AI Governance

Colorado AI Act Compliance Playbook: SB 24-205 and SB 26-189

· 13 min read · Updated June 2, 2026

Bottom Line Up Front

Colorado's AI Act (SB 205) takes effect June 30, 2026, making it the first US state law requiring deployers of high-risk AI systems to implement risk management policies, impact assessments, consumer notifications, and appeal processes. Deployers who satisfy all six obligations earn a rebuttable presumption of reasonable care. An affirmative defense adds legal protection through NIST AI RMF or ISO 42001 compliance.

Editor’s Note, June 2, 2026. This playbook was originally written for Colorado SB 24-205 as first enacted. That version of the law no longer controls. A federal court stayed enforcement of SB 24-205 on April 27, 2026, in litigation brought by xAI and joined by the U.S. Department of Justice. On May 14, 2026, Governor Polis signed SB 26-189, which repeals and reenacts the Colorado AI Act as a narrower automated decision-making technology (ADMT) law, with obligations that take effect January 1, 2027. We have rewritten this playbook to SB 26-189. The original deadline, impact-assessment, rebuttable-presumption, and affirmative-defense guidance no longer applies and is retained only as historical context where noted. For the framework that still carries weight across jurisdictions, see our NIST AI RMF affirmative-defense guidance.

Colorado AI Act compliance just changed at the foundation. The state rewrote its AI law before the first version ever took effect. Governor Polis signed SB 24-205 in May 2024 and set a 2026 compliance date. Litigation and a second bill overtook it. A federal magistrate judge stayed enforcement of SB 24-205 on April 27, 2026. Three weeks later, on May 14, 2026, the Governor signed SB 26-189, which repeals the original framework and reenacts a narrower one. The obligations under the new law apply beginning January 1, 2027.

The shift is structural, not cosmetic. SB 24-205 built a risk-based duty of care: a risk management program, an annual impact assessment, a rebuttable presumption of reasonable care, and an affirmative defense keyed to recognized frameworks. SB 26-189 discards that architecture. In its place sits a notice-and-transparency model: tell people when an automated system shapes a decision about them, explain adverse outcomes, let them fix bad data, and give them a path to human review. The covered conduct is similar. The compliance machine you build to meet it is different.

Colorado AI Act compliance now runs through SB 26-189 (signed May 14, 2026), which repealed and reenacted SB 24-205 after a federal court stayed the original law on April 27, 2026. The new obligations take effect January 1, 2027. SB 26-189 drops the risk-management program, impact assessment, rebuttable presumption, and affirmative defense. It imposes four consumer-facing duties on deployers of covered automated decision-making technology (ADMT), a documentation duty on developers, and centralizes enforcement with the Colorado Attorney General. Build the inventory and the notice-and-review workflows now; rulemaking will fill in the detail.

What SB 26-189 Changed

SB 26-189 repeals and reenacts the Colorado AI Act. That drafting choice matters. The legislature did not amend SB 24-205 clause by clause. It replaced the statute, which lets it retire the parts that drew constitutional challenge while keeping the consumer-protection spine. Law firms tracking the bill, including Crowell & Moring and Holland & Knight, describe the result as a reset toward a notice-based regime.

Four pillars of the original law are gone. The duty of care to protect consumers from algorithmic discrimination is gone. The mandatory risk management program is gone. The annual impact assessment is gone. The rebuttable presumption and the affirmative defense at former C.R.S. 6-1-1703 under SB 24-205, the safe harbor that rewarded NIST AI RMF or ISO/IEC 42001 alignment, are both gone. (The reenacted statute reuses the number 6-1-1703 for a deployer record-keeping duty, so cite the affirmative defense to the original act, not to the current code.) Organizations that built that governance infrastructure for Colorado have not wasted the effort. The same controls map to Texas, to federal procurement expectations, and to the EU AI Act. They simply no longer earn a specific Colorado safe harbor, because Colorado no longer offers one.

