Colorado’s AI Act: Everything you need to know about SB 26-189

Colorado’s AI law just changed. On May 14, 2026, Governor Jared Polis signed SB 26-189 into law, repealing and replacing the original SB 24-205 entirely. The compliance deadline is January 1, 2027. If your team built a compliance plan around SB 24-205’s risk management programs and impact assessments, you’ll need to rethink that plan.

SB 26-189 strips out those broad obligations and replaces them with four targeted operational duties focused on transparency, disclosure, data accuracy, and human review. Trustible’s AI Compliance Frameworks module now maps SB 26-189 alongside the EU AI Act, NIST AI RMF, ISO 42001, and 10+ other frameworks, so compliance teams can update their governance posture in one place rather than starting over.

TL;DR: SB 24-205 is repealed. SB 26-189 is current Colorado law. The new law replaces risk management programs and impact assessments with four specific operational duties: notify users when AI is involved, disclose adverse outcomes within 30 days, correct inaccurate personal data on request, and provide meaningful human review. Effective January 1, 2027.

What was Colorado SB 205, and what happened to it?

On May 17, 2024, Governor Polis signed SB 24-205 into law, making Colorado the first U.S. state to impose broad AI governance obligations on both developers and deployers of high-risk AI systems. The law required risk management programs, impact assessments, consumer disclosures, and a duty of care to prevent algorithmic discrimination. It was scheduled to take effect February 1, 2026.

But SB 24-205 never took effect. Governor Polis signed it while expressing reservations about its breadth and potential to stifle innovation, asking the legislature to fine-tune the provisions before implementation. Industry groups, technology companies, and legal practitioners raised concerns that the law’s obligations were operationally infeasible at scale. The 2025 legislative session failed to produce agreed amendments. A special session in August 2025 extended the effective date to June 30, 2026 but made no substantive changes.

Then the litigation arrived. On April 9, 2026, xAI filed a federal lawsuit challenging SB 24-205’s constitutionality on First Amendment, Dormant Commerce Clause, due process, and equal protection grounds. The U.S. Department of Justice intervened in support of xAI on April 24, 2026, the first time the federal government has moved to invalidate a state AI law. A federal magistrate judge stayed enforcement on April 27, 2026. Rather than defend the original statute, the Colorado legislature rewrote it entirely. Governor Polis signed SB 26-189 on May 14, 2026.

Colorado is now the first U.S. state to enact a broad AI governance law, watch it fail to take effect, and substantially rewrite it. The result is a leaner, more targeted framework.

What does SB 26-189 require?

SB 26-189 replaces SB 24-205’s broad governance mandates with four specific operational duties for deployers of covered automated decision-making technology (ADMT), the new statutory term that replaces “high-risk AI system.”

1. Notify users when they interact with AI. Before a consumer interacts with covered ADMT, deployers must provide clear notice that AI is involved. This isn’t a buried disclosure in terms of service. It’s a pre-interaction notification the consumer sees before the ADMT processes their information or influences a decision.

2. Disclose adverse outcomes within 30 days. When covered ADMT produces an adverse outcome for a consumer (a denied loan, a rejected job application, an unfavorable insurance decision), the deployer must disclose that outcome and the role ADMT played within 30 days.

3. Correct inaccurate personal data on request. Consumers can request correction of inaccurate personal data used by covered ADMT. Deployers must have a process to receive these requests, verify the data, and correct inaccuracies.

4. Provide meaningful human review and reconsideration. Consumers affected by adverse ADMT outcomes can request human review. Rubber-stamping the original AI decision doesn’t satisfy this requirement. The human reviewer needs enough context to genuinely reconsider the outcome and the authority to override it.

What SB 26-189 removes from SB 24-205

Three of the original law’s most operationally intensive requirements are gone:

  • Risk management programs are no longer required.
  • Impact assessments are eliminated.
  • The broad duty of care to prevent algorithmic discrimination is removed and replaced with more specific, bounded obligations.

The 90-day incident reporting requirement to the Colorado Attorney General is also gone. And the affirmative defense, the rebuttable presumption of compliance for organizations aligned with NIST AI RMF or ISO 42001, has been removed entirely. There is no statutory safe harbor in SB 26-189.

SB 24-205 vs. SB 26-189: key differences

| Attribute | SB 24-205 (repealed) | SB 26-189 (current law) |
| --- | --- | --- |
| Effective date | February 1, 2026 (never took effect) | January 1, 2027 |
| Key scope term | High-risk AI system | Covered automated decision-making technology (ADMT) |
| Core deployer obligations | Risk management program, impact assessments, consumer notice, duty of care | AI interaction notice, 30-day adverse outcome disclosure, data correction, human review |
| Developer obligations | Model documentation, known risk disclosures | Statutory baseline documentation (model documentation, intended uses, known risks, training data categories, human oversight instructions) |
| NIST/ISO safe harbor | Yes, rebuttable presumption of compliance | Removed |
| Incident reporting | 90-day report to AG for algorithmic discrimination | Removed |
| Penalties | Not specified (AG rulemaking expected) | Up to $20,000 per violation |
| Liability shifting | Not addressed | Anti-liability-shifting provision voids contract clauses that shift liability for discriminatory ADMT use |

Who does the Colorado AI Act apply to?

