Key takeaways
- Colorado rewrote its AI law in 2026: SB 26-189 repealed and reenacted the original 2024 statute (SB 24-205), and the new version takes effect on January 1, 2027.
- The Colorado AI Act now governs automated decision-making technology (ADMT) used in consequential decisions, replacing the earlier focus on high-risk artificial intelligence systems.
- Deployers face four operational duties: advance notice, a plain-language disclosure within 30 days of an adverse outcome, data access and correction, and meaningful human review.
- The revision removed the original mandates for impact assessments, risk management programs, and the duty of reasonable care against algorithmic discrimination.
- Those dropped obligations still bind many organizations through other laws, so a working AI governance program remains the rational baseline before 2027.

What the Colorado AI Act is now: from SB 24-205 to SB 26-189
When Governor Jared Polis signed SB 24-205 in May 2024, Colorado became the first US state to pass a broad, cross-sector law on artificial intelligence. That original statute imposed heavy duties on developers and deployers of high-risk AI systems, including a duty of reasonable care to protect consumers from algorithmic discrimination.
The law never took effect in that form. Its start date was pushed back twice, and in early 2026 a court temporarily paused enforcement after a lawsuit by xAI that the US Department of Justice supported. A stakeholder working group of legislators, the Governor’s office, and the Attorney General’s office negotiated a replacement and released a proposal in March 2026.
The result is SB 26-189, titled Automated Decision-Making Technology. It repeals and reenacts the original Colorado AI Act rather than amending it. According to the Colorado General Assembly bill record, the bill was introduced on May 1, 2026, passed the Senate on May 7, passed the House on May 9, and was signed on May 14, 2026, with prime sponsors Senators Robert Rodriguez and James Coleman and Representatives Monica Duran and Jennifer Bacon. Its general provisions take effect on January 1, 2027.
The practical lesson is that most of the analysis written about the original law now describes obligations that no longer exist. Any organization building an AI governance program around Colorado needs to work from the reenacted text, not the 2024 version.
From high-risk AI to automated decision-making technology
The central change in the Colorado AI Act is conceptual. The original law regulated high-risk artificial intelligence systems. The reenacted law regulates covered automated decision-making technology, which Crowell and Moring describe as any system using computation or machine learning to process personal data and materially influence a consequential decision.
That definition is broader than it first appears. It drops the earlier requirement that a system infer from inputs to generate outputs, so even a rules-based tool that checks whether an answer falls within an acceptable range can qualify if it materially influences a covered decision.
A consequential decision is one that has a material legal or similarly significant effect on a consumer’s access to, cost of, or terms of education, employment, housing, financial or lending services, insurance, health-care services, or essential government services and public benefits. These domains carried over from the original statute.
The reenacted law also lists what falls outside scope. Routine functions such as scheduling, customer-service triage, advertising, product recommendations, search, and content moderation are excluded, as are firewalls, spam filters, spell-checkers, web hosting, calculators, databases, spreadsheets, and tools used solely to summarize or present information for human review. Mapping your systems against these boundaries is the first step toward an accurate AI system inventory.
Who is covered: developers, deployers, and sector safe harbors
The Colorado AI Act keeps the two-role structure that most modern AI laws use. A developer builds or substantially modifies a covered ADMT. A deployer puts that technology to use in Colorado to influence consequential decisions about residents. A single company can be both at once, for example when it builds an internal hiring model and also runs it.
The reenacted law changed how exemptions work. The 2024 version offered broad conditional carve-outs for federally regulated entities. As the Consumer Finance Monitor analysis notes, the rewrite narrows those blanket exemptions, which pulls more organizations into scope, and replaces them with targeted deemed-compliance pathways.
Those pathways recognize controls that regulated sectors already run. Insurers that comply with Colorado’s existing rules on algorithmic discrimination are treated as compliant, except for their own employment decisions. HIPAA-covered health-care entities are largely outside scope except for consequential employment decisions and financial-assistance determinations. FDA-regulated medical-device and pharmaceutical activity is excluded. Creditors that already issue adverse-action notices under ECOA and FCRA can use those processes to satisfy the disclosure duty, and FERPA-compliant schools are deemed compliant on notice and human review when they already run correction and review processes. Confirming which pathway applies to each system belongs in your AI governance documentation.
