



Internet Engineering Task Force                               T. Adebayo
Internet-Draft                                                O. Apalowo
Intended status: Informational                             F. Makanjuola
Expires: 7 October 2026                                      Veridom Ltd
                                                            5 April 2026


 OMP Domain Profile: Cross-Sector High-Risk AI Accountability Under the
Colorado Artificial Intelligence Act (SB 24-205) and Alignment with NIST
                               AI RMF 1.0
                      draft-veridom-omp-coloai-00

Abstract

   This document defines a domain profile of the Operating Model
   Protocol (OMP) for high-risk AI systems subject to the Colorado
   Artificial Intelligence Act (SB 24-205, effective June 1, 2026),
   which requires deployers of high-risk AI systems in consequential
   decisions affecting Colorado consumers to implement risk management
   programmes, provide consumer disclosures, conduct impact assessments,
   and implement discrimination mitigation measures.

   The profile -- designated ColoradoMark -- specifies how OMP's
   deterministic routing invariant, Watchtower enforcement framework,
   and three-layer cryptographic integrity architecture satisfy the
   Colorado AI Act's per-decision accountability obligations and align
   with the NIST AI RMF 1.0, providing a unified cross-sector
   accountability evidence architecture for the six Colorado AI Act
   consequential decision domains.

   The OMP core specification is defined in the Operating Model Protocol
   Internet-Draft (draft-veridom-omp).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."




Adebayo, et al.          Expires 7 October 2026                 [Page 1]

Internet-Draft         OMP Colorado AI Act Profile            April 2026


   This Internet-Draft will expire on 7 October 2026.

Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Profile Specification . . . . . . . . . . . . . . . . . . . .   3
   3.  The Profile Invariant . . . . . . . . . . . . . . . . . . . .   3
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   3
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   3
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   3
     6.1.  Normative References  . . . . . . . . . . . . . . . . . .   3
     6.2.  Informative References  . . . . . . . . . . . . . . . . .   4
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   5

1.  Introduction

   This document specifies the ColoradoMark domain profile for OMP,
   covering high-risk AI systems under the Colorado Artificial
   Intelligence Act (SB 24-205) [CO-SB-24-205], which requires deployers
   of high-risk AI in consequential decisions to implement risk
   management programmes aligned with the NIST AI RMF 1.0 [NIST-AI-RMF].
   The full specification is provided in the plain-text version of this
   Internet-Draft.

   ColoradoMark addresses the six Colorado AI Act consequential decision
   domains, including employment (see also [I-D.veridom-omp-employ]),
   housing finance (see also [I-D.veridom-omp-fhfa]), healthcare (see
   also [I-D.veridom-omp-clinical]), and cross-jurisdiction EU AI Act
   obligations (see also [I-D.veridom-omp-euaia]).  Audit Trace payloads
   are canonicalized per [RFC8785].  Audit Traces are timestamped per
   [RFC3161].  Sealed Audit Traces are verifiable using the OMP
   Reference Validator [OMP-OPEN-CORE].  The OMP specification is also
   archived at [ZENODO-OMP].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119] [RFC8174].



Adebayo, et al.          Expires 7 October 2026                 [Page 2]

Internet-Draft         OMP Colorado AI Act Profile            April 2026


2.  Profile Specification

   The complete profile specification -- including all terminology,
   regulatory framework analysis, routing state definitions, Watchtower
   definitions, Audit Trace schema extensions, deployment category
   mappings, invariant definition, and security considerations -- is
   provided in the companion plain-text specification for this Internet-
   Draft.  This XML rendition provides the structured metadata,
   references, and IANA considerations for the IETF Datatracker and
   xml2rfc processing pipeline.

3.  The Profile Invariant

   Implementations of this profile MUST satisfy the two-property
   invariant specified in the plain-text companion document: (1) every
   consequential AI decision generates a sealed Audit Trace documenting
   the decision, human oversight applied, and applicable regulatory
   evidence fields; and (2) the Audit Trace is sealed with the three-
   layer integrity architecture defined in [I-D.veridom-omp] Section 7,
   detectable as modified by any third party without access to the
   operator's infrastructure.

4.  Security Considerations

   The security considerations of [I-D.veridom-omp] apply in full.
   Operators MUST implement appropriate access controls and data
   protection measures for Audit Trace storage, access, and disclosure
   consistent with applicable jurisdiction law.