SB 26-189 applies to two categories of entities: developers (organizations that build, train, or substantially modify covered ADMT) and deployers (organizations that use covered ADMT to make or substantially inform decisions affecting consumers).

What is covered ADMT?

Covered automated decision-making technology includes any computational process that makes or substantially informs consequential decisions in specific high-stakes domains:

  • Employment decisions (hiring, promotion, termination)
  • Credit and lending decisions
  • Insurance underwriting
  • Health care services
  • Housing eligibility
  • Educational opportunities
  • Legal services

If your organization uses AI, machine learning models, or algorithmic systems to make or substantially inform decisions in any of these areas, you’re likely operating covered ADMT under SB 26-189.

Developer vs. deployer obligations

Most organizations are deployers. Their obligations center on the four operational duties: notice, disclosure, data correction, and human review.

Developers build, train, or substantially modify the ADMT itself. SB 26-189 makes developer documentation a statutory baseline requirement, not a best practice. Developers must provide deployers with structured documentation covering five categories: model documentation, intended uses, known risks, training data categories, and human oversight instructions.

Some organizations are both. If you build AI systems internally and deploy them for consequential decisions, you carry both sets of obligations.

Small business provisions

SB 26-189 includes provisions for smaller entities that may qualify for reduced obligations. Enterprise organizations with 1,000+ employees should assume full compliance obligations apply.

Enforcement and penalties

The Colorado Attorney General enforces SB 26-189. Civil penalties can reach up to $20,000 per violation. The AG must provide a notice-and-cure period before assessing penalties, giving organizations an opportunity to remediate before fines are levied.

Enforcement is also currently subject to an ongoing legal challenge. The AG has committed not to promulgate implementing rules until after the current legislative session concludes and any resulting rulemaking is complete. The practical effect is that enforcement timing remains uncertain beyond the January 1, 2027 effective date. But the underlying obligations don’t change based on when enforcement begins. The compliance work required is the same regardless.

How does SB 26-189 compare to the EU AI Act?

The core focus of SB 26-189 is narrower than the EU AI Act. The EU Act takes a risk-tiered approach (unacceptable, high, limited, minimal risk) and imposes extensive conformity assessments, technical documentation requirements, post-market monitoring, and phased enforcement that runs from 2025 through 2027. The most operationally significant EU AI Act deadline, full compliance for high-risk AI systems, arrived August 2, 2026.

Colorado’s new law is more targeted. It focuses on specific consumer-facing operational duties rather than prescriptive governance programs. This makes SB 26-189 operationally lighter, but it also means there’s less prescriptive guidance on how to build your governance program. You’ll need to make those design decisions yourself.

The practical takeaway for multi-jurisdictional organizations: a governance program built to the most structured standard (typically the EU AI Act or NIST AI RMF) can generally be adapted to meet Colorado’s more targeted obligations. Going the other direction is harder. Starting with the more structured standard future-proofs your compliance investment.

Colorado also has sector-specific AI regulation that runs alongside SB 26-189. The state’s Division of Insurance finalized a regulation governing AI in life insurance underwriting, adding another layer of obligations for insurers operating in the state. Teams in regulated industries should map both.

How to prepare for Colorado AI Act compliance

The January 1, 2027 deadline gives compliance teams approximately seven months. That’s enough time to build a defensible compliance posture, but not enough to start from scratch in Q4. Here’s what to prioritize now.

Start with an AI inventory. Catalog every AI system, machine learning model, and algorithmic tool in use across your organization. Identify which qualify as covered ADMT under SB 26-189’s scope criteria. You can’t comply with a law about AI decisions if you don’t know where AI is making decisions.

Classify each system’s decision context. For every item in your inventory, determine whether it makes or substantially informs consequential decisions in a covered domain. Systems outside these domains are generally not covered.

Map your role for each system. Determine whether you’re the developer, deployer, or both for each covered ADMT. Your obligations differ by role.

Build pre-interaction notification workflows. For every consumer-facing touchpoint where covered ADMT operates, design and implement the required AI interaction notice. Test it. Document that it works.

Design the 30-day adverse outcome disclosure process. This requires monitoring ADMT-driven decisions for adverse outcomes, triggering disclosures within 30 days, and documenting compliance with the timeline. If you don’t have visibility into your AI decision pipeline today, this is your highest-priority operational gap.

Establish a data correction intake process. Build the intake channel, the verification workflow, and the correction mechanism before the law takes effect.

Implement meaningful human review procedures. Define who reviews adverse ADMT outcomes, what information they receive, and what authority they have to override decisions. Document the process and train the reviewers.