What deployers must do: the four operational duties
Deployers carry the duties most consumers will notice. The reenacted Colorado AI Act sets out four of them, described in plain operational terms by Norton Rose Fulbright.
Clear and conspicuous notice
Before a covered ADMT is used to influence a consequential decision, the deployer must give the consumer clear and conspicuous notice that the technology is in use. This is an upfront transparency duty, not an after-the-fact explanation.
The 30-day adverse-outcome disclosure
When a covered decision produces an adverse outcome, the deployer has 30 days to deliver a plain-language disclosure. It must explain the decision, describe the role the ADMT played, and tell the individual how to exercise their rights. This duty is the operational heart of the law, and it forces deployers to know which systems drove which decisions.
Access and correction of personal data
Individuals can ask to access the personal data used in a decision and request correction of inaccurate data, to the extent commercially reasonable. Deployers therefore need a way to trace the data behind a given output.
Meaningful human review and reconsideration
After an adverse decision, an individual may request meaningful human review and reconsideration, again to the extent commercially reasonable. Review and reconsideration are two distinct entitlements, so a deployer must be able to re-examine a case and genuinely change the result. Building these request channels into your workflow is far easier when an AI governance platform already tracks each system and its decisions.
What developers must do: documentation duties
Developers carry a lighter but specific load focused on documentation. Beginning January 1, 2027, a developer must give deployers the technical documentation they need to use a covered ADMT responsibly. That package covers the intended uses, the categories of personal data used in training, the known limitations and risks, and instructions that enable appropriate use and human oversight.
Developers must also notify deployers of material updates or modifications, since a change to the model can change its risks and its proper use. The reenacted law keeps the original three-year record-retention expectation, so developers should preserve the documentation and update history that proves what a system did and when.
For a developer, the cleanest way to meet these duties is to treat documentation as a product artifact rather than a compliance afterthought. Model cards, data summaries, and use instructions that live alongside the system make the handoff to deployers routine and keep your AI governance records audit-ready.
What the Colorado AI Act dropped, and why it still matters
The most consequential edits are the deletions. The reenacted Colorado AI Act removed three obligations that defined the 2024 law: the mandatory risk management program, the impact assessment requirement, and the duty of reasonable care to prevent algorithmic discrimination. It also dropped the annual review and public summary requirements. Crowell and Moring describe the discrimination duty as the single largest source of liability exposure under the prior statute.
It would be a mistake to read those deletions as permission to stop governing AI. The duties left Colorado law, not the wider compliance picture. The EU AI Act still requires deployers of high-risk systems to run a fundamental rights impact assessment under Article 27, with elements set out in the ECNL and Danish Institute for Human Rights FRIA guide. The NIST AI Risk Management Framework still defines risk management as the baseline for trustworthy AI. Other US states regulate the same systems, and federal anti-discrimination and consumer-protection laws still apply to automated decisions.
The rational response is to keep the controls Colorado dropped, because they remain the cheapest way to satisfy every other regime at once and to stay ready for the Attorney General rules due in 2027. An impact assessment, bias testing, and a documented risk program are not Colorado mandates anymore, but they are still how you prove a covered ADMT is fair, accurate, and defensible.
How to prepare before January 1, 2027: an operational playbook
The compliance window is short, and the new consumer-facing workflows take months to build. The following steps turn the Colorado AI Act into an action plan.
- Build an ADMT inventory. List every system that uses computation or machine learning to process personal data and influence a covered decision. An accurate AI system inventory is the foundation for every other step.
- Classify each system. Decide whether it is covered ADMT, whether you are a developer or deployer for it, and whether a sector deemed-compliance pathway applies.
- Stand up the notice workflow. Add clear and conspicuous notice wherever a covered ADMT touches a consequential decision.
