Veridom Ltd

LondonUnited Kingdomtolulope@veridom.io

Veridom Ltd

AwkaNigeriaropo@veridom.io

Veridom Ltd

TorontoCanadafestus@veridom.io

Security Internet Engineering Task Force Colorado AI Act high-risk AI cross-sector impact assessment algorithmic discrimination consumer rights NIST AI RMF audit trail tamper-evident operating model protocol This document defines a domain profile of the Operating Model Protocol (OMP) for high-risk AI systems subject to the Colorado Artificial Intelligence Act (SB 24-205, effective June 1, 2026), which requires deployers of high-risk AI systems in consequential decisions affecting Colorado consumers to implement risk management programmes, provide consumer disclosures, conduct impact assessments, and implement discrimination mitigation measures. The profile -- designated ColoradoMark -- specifies how OMP's deterministic routing invariant, Watchtower enforcement framework, and three-layer cryptographic integrity architecture satisfy the Colorado AI Act's per-decision accountability obligations and align with the NIST AI RMF 1.0, providing a unified cross-sector accountability evidence architecture for the six Colorado AI Act consequential decision domains. The OMP core specification is defined in the Operating Model Protocol Internet-Draft (draft-veridom-omp).

Introduction This document specifies the ColoradoMark domain profile for OMP, covering high-risk AI systems under the Colorado Artificial Intelligence Act (SB 24-205) , which requires deployers of high-risk AI in consequential decisions to implement risk management programmes aligned with the NIST AI RMF 1.0 . The full specification is provided in the plain-text version of this Internet-Draft. ColoradoMark addresses the six Colorado AI Act consequential decision domains, including employment (see also ), housing finance (see also ), healthcare (see also ), and cross-jurisdiction EU AI Act obligations (see also ). Audit Trace payloads are canonicalized per . Audit Traces are timestamped per . Sealed Audit Traces are verifiable using the OMP Reference Validator . The OMP specification is also archived at . The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .

Profile Specification The complete profile specification -- including all terminology, regulatory framework analysis, routing state definitions, Watchtower definitions, Audit Trace schema extensions, deployment category mappings, invariant definition, and security considerations -- is provided in the companion plain-text specification for this Internet-Draft. This XML rendition provides the structured metadata, references, and IANA considerations for the IETF Datatracker and xml2rfc processing pipeline.

The Profile Invariant Implementations of this profile MUST satisfy the two-property invariant specified in the plain-text companion document: (1) every consequential AI decision generates a sealed Audit Trace documenting the decision, human oversight applied, and applicable regulatory evidence fields; and (2) the Audit Trace is sealed with the three-layer integrity architecture defined in Section 7, detectable as modified by any third party without access to the operator's infrastructure.

Security Considerations The security considerations of apply in full. Operators MUST implement appropriate access controls and data protection measures for Audit Trace storage, access, and disclosure consistent with applicable jurisdiction law.

IANA Considerations This document has no IANA actions.

References Normative References Informative References Colorado General Assembly National Institute of Standards and Technology Veridom Ltd