June 30 marked the date Colorado's original AI Act was set to take effect. It did not, because Colorado replaced it in May with a narrower transparency framework. August 2 is when the EU's high-risk AI obligations kick in for financial services. Between those two dates sits a five-week window that every PE ops partner with financial-services portcos should treat as a planning deadline, not a holding period.
The Colorado reset does not mean regulators backed down. SB 26-189, signed by Governor Polis in May, stripped the Colorado AI Act's heavy risk management programs and algorithmic discrimination duties in favor of disclosure and transparency requirements. But the underlying question has not changed: can you show what your AI system decided, and why, before it affected a customer? Baker McKenzie flagged this regulatory trajectory in their "Financial Institutions in a Digital and Regulatory Reset" report published in January. The instrument changed. The accountability expectation did not.
The EU has not retreated at all. On August 2, full compliance obligations under Articles 9 through 15 of the EU AI Act come into force for high-risk AI systems. In financial services, that covers credit scoring tools, fraud detection systems, and insurance underwriting models. The full suite of requirements applies: risk management documentation, audit logging, technical traceability, and mandatory human oversight controls. Penalties reach €15 million or 3% of global annual turnover, whichever is higher. Any firm with EU customers or EU-regulated entities is in scope regardless of where it is headquartered.
Here is the central insight for AI compliance across PE portfolios: neither regulator is checking which foundation model a portco selected. They are checking the runtime supervision layer around it. Human-in-the-loop controls, audit logs that capture what the system decided and when, explainability hooks that let someone reconstruct a decision after the fact. That is the compliance surface. A portco running GPT-4o with a proper oversight architecture is in stronger regulatory standing than one running a bespoke open-source model with no logging and no human review checkpoint.
This gap becomes visible fast when examiners arrive. The SEC's AI enforcement actions in 2024 went after firms not for using the wrong model, but for making AI capability claims their governance structures could not substantiate. EU AI Act high-risk enforcement will probe the same structural gap at a larger scale and with much larger penalties.
For financial services AI governance, the minimum baseline per portco is: a documented risk classification for every AI application that touches a customer decision, an audit log with enough fidelity to reconstruct any decision the system influenced, a human review checkpoint before adverse outcomes reach customers, and a named owner for AI governance separate from the product team that built the tool. That structure satisfies the core requirements across both Colorado's revised framework and the EU Act's high-risk tier.
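One way to implement the audit log and human review checkpoint described above, as an added Python example that is not from the page or from any vendor: a wrapper that records every decision (inputs, model version, output with stated reasons, timestamp) and holds adverse outcomes until a named reviewer acts. The toy credit model, the "decline equals adverse" rule and all identifiers are assumptions.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional
import hashlib
import json


@dataclass
class DecisionRecord:
    decision_id: str
    ts: str
    model_version: str
    inputs: dict
    output: dict            # includes the model's stated reasons (explainability hook)
    adverse: bool
    status: str             # "released", "pending_human_review" or "overridden"
    reviewer: Optional[str] = None


def toy_credit_model(inputs: dict) -> dict:
    """Constructed stand-in for a credit-scoring model; returns reasons with its verdict."""
    score = 600 + 2 * inputs["income_k"] - 5 * inputs["late_payments"]
    reasons = [f"income_k={inputs['income_k']}", f"late_payments={inputs['late_payments']}"]
    return {"score": score, "decision": "approve" if score >= 650 else "decline", "reasons": reasons}


class SupervisedDecisionLayer:
    """Wraps any model callable with an audit log and a human-review gate for adverse outcomes."""

    def __init__(self, model_fn, model_version: str):
        self.model_fn, self.model_version = model_fn, model_version
        self.audit_log: list = []        # append-only; in production this lives in immutable storage
        self.review_queue: dict = {}     # decisions held back from the customer until reviewed

    def decide(self, inputs: dict) -> DecisionRecord:
        ts = datetime.now(timezone.utc).isoformat()
        output = self.model_fn(inputs)
        adverse = output["decision"] == "decline"   # assumption: a decline is the adverse outcome
        # Content-derived id binds the record to exactly these inputs, outputs and log position.
        payload = json.dumps([ts, self.model_version, inputs, output, len(self.audit_log)], sort_keys=True)
        rec = DecisionRecord(hashlib.sha256(payload.encode()).hexdigest()[:16], ts, self.model_version,
                             inputs, output, adverse, "pending_human_review" if adverse else "released")
        self.audit_log.append(rec)
        if adverse:
            self.review_queue[rec.decision_id] = rec   # nothing reaches the customer from this path
        return rec

    def human_review(self, decision_id: str, reviewer: str, uphold: bool) -> DecisionRecord:
        rec = self.review_queue.pop(decision_id)       # KeyError if no such decision is pending
        rec.reviewer, rec.status = reviewer, ("released" if uphold else "overridden")
        return rec

    def reconstruct(self, decision_id: str) -> dict:
        """Rebuild what the system decided, on what, and who signed off, from the log alone."""
        return next(asdict(r) for r in self.audit_log if r.decision_id == decision_id)
```

The review outcome is recorded on the held entry here for brevity; a production log would append the review as its own event so earlier entries are never rewritten.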
If you manage PE portcos in financial services, add the oversight layer to your governance checklist before August 2. The five-week window between the Colorado reset and the EU deadline is when AI compliance is still a proactive choice. Once EU enforcement begins, the choice becomes reactive and expensive. The supervision architecture you build this month is not a compliance cost. It is the thing that turns a regulator's question from a crisis into a conversation.
Regulators are not confused about what they want. They want proof that someone is watching the machine, can explain what it decided, and can intervene when it goes wrong. That proof lives in your supervision architecture, not in your model selection.
