMP Domain Profile: Automated Decision Systems Accountability in Employment", Work in Progress, Internet-Draft, draft-veridom-omp-employ-00, 2026.

[I-D.veridom-omp-euaia] Adebayo, T., Apalowo, O., and F. Makanjuola, "OMP Domain Profile: EU AI Act Article 12 Logging and Traceability Requirements", Work in Progress, Internet-Draft, draft-veridom-omp-euaia-00, 2026.

[I-D.veridom-omp-fhfa] Adebayo, T., Apalowo, O., and F. Makanjuola, "OMP Domain Profile: AI Governance and Accountability Evidence for US Housing Finance Under FHFA Bulletin 2025-16", Work in Progress, Internet-Draft, draft-veridom-omp-fhfa-00, 2026.

[NIST-AI-RMF] National Institute of Standards and Technology, "Artificial Intelligence Risk Management Framework (AI RMF 1.0)", 2023.

[OMP-OPEN-CORE] Veridom Ltd, "OMP Open Core: Reference Validator and Schema Library", Apache 2.0, https://github.com/veridomltd/omp-open-core, 2026.

[ZENODO-OMP] Adebayo, T., Apalowo, O., and F. Makanjuola, "OMP -- Operating Model Protocol", Zenodo DOI 10.5281/zenodo.19140948, March 2026.

Authors' Addresses

Tolulope Adebayo
Veridom Ltd
London
United Kingdom
Email: tolulope@veridom.io

Oluropo Apalowo
Veridom Ltd
Awka
Nigeria
Email: ropo@veridom.io

Festus Makanjuola
Veridom Ltd
Toronto
Canada
Email: festus@veridom.io
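
Section 1 states that Audit Trace payloads are canonicalized per [RFC8785], and Section 3 requires a sealed Audit Trace to be "detectable as modified". The following is an added example, not part of this Internet-Draft or of the OMP Reference Validator, showing why canonicalization has to precede hashing: a re-serialized trace with identical content still verifies, while a single altered field does not. The Audit Trace field names, the use of SHA-256, and the function names are assumptions made for illustration; the three-layer sealing architecture of [I-D.veridom-omp] and the RFC 3161 time-stamp exchange are not reproduced here.

```javascript
const { createHash, timingSafeEqual } = require("crypto");

// A high or low surrogate that is not part of a valid pair (RFC 8785 rejects these).
const LONE_SURROGATE = /[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?<![\uD800-\uDBFF])[\uDC00-\uDFFF]/;

// RFC 8785 (JCS): members sorted by UTF-16 code units, no whitespace, strings
// and numbers serialized as ECMAScript JSON.stringify does. Input: parsed JSON data.
function canonicalize(value) {
  if (typeof value === "string" && LONE_SURROGATE.test(value)) {
    throw new TypeError("lone surrogate in string");
  }
  if (typeof value === "number" && !Number.isFinite(value)) {
    throw new TypeError("NaN and Infinity are not JSON numbers");
  }
  if (value === null || typeof value !== "object") {
    const out = JSON.stringify(value);
    if (out === undefined) throw new TypeError("not a JSON value");
    return out;
  }
  if (Array.isArray(value)) return "[" + Array.from(value, (v) => canonicalize(v)).join(",") + "]";
  const members = Object.keys(value).sort() // default sort compares UTF-16 code units
    .map((k) => canonicalize(k) + ":" + canonicalize(value[k]));
  return "{" + members.join(",") + "}";
}

// Assumption: the digest covered by the seal is SHA-256 over the canonical UTF-8 bytes.
function traceDigest(trace) {
  return createHash("sha256").update(canonicalize(trace), "utf8").digest("hex");
}

// Recompute the digest from the trace alone and compare in constant time.
function isUnmodified(trace, sealedDigestHex) {
  const a = Buffer.from(traceDigest(trace), "hex");
  const b = Buffer.from(sealedDigestHex, "hex");
  return a.length === b.length && timingSafeEqual(a, b);
}

// Constructed sample Audit Trace; field names are hypothetical, not the OMP schema.
const sealed = { trace_id: "example-0001", domain: "employment", decision: "refer_to_human",
  human_oversight: { action: "approved", reviewer_role: "hr_analyst" }, model_score: 0.7 };
const sealedDigest = traceDigest(sealed);

// Same content re-serialized with another member order, whitespace and number spelling.
const reserialized = JSON.parse('{ "model_score": 7e-1, "decision": "refer_to_human",' +
  ' "human_oversight": {"reviewer_role": "hr_analyst", "action": "approved"},' +
  ' "trace_id": "example-0001", "domain": "employment" }');
// One field altered after sealing.
const tampered = { ...sealed, decision: "auto_approve" };

console.log(isUnmodified(reserialized, sealedDigest), isUnmodified(tampered, sealedDigest));
```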