EU AI Act + Colorado + NIST in One Report

A US company. EU customers. AI in hiring.

That’s three regulations on day one. EU AI Act because the system processes EU resident data. Colorado AI Act because the company has a Denver office and the system makes “consequential decisions” about employment. NIST AI RMF because Colorado’s safe harbor provision – Section 6-1-1703(1) – turns NIST’s voluntary framework into something a state AG can reference when asking whether you’ve done the work.

334 obligations from the EU AI Act. 24 from Colorado. 137 from NIST. Total: 495.

Except the total isn’t 495. Because Article 9 of the EU AI Act requires a risk management system. NIST’s Govern function requires a risk management framework. Colorado requires a risk management program. Three obligations. One control. Assessed three times in three separate workstreams if you’re managing each regulation independently.

This is how most compliance programs operate. Separate spreadsheets. Separate consultants. Separate timelines. The same control documented three different ways for three different frameworks, none of which reference each other.

We built something different.

The Overlap Problem Nobody Quantifies

We wrote about regulation overlaps in the EU context – where GDPR, EU AI Act, and DORA share 1,570 obligations with significant cross-references. The US domestic picture has the same structural problem, amplified by fragmentation.

There is no US federal AI law. Instead, there are state laws that reference federal frameworks that reference international standards. Colorado cites NIST. NIST aligns with ISO 42001. ISO 42001’s risk management requirements parallel EU AI Act Article 9. Follow the reference chain far enough and you’re mapping the same underlying obligation across four regulatory documents written by different bodies in different jurisdictions with different enforcement mechanisms.

A compliance consultant managing this by reading each regulation sequentially will produce thorough work. She’ll also spend three times longer than necessary, because she’s re-analyzing overlapping requirements without recognizing the overlaps.

The question isn’t whether regulations overlap. The question is: by how much, where, and what does the consultant do about it?

How Cross-Regulation Detection Works

Our cross-regulation engine uses a two-stage pipeline to detect obligation overlaps across any pair of regulations in the system.

Stage 1: Semantic Similarity

Every obligation in ReguLume has a vector embedding – a numerical representation of its meaning. When we compare two regulations, we search for obligations that address the same topic using similarity matching.

This stage generates candidate pairs – obligation A from the EU AI Act and obligation B from NIST AI RMF that appear to address the same requirement. But semantic similarity isn’t semantic equivalence. “Risk management” in Article 9 and “risk management” in NIST Govern are similar. They’re not identical. The scope, specificity, and enforcement implications differ.

That’s what stage 2 resolves.

Stage 2: AI Validation

Candidate pairs get reviewed by AI, which reads both obligation texts and classifies the relationship. Are these two obligations equivalent – meaning one satisfies the other? Overlapping – meaning they address the same area but differ in scope? Related – meaning they’re connected but require different actions? Or a false positive – “transparency” in a disclosure context and “transparency” in a model interpretability context sound similar but aren’t?

The distinction matters. EU AI Act Article 11’s documentation requirement and ISO 42001 Clause 7.5’s documented information requirement are functionally equivalent – one control satisfies both. Colorado’s risk management requirement is narrower than EU AI Act Article 9’s – meeting Article 9 satisfies Colorado, but not the reverse. NIST Govern 1.1 (risk framework) is a prerequisite for NIST Measure 2.6 (performance monitoring) – order matters.

Every classification is logged in the audit trail with its reasoning.

What the Unified Assessment Shows

Once cross-references exist between regulations, we can build something a spreadsheet can’t: a unified view of compliance posture across every applicable framework.

The unified assessment aggregates completed gap analyses for a single client across all their regulations. It answers questions that per-regulation reports can’t:

Overall readiness: Not “78% compliant with EU AI Act and 62% compliant with Colorado and 71% compliant with NIST” – but a single view showing all three scores side by side, with the control families that drive each score visible in one table.

Control families: Where obligations from different regulations map to the same underlying control, the unified assessment groups them. “Risk management” isn’t three separate findings in three separate reports. It’s one control family with three regulatory perspectives, a single worst-case severity, and one remediation path.

Consolidation opportunities: The practical payoff. If meeting EU AI Act Article 9 also satisfies Colorado’s risk management requirement and NIST Govern 1.1 – then one remediation project closes three gaps. The unified assessment surfaces these overlaps explicitly. Instead of three projects, you staff one.

This isn’t theoretical efficiency. A consultant who identifies 15 consolidation opportunities across three frameworks saves her client 15 redundant workstreams. At $150/hour for remediation support, that’s real money and real time recovered.

The Colorado Deadline Makes This Urgent

86 days until Colorado’s AI Act takes effect on June 30, 2026.

We covered the 24 obligations in detail. The safe harbor referencing NIST AI RMF turns those 24 into 161. But here’s what matters for cross-regulation mapping: most organizations subject to Colorado are also subject to at least one other AI framework.

A financial services firm in Colorado using AI for credit decisions? Colorado AI Act + NIST AI RMF + CCPA/CPRA (if they serve California residents) + potentially EU AI Act (if they serve EU customers). Four frameworks. The overlaps aren’t edge cases – they’re the baseline.

Running four independent assessments against four regulations with four separate remediation tracks is how compliance budgets explode and deadlines get missed. Running one assessment that maps all four frameworks against the same system inventory, identifies the overlaps, and produces one remediation roadmap? That’s how 86 days becomes manageable.

Where Overlap Maps and Where It Doesn’t

Not everything overlaps. The relationship types matter.

EU AI Act prohibitions – Article 5’s banned practices like social scoring and certain biometric categorization – have no Colorado equivalent. Colorado doesn’t prohibit AI practices. It regulates disclosure and risk management for consequential decisions. A prohibition is a prohibition. There’s no overlap to consolidate.

Similarly, Colorado’s consumer notification requirements – telling individuals that AI was used in a consequential decision – are specific to Colorado’s enforcement framework. EU AI Act has its own transparency requirements in Article 13, but they address system-level interpretability, not individual notification. Related, but not consolidatable. Meeting one doesn’t meet the other.

Where overlap is densest: risk management, documentation, human oversight, and monitoring. These four obligation types account for the majority of cross-references between EU AI Act, NIST AI RMF, and Colorado. They’re also the four most labor-intensive remediation categories. Which means the consolidation savings concentrate exactly where the spending is highest.

One Report, Three Frameworks

The cross-regulation PDF report compiles everything into one deliverable.

Per-regulation summaries with readiness scores. An obligation overlap matrix showing which requirements from different frameworks map to the same control. A combined gap inventory organized by system – not by regulation. Unified remediation priorities ranked by cross-framework impact.

One report. One meeting. One remediation roadmap that addresses three regulatory frameworks simultaneously.

The alternative is three reports, three meetings, and three remediation tracks that independently discover – weeks apart – that they’re all trying to fix the same risk management gap.

The consultant’s client doesn’t care which regulation required the risk management system. The client cares that it’s built, documented, and audit-ready. Cross-regulation mapping gets there faster by recognizing that Article 9, NIST Govern, and Colorado Section 6-1-1703 all point to the same room – and you only need to walk there once.

Cross-regulation analysis uses semantic embeddings for similarity matching and AI for relationship classification. All classifications and reasoning are stored in the audit trail. The unified assessment is a read-time aggregation – no new data is generated, only existing gap analyses are combined. Learn more about our AI validation approach.