- Build the 30-day disclosure process. Create a template and an owner so adverse-outcome disclosures go out on time and explain the ADMT role accurately.
- Wire correction and human-review channels. Give consumers a route to access and correct data and to request meaningful human review, and give your staff the authority to change a result.
- Keep a voluntary governance baseline. Maintain impact assessments, bias testing, and a risk program even though Colorado no longer mandates them.
- Collect developer documentation. If you deploy third-party systems, demand the technical documentation the law now requires of developers.
- Assign accountable owners. Name a person for each duty so compliance does not stall when the rules are published.
A single AI governance platform that holds the inventory, the assessments, and the decision records turns this list from a scramble into a repeatable process.
Colorado in the US and EU AI law landscape
The Colorado AI Act no longer stands alone. Texas enacted the Responsible Artificial Intelligence Governance Act, Utah passed its Artificial Intelligence Policy Act, and California adopted rules on automated decision-making technology through its privacy regulator. The EU AI Act remains the most comprehensive regime, with risk tiers, conformity assessments, and impact assessments for high-risk systems.
After the rewrite, Colorado sits at the lighter end of this spectrum. It is now primarily a consumer-transparency and contestability law rather than a full risk-governance regime. For multistate and global operators, that makes Colorado a floor rather than a ceiling. A program designed to the stricter EU standard generally covers Colorado with room to spare, which is why anchoring compliance to the most demanding applicable regime is usually the efficient choice. Our other AI governance insights track these regimes as they evolve.
FAQ
When does the Colorado AI Act take effect? The reenacted Colorado AI Act, SB 26-189, takes effect on January 1, 2027. The Attorney General must complete mandatory rulemaking by the same date, so detailed disclosure and consumer-rights requirements will be defined close to the compliance deadline.
What are the penalties under the Colorado AI Act? The Colorado Attorney General enforces the law exclusively, treating violations as deceptive trade practices under the Colorado Consumer Protection Act. The statute does not set separate fixed fines, and penalty details are expected in the Attorney General rules. A 60-day notice-and-cure period applies to many violations, but not to knowing or repeated ones, and the cure right sunsets on January 1, 2030.
Is there a private right of action? No. The reenacted law states explicitly that it does not create a private right of action, so only the Attorney General can bring enforcement actions. Individuals can still pursue claims under other laws, such as existing anti-discrimination statutes.
How does the Colorado AI Act affect employment decisions? Employment is a covered domain, so using ADMT to influence hiring, promotion, or termination triggers the deployer duties: advance notice, a 30-day adverse-outcome disclosure, data correction, and meaningful human review. Insurers and HIPAA-covered entities lose their safe harbors specifically for their own consequential employment decisions.
How is SB 26-189 different from the original Colorado AI Act? The original SB 24-205 regulated high-risk AI systems and required risk management programs, impact assessments, and a duty of reasonable care against algorithmic discrimination. SB 26-189 reframes the law around automated decision-making technology and removes those three obligations, replacing them with four consumer-facing duties focused on notice, disclosure, correction, and human review.
Which businesses are exempt from the Colorado AI Act? There is no blanket small-business exemption. Instead, the law offers sector-specific deemed-compliance pathways for insurers, HIPAA-covered health entities, FDA-regulated products, ECOA and FCRA creditors, and FERPA-compliant schools, generally for the activities those federal regimes already govern. Their own employment decisions usually remain in scope.
Conclusion
The Colorado AI Act of 2026 is a lighter law than the one Colorado passed in 2024, but lighter is not the same as absent. SB 26-189 still demands that organizations know which systems make consequential decisions, tell people when ADMT is used, explain adverse outcomes, and offer a real human second look. The obligations Colorado dropped did not vanish from the rest of the regulatory world, so the organizations that stay calm in 2027 will be the ones that kept governing their AI all along. Start with an inventory of your automated decisions, then build the governance program once and map it to every regime that applies. See how an AI governance platform can carry that work.