What is AI regulation in Colombia?
Global AI regulation
Colombia does not yet have a single enacted AI Act. As of 4 June 2026, AI is governed mainly through existing data protection, consumer, transparency and public sector rules, while Congress is still processing Bill 043/2025 Senate and 324/2025 Chamber, a proposed comprehensive framework. If enacted, that bill would regulate AI across the full lifecycle, classify systems by risk, require impact assessment for high-risk uses, assign MinCiencias as the national AI authority, and preserve sector regulators' powers.
What this means
In practice, Colombia is moving on two tracks. The first track is already live: general laws and official guidance apply today, especially on personal data, consumer treatment, state transparency and the use of automated systems by public bodies. That means organisations in Colombia are not operating in a legal vacuum just because a dedicated AI law has not yet passed.
The second track is legislative. The main omnibus proposal is Bill 043/2025 Senate and 324/2025 Chamber. The official Chamber dossier still listed it as "Tramite en Comision" on 4 June 2026, so it is not binding law yet. Still, it is the clearest signal of where Colombia is heading.
If enacted, the proposal would create a broad, risk-based framework. It would cover developers, providers, implementers and users, including some foreign systems that create effects in Colombia or rely on Colombian data or infrastructure.
Why it matters
This matters because Colombia's AI debate is no longer just about innovation policy. It now affects procurement, product design, data governance, customer service, workplace change, public sector transparency and cross-border operations.
For organisations, the practical question is not only "Is there an AI law yet?" It is also "Which rules already apply to the way we train, buy, deploy and supervise AI in Colombia?" A company using personal data for model training, a contact centre automating customer interactions, a public body using automated decision tools, or an employer introducing AI into workforce management each faces a different mix of binding duties today, and an even broader set of likely duties if the bill passes.
The proposed framework also matters because it is lifecycle-based and risk-based. That means compliance would not sit only with the original developer. It would also sit with sellers, deployers and other actors whose decisions shape how the system is actually used in Colombia.
How it works
What is binding now, and what is still policy or proposal
Colombia does not yet have a single comprehensive AI statute in force. What is already binding comes from general regimes and official instruments that apply to AI today. The most important are personal data law, consumer law, public information law and constitutional principles for state use of automated systems.
The data protection side is especially important. The Superintendence of Industry and Commerce, SIC, says Colombia's personal data rules apply to personal data used to develop, test, monitor or deploy AI. Its 2024 circular treats AI as fully inside the existing habeas data regime and pushes accountability, privacy by design and by default, risk management, security controls and privacy impact studies where high-risk processing is likely.
For the state, the Constitutional Court has already made algorithmic transparency a constitutional issue. In Sentencia T-067 de 2025, the Court treated algorithmic transparency as part of the right of access to public information. After that, the Procuraduria and Defensoria issued Directiva Conjunta 007 de 2025, which sets minimum transparency standards for covered algorithmic systems used by the state and requires annual reporting.
Alongside those binding rules, Colombia now has a national AI policy. CONPES 4144, approved in February 2025, is a policy roadmap to 2030 rather than an Act of Congress. It is still important because it organises the public agenda around ethics and governance, data and infrastructure, research and innovation, digital talent, risk mitigation, and AI use and adoption. The later bill is drafted to operate in coherence with that policy.
How broad the proposed bill is
The committee text of Bill 043/2025 Senate and 324/2025 Chamber is deliberately broad. It is not confined to one sector, one model type or one procurement route. It would apply to public and private actors involved in any stage of the AI lifecycle, including design, development, training, testing, validation, deployment, operation, monitoring, maintenance, commercialisation, importation, distribution and use.
Its territorial logic is also wide. The draft reaches systems physically developed, trained, implemented or used in Colombia. It also reaches systems that create legal, economic, social or environmental effects in Colombia, systems that use inputs drawn from Colombian persons, entities, works or protected information, and systems that depend on essential inputs supplied from Colombia or by actors subject to Colombian law.
That matters for foreign suppliers and multinationals. Under the bill's current drafting, Colombian exposure would depend less on where a model provider is headquartered and more on whether the system affects people, data, markets or infrastructure in Colombia.
The risk-based structure
The proposed framework is explicitly risk-based. In broad terms, it creates four bands.
The first band is critical risk. These systems are generally not allowed for ordinary deployment because of their potential to conflict with fundamental rights, human dignity or the superior public interest. The committee text gives examples such as subliminal manipulation that can cause serious and verifiable harm, public authority social scoring, and real-time remote biometric identification in public spaces by authorities, except in narrow, judicially authorised urgent cases.
The second band is high risk. These are systems whose nature, context and intended purpose create a high likelihood of adverse effects on health, safety or fundamental rights. The bill points to safety components in regulated products, critical infrastructure, education access and assessment, employment and worker management, access to essential public benefits, law enforcement uses that interfere with rights, justice, democratic processes and certain biometric uses.