5.  IANA Considerations

   This document has no IANA actions.

6.  References

6.1.  Normative References

   [I-D.veridom-omp]
              Adebayo, T., Apalowo, O., and F. Makanjuola, "Operating
              Model Protocol (OMP): A Deterministic Decision-Enforcement
              Protocol with Externalized Proof-of-Integrity", Work in
              Progress, Internet-Draft, draft-veridom-omp-00, March
              2026, <https://datatracker.ietf.org/doc/html/draft-
              veridom-omp-00>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.



Adebayo, et al.          Expires 7 October 2026                 [Page 3]

Internet-Draft         OMP Colorado AI Act Profile            April 2026


   [RFC3161]  Adams, C., Cain, P., Pinkas, D., and R. Zuccherato,
              "Internet X.509 Public Key Infrastructure Time-Stamp
              Protocol (TSP)", RFC 3161, August 2001,
              <https://www.rfc-editor.org/info/rfc3161>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, May 2017,
              <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8785]  Rundgren, A., Jordan, B., and S. Erdtman, "JSON
              Canonicalization Scheme (JCS)", RFC 8785, June 2020,
              <https://www.rfc-editor.org/info/rfc8785>.

6.2.  Informative References

   [CO-SB-24-205]
              Colorado General Assembly, "Artificial Intelligence Act
              (SB 24-205)", 2026.

   [I-D.veridom-omp-clinical]
              Adebayo, T., Apalowo, O., and F. Makanjuola, "OMP Domain
              Profile: Clinical AI Decision Accountability", Work in
              Progress, Internet-Draft, draft-veridom-omp-clinical-00,
              2026, <https://datatracker.ietf.org/doc/html/draft-
              veridom-omp-clinical-00>.

   [I-D.veridom-omp-employ]
              Adebayo, T., Apalowo, O., and F. Makanjuola, "OMP Domain
              Profile: Automated Decision Systems Accountability in
              Employment", Work in Progress, Internet-Draft, draft-
              veridom-omp-employ-00, 2026,
              <https://datatracker.ietf.org/doc/html/draft-veridom-omp-
              employ-00>.

   [I-D.veridom-omp-euaia]
              Adebayo, T., Apalowo, O., and F. Makanjuola, "OMP Domain
              Profile: EU AI Act Article 12 Logging and Traceability
              Requirements", Work in Progress, Internet-Draft, draft-
              veridom-omp-euaia-00, 2026,
              <https://datatracker.ietf.org/doc/html/draft-veridom-omp-
              euaia-00>.










Adebayo, et al.          Expires 7 October 2026                 [Page 4]

Internet-Draft         OMP Colorado AI Act Profile            April 2026


   [I-D.veridom-omp-fhfa]
              Adebayo, T., Apalowo, O., and F. Makanjuola, "OMP Domain
              Profile: AI Governance and Accountability Evidence for US
              Housing Finance Under FHFA Bulletin 2025-16", Work in
              Progress, Internet-Draft, draft-veridom-omp-fhfa-00, 2026,
              <https://datatracker.ietf.org/doc/html/draft-veridom-omp-
              fhfa-00>.

   [NIST-AI-RMF]
              National Institute of Standards and Technology,
              "Artificial Intelligence Risk Management Framework (AI RMF
              1.0)", 2023.

   [OMP-OPEN-CORE]
              Veridom Ltd, "OMP Open Core: Reference Validator and
              Schema Library",  Apache 2.0,
              https://github.com/veridomltd/omp-open-core, 2026.

   [ZENODO-OMP]
              Adebayo, T., Apalowo, O., and F. Makanjuola, "OMP --
              Operating Model Protocol", Zenodo DOI
              10.5281/zenodo.19140948, March 2026.

Authors' Addresses

   Tolulope Adebayo
   Veridom Ltd
   London
   United Kingdom
   Email: tolulope@veridom.io


   Oluropo Apalowo
   Veridom Ltd
   Awka
   Nigeria
   Email: ropo@veridom.io


   Festus Makanjuola
   Veridom Ltd
   Toronto
   Canada
   Email: festus@veridom.io







Adebayo, et al.          Expires 7 October 2026                 [Page 5]