Request developer documentation from AI vendors. SB 26-189 makes documentation a statutory requirement for developers. Start requesting model documentation, intended use descriptions, known risk disclosures, training data categories, and human oversight instructions from every vendor whose ADMT you deploy in covered domains.

Review contracts for liability-shifting clauses. SB 26-189’s anti-liability-shifting provision voids contract terms that attempt to shift liability for discriminatory ADMT use. Review your AI vendor agreements and flag any clauses that may be unenforceable under the new law.

Document everything in an audit-ready record. When the Attorney General investigates, the first question is “show us your documentation.” Every step above should produce a documented artifact. Governance without documentation is governance that can’t be proven.

How Trustible helps

SB 26-189’s four operational duties all start with the same question: where is covered ADMT operating in your organization? You can’t notify consumers about AI interactions you don’t know about. You can’t disclose adverse outcomes from systems you haven’t inventoried. And you can’t provide human review for decisions you can’t trace back to a specific ADMT deployment.

Trustible’s AI Inventory gives compliance teams a single, continuously updated catalog of every AI system, model, and algorithmic tool in use across the organization. For SB 26-189, this means identifying which systems qualify as covered ADMT, mapping them to covered decision domains, and classifying your role for each one.

Trustible’s AI Compliance Frameworks module maps SB 26-189 alongside the EU AI Act, NIST AI RMF, ISO 42001, and 10+ other frameworks simultaneously. When your team documents compliance with SB 26-189’s deployer notification requirement, that same evidence can satisfy parallel obligations under other frameworks. Document once, comply at scale.

Trustible’s Model and Vendor Evaluations module gives compliance teams a structured way to assess AI vendors against SB 26-189’s documentation requirements and flag gaps before they become compliance risks. And Trustible’s Risk Management module produces defensible records that demonstrate governance maturity even without a statutory safe harbor.

Contact us to see how Trustible maps your AI systems against Colorado’s AI Act and every other framework your team is managing.


FAQ

What is Colorado SB 26-189?

SB 26-189 is Colorado’s current AI law, signed by Governor Jared Polis on May 14, 2026. It repealed and replaced the original SB 24-205 with a restructured set of obligations for developers and deployers of covered automated decision-making technology. The law takes effect January 1, 2027.

What happened to Colorado SB 24-205?


SB 24-205 was repealed entirely by SB 26-189. It never took effect. The original February 1, 2026 effective date was delayed to June 30, 2026 after a failed special legislative session. A federal lawsuit filed by xAI, supported by the U.S. Department of Justice, resulted in a court stay on April 27, 2026. The Colorado legislature then rewrote the law rather than defend the original statute.

What is covered ADMT under Colorado law?


Covered automated decision-making technology includes any computational process that makes or substantially informs consequential decisions in high-stakes domains: employment, credit, insurance, health care, housing, education, and legal services. This term replaces SB 24-205’s “high-risk AI system.”

What does SB 26-189 require deployers to do?


Deployers must: notify consumers before they interact with covered ADMT; disclose adverse ADMT outcomes within 30 days; correct inaccurate personal data on request; and provide meaningful human review of adverse decisions. The broad risk management programs and impact assessments from SB 24-205 were removed.

Is there still a NIST AI RMF or ISO 42001 safe harbor?


No. SB 24-205 included a rebuttable presumption of compliance for organizations aligned with NIST AI RMF or ISO 42001. SB 26-189 removed this affirmative defense. Framework alignment is still valuable for building a defensible governance posture, but it’s no longer a statutory safe harbor.

What are the penalties for violating Colorado’s AI Act?


The Colorado Attorney General can impose civil penalties of up to $20,000 per violation. The AG must provide a notice-and-cure period before assessing penalties, giving organizations an opportunity to remediate before fines are levied.

Does Colorado’s AI Act cover AI used in hiring?


Yes. Employment decisions are one of the explicitly covered consequential decision domains under SB 26-189. Deployers using AI in hiring, promotion, or termination decisions must provide pre-interaction notice, disclose adverse outcomes within 30 days, honor data correction requests, and offer meaningful human review.

How does SB 26-189 compare to SB 24-205?


SB 26-189 is a full replacement, not an amendment. It removes SB 24-205’s risk management programs, impact assessments, duty of care to prevent algorithmic discrimination, 90-day incident reporting, and NIST/ISO safe harbor. In their place, it establishes four targeted operational duties: AI interaction notice, 30-day adverse outcome disclosure, data correction rights, and meaningful human review. Civil penalties of up to $20,000 per violation are now specified.

What should I do now to prepare?


Start with an AI inventory to identify every covered ADMT in use. Classify systems by decision domain. Build notification, disclosure, data correction, and human review workflows for each covered system. Request SB 26-189’s statutory documentation from AI vendors. Review contracts for liability-shifting clauses. Document everything. The January 1, 2027 deadline is seven months away.