The third band is not fully "low risk", but systems with specific transparency duties. These include AI systems that interact directly with people and systems that generate or manipulate image, audio or video in ways that appear authentic, including deepfake-type content. The draft expects clear disclosure so that users know they are dealing with AI or with synthetically generated material.
The fourth band is minimal or no risk. These systems would mainly sit under voluntary codes of conduct and good practice.
This structure is important, but it is not fully fixed. The draft says the national authority would later establish and update a more detailed list of high-risk uses through administrative action after public consultation. So the bill creates the architecture, while some of the operational detail would come later.
The main duties the bill would create
The centrepiece for high-risk systems is an impact assessment before implementation and after any substantial modification. In practice, this is an AI impact assessment by another name. The draft says it must at least cover the system's purpose, potential risks including algorithmic discrimination, mitigation measures, data quality and representativeness, performance and accuracy, transparency and explainability, and human oversight with continuous monitoring. It must then be reviewed periodically, at least once a year, or sooner if the system changes materially.
The bill also imposes role-based responsibility. It distinguishes among developers, providers, implementers and users, and says obligations should reflect each actor's role and degree of control over risk. That matters because liability and governance would not stop at the model builder. A deployer that configures and uses a system in a sensitive context could carry major responsibilities of its own.
Public administration receives special treatment. The draft says AI-supported decisions used by public bodies should be clear, understandable and open to review. Civil servants and public authorities would remain responsible for their acts. Public entities would also need governance mechanisms that include supervision, auditability and risk mitigation, and systems should undergo impact assessment before use in the public sector.
The bill also reaches workforce change. It requires the government to define "just transition" guidance on AI and work, and it would require employers that introduce AI capable of materially displacing or transforming existing functions to adopt retraining or reallocation plans for affected workers.
Who would be in charge
The bill would make the Ministry of Science, Technology and Innovation, MinCiencias, the national AI authority. MinCiencias would guide implementation of the law, coordinate AI governance, issue technical lineamientos, standards and good practices, and align the framework with CONPES 4144 and later updates.
The proposal also creates institutional layers around MinCiencias. One is an Intersectoral Coordination Committee for AI, bringing together DNP, the ministries of Education, ICT, Commerce, Culture, Foreign Affairs and Labour, plus representatives from academia, the productive sector and civil society. Another is a National Advisory Council of Experts on AI within the national science, technology and innovation system.
For regulatory experimentation, the draft creates a National Technical Committee for AI sandboxes, coordinated by MinCiencias. Sandboxes would be supervised test environments for experimenting with high-impact AI under defined legal and technical conditions. Notably, the committee text says high-risk systems should be tested in sandboxes, under ethical and technical supervision, rather than treated as automatically off limits.
This is a comparatively collaborative governance design. It does not build a single all-purpose super-regulator. Instead, it combines a central technical authority with intersector coordination and leaves room for existing sector bodies to keep acting inside their own legal mandates.
Enforcement, sanctions and near-term uncertainty
The proposal keeps enforcement distributed. The SIC would continue exercising inspection, surveillance and control within its existing powers over personal data, consumer protection and competition. The Ministry of Labour would monitor the labour transition duties attached to workplace automation. If the issue involves a public authority, the committee text routes the matter to the Procuraduria rather than using the bill's private-sector sanction article.
For private actors, the bill proposes a graduated sequence. It starts with improvement requirements and written warnings, then moves to fines of up to 3,000 monthly legal minimum wages, suspension of activities for up to 24 months, and temporary or permanent closure of the AI operation, including blocking access in Colombia when risks are grave, deliberate or irreversible. The procedure is meant to include warning, technical advice and progressive improvement before severe sanctions, unless there is grave risk or damage already done.
There is also real drafting uncertainty. The project is still pending. Important mechanics are left to later regulation within 24 months of enactment. And the committee text is not perfectly clean: the classification chapter speaks mainly of "critical risk", while an enforcement clause still refers to "unacceptable risk". That kind of terminology drift is normal in live legislative drafting, but it is a reminder that the final architecture can still move.
Examples
A Colombian or Colombia-facing contact centre that wants to use AI-generated calls is already inside an active compliance perimeter. The SIC has issued concepts on AI in consumer services and commercial activities that stress transparency, privacy, security and child protection, alongside the general data protection regime. Even before the omnibus bill passes, this kind of deployment needs documented legal and governance checks.
A public authority using an algorithmic system that affects citizens cannot treat the system as an internal black box. After Sentencia T-067 de 2025, Directiva Conjunta 007 de 2025 requires minimum algorithmic transparency standards for covered state systems, including active and passive transparency duties and annual reporting. The later bill would add another layer by requiring auditability, governance and impact assessment for higher-risk public uses.
An employer introducing AI that could substantially reshape jobs would face a bigger governance task under the current bill text than simple software rollout. The proposal says affected workers should be covered by retraining or relocation plans, and CONPES 4144 already includes a national action line to monitor labour displacement and protect workers' rights as AI adoption expands.
Common misunderstandings
Myth: Colombia already has a comprehensive AI Act. Correction: it does not. The main omnibus framework is still a bill in Congress and was still listed as in committee on 4 June 2026.
