The regulatory signals are not subtle, and they are not synchronized.
Colorado replaced its entire AI law in May. Governor Polis signed SB 26-189 on May 14, overwriting the original Colorado AI Act. The replacement targets automated decision-making technology broadly and takes effect January 1, 2027. Financial services applications sit squarely in scope: credit decisions, underwriting, fraud detection, and customer risk scoring all fall within its reach.
Across the Atlantic, the EU AI Act's Digital Omnibus cleared its final legislative hurdle on June 29. High-risk Annex III obligations for financial services applications are now deferred to December 2, 2027. August 2 remains a live compliance date, but for transparency and generative AI disclosure rules only. The full high-risk framework applies from December.
For AI compliance PE ops partners managing financial-services portcos, this is not a "wait and see" moment.
Both frameworks are asking the same question. Not 'which model are you using?' but 'who is watching it, and what can they do when something goes wrong?' The pattern across Colorado and Brussels is consistent: what both have legislated is the supervision and audit wrapper around AI systems, not the algorithm inside them. A high-accuracy credit-scoring model with no human escalation path, no decision logging, and no documented review process is non-compliant under both regimes. A simpler system with proper oversight infrastructure is not. Financial services AI governance, under both frameworks, is defined by the supervision layer, not the model.
The model is table stakes. The supervision wrapper is the compliance surface.
Under the EU AI Act, financial services applications fall into the EU AI Act high-risk category under Annex III. Credit decisions, insurance risk assessment, KYC workflows, and fraud screening trigger the full Article 9 through 15 obligation set: technical documentation, human oversight built into system design, logged operation records, and conformity assessments. Colorado's SB 26-189 takes a different approach. It is an ADMT transparency law with no high-risk tier. But the underlying expectation is consistent: a human must be able to review what the system decided, and explain why.
The EU penalty tier for high-risk non-compliance is up to 15 million euros or 3% of total worldwide annual turnover, whichever is higher. For a mid-market portco with 100 million euros in global revenue, 3% of worldwide turnover is 3 million euros. Because 15 million exceeds 3 million, the applicable ceiling is 15 million euros.
The Annex III deferral to December 2027 sounds like runway. It is not. Conformity assessments require technical documentation that does not exist in most portcos today. Human oversight must be built into system design, not retrofitted after the model is in production. Decision logs must capture inputs, outputs, and the deployed model version at the time of each decision. That requires infrastructure decisions made before the system goes live, not after.
The portcos that wait until late 2026 to start will spend 2027 rebuilding. The ones that start now will spend 2027 certifying.
Regardless of which deadline applies, four capabilities define an auditable AI program in financial services:
- •Human escalation paths that are tested. Not written into a policy document, but actually exercised with a documented record.
- •Decision logging that captures model inputs, outputs, and version at time of decision. Reconstruction after the fact is not logging.
- •A documented review process for disputed or appealed decisions. Both frameworks assume regulators or consumers will ask for this.
- •Technical documentation covering system architecture, training data lineage, performance metrics, and known failure modes. This is what a conformity assessment or a regulatory inquiry asks for first.
When you review your financial-services portcos this quarter, the right question is not "which AI models are deployed?" It is "where is the supervision layer, and can it be demonstrated?"
The regulatory reset across Colorado and Brussels is not moving toward lighter oversight. The deadlines shifted; the compliance obligations did not shrink. The portcos building audit infrastructure now are not just avoiding penalties. They are not rebuilding under deadline pressure in 18 months.