Myth: CONPES 4144 is the same thing as an AI law. Correction: it is a national public policy roadmap, not a statute. It helps organise budgets, institutions and priorities, but it does not replace binding legal duties.
Myth: Only AI developers would be covered. Correction: the proposal is lifecycle-based and role-based. It reaches developers, providers, implementers and users, depending on the role each one plays.
Myth: If a system is not high risk, nothing applies. Correction: some systems still trigger transparency duties, and existing data protection, consumer and public transparency rules can apply regardless of formal risk banding.
Myth: The bill would replace existing regulators with one new AI watchdog. Correction: MinCiencias would coordinate the framework, but bodies such as the SIC and the Ministry of Labour would keep their own sector powers.
Risks and boundaries
The most important boundary is legal status. The broad framework discussed here is still proposed law, not enacted law. It can still change in committee, in later debates, during conciliation or through later implementing rules if passed. Treat it as the likely direction of travel, not as final wording.
The second boundary is institutional overlap. Colombia's AI governance is not one instrument doing one job. CONPES 4144 is policy. SIC Circular 002/2024 is about personal data in AI. Directiva Conjunta 007/2025 is about transparency for state algorithmic systems. The MinTIC ethical guide is public sector guidance. The bill would sit on top of these, not erase them.
The third boundary is delegated detail. The bill would leave important operational points to later regulation, including detailed technical and operational rules and the ongoing list of high-risk uses. That means organisations will need to watch both Congress and later executive rulemaking.
There is also some drafting uncertainty inside the current committee text itself. The core classification chapter uses "critical risk", while one enforcement clause still uses "unacceptable risk". That is a sign that the text is still live and can be cleaned up, or changed more materially, before enactment.
Finally, this article explains the framework at a practical level. It is not legal advice, and it should not substitute for sector-specific review where AI intersects with employment, health, finance, public procurement, national security or regulated consumer activity.
What to do next
Start with an inventory. Map every AI system that your organisation develops, buys, customises or uses in Colombia, and record where it sits in the lifecycle: training, deployment, operation, monitoring and user interaction all matter under the bill's logic.
Then run a risk triage. Even before the bill passes, classify systems against the draft's categories and existing live rules. Pay particular attention to systems touching employment, public services, justice, biometrics, education, safety-critical products and essential benefits.
If personal data is involved, align now with SIC's accountability model. Build privacy by design into procurement, vendor assessment, model development and deployment. Where the use is likely to create serious risk for data subjects, document a privacy impact study rather than waiting for an enforcement question later.
If you sell to, supply, or work with public entities, prepare for transparency and auditability. Public sector buyers in Colombia increasingly need explainability, documentation, response processes for information requests and evidence of human oversight.
If your AI plans could reshape jobs, treat labour transition as a governance issue rather than just a people issue. Build internal criteria for when a role has been substantially transformed and plan retraining, relocation and consultation steps early.
Finally, monitor the actual rulemaking path. For this topic, the smart watchlist is Congress, MinCiencias, MinTIC, SIC, the Procuraduria, the Defensoria and the Constitutional Court. In Colombia, the live compliance picture is already being shaped before the omnibus bill has become law.
FAQs
Does Colombia already have an AI Act in force?
Not a single omnibus act. The key binding rules today come from general regimes such as data protection, consumer law, public information and constitutional law, while the omnibus AI bill remains pending.
What is the main comprehensive AI bill in Colombia?
It is Bill 043/2025 Senate and 324/2025 Chamber, titled "Por medio de la cual se regula la Inteligencia Artificial en Colombia para garantizar su desarrollo etico, responsable, competitivo e innovador, y se dictan otras disposiciones."
Would the proposed bill cover foreign companies?
In many cases, yes. The draft reaches systems that create effects in Colombia, use Colombian inputs or depend on essential inputs supplied from Colombia, even if the provider is not headquartered there.
What systems would face the heaviest duties under the proposal?
High-risk systems. They would face impact assessment, stronger governance, human oversight and, in the committee text, testing in regulatory sandboxes. Critical-risk systems are generally not allowed for ordinary deployment.
Are chatbots and deepfakes covered?
Yes. The draft requires disclosure when people interact directly with AI, and synthetic image, audio or video that appears authentic must be clearly labelled, subject to limited exceptions tied to fundamental rights or public interest.
Is an AI impact assessment already mandatory in Colombia?
Not as a universal duty under a general AI law. Under the bill, it would apply to high-risk systems if enacted. Separately, SIC's 2024 circular already expects privacy impact studies where AI data processing is likely to create high risk for data subjects.
Who would supervise AI under the proposed law?
MinCiencias would act as the national AI authority and coordinate the framework, but sector enforcement would stay distributed. The SIC, labour authorities and other competent bodies would keep their own powers.
Is CONPES 4144 enough on its own for compliance?
No. It is important because it sets Colombia's policy roadmap to 2030, but it does not replace binding duties under statutes, circulars, court decisions and sector rules.