What Counts as Covered ADMT and a Consequential Decision

SB 26-189 trades the phrase “high-risk artificial intelligence system” for “automated decision-making technology,” or ADMT. The statute defines covered ADMT as technology that uses computation, including machine learning, to process personal data and materially influence a consequential decision. The trigger is influence over the decision, not the sophistication of the model.

A consequential decision is one with a material legal or similarly significant effect on a consumer’s access to one of seven domains: employment, housing, lending and other financial services, insurance, health care, education, and essential government services. Routine functions sit outside the definition. Spam filters, spell-checkers, firewalls, calculators, databases, scheduling tools, customer-service triage, search, content moderation, and advertising do not make consequential decisions. The carve-outs narrow the field that SB 24-205 had drawn wide.

The audit fix. Build an AI system inventory keyed to the seven domains. For each system, answer two questions. Does it process personal data using computation or machine learning? Does it materially influence a decision about employment, housing, lending, insurance, health care, education, or government services? If both answers are yes, the system is covered ADMT and the notice, disclosure, correction, and human-review duties attach. Document the systems you exclude and why, because the carve-outs are the first place an enforcement inquiry will probe.

The Four Deployer Duties

SB 26-189 imposes four consumer-facing duties on deployers of covered ADMT. These are the operative obligations. Plan against them, not against the repealed six.

Duty What the deployer must do Trigger
Notice at interaction Provide clear and conspicuous notice that a covered ADMT is being used to materially influence a decision. A prominent public notice with a link to detail satisfies the duty. Before or at the point of interaction
Adverse-outcome disclosure Explain the decision in plain language, describe the ADMT’s role in it, and tell the consumer how to ask for more information. The statute fixes the window at 30 calendar days. After an adverse consequential decision
Data correction Let the consumer access and correct personal data that is factually incorrect or materially inaccurate and that fed the decision. On consumer request
Human review and reconsideration Provide meaningful human review and reconsideration, to the extent commercially reasonable, by a trained reviewer who can change the outcome and does not rubber-stamp the system. On consumer request after an adverse outcome

Two phrases carry the weight. “Materially influence” defines which systems trigger the duties. “Commercially reasonable” qualifies the human-review duty, and the forthcoming rules will shape how far it reaches. Until the Attorney General publishes that detail, design the review workflow to a defensible standard: a named reviewer, authority to overturn the automated result, and a record of the reconsideration.

Developer Documentation Duties

SB 26-189 keeps a documentation duty on the upstream side, and it carries a firm start date. Beginning January 1, 2027, a developer that makes a covered ADMT available for use in consequential decisions must give deployers technical documentation. That documentation covers the intended uses, the categories of training data, known limitations, and instructions for appropriate use and human review. Developers must notify deployers of material updates and retain records for at least three years.

The practical risk is supply. Most vendors do not ship this documentation today. A deployer cannot meet its own duties without it, so the gap becomes a contracting problem before it becomes a compliance problem.

The audit fix. For every vendor whose automated system you deploy in a consequential decision, add a contract clause that requires the SB 26-189 developer documentation set, delivered before January 1, 2027, with an obligation to notify you of material updates. Confirm the vendor retains records for the three-year window. Where a vendor cannot or will not commit, treat that as a sourcing decision, not a paperwork delay.

Enforcement: What the Attorney General Can Do

Enforcement sits exclusively with the Colorado Attorney General. There is no private right of action. A violation of the act is a deceptive trade practice under the Colorado Consumer Protection Act, which carries civil penalties of up to $20,000 per violation. The per-violation structure is where exposure compounds, because each covered interaction can stand as its own violation.

The act gives deployers a runway before a penalty lands. The Attorney General must provide 60 days’ notice and an opportunity to cure, except for knowing or repeated violations. That cure right sunsets on January 1, 2030. After that date, the cure window closes.

Much of the operational detail is deferred to rulemaking. The Attorney General is directed to adopt rules that define disclosure content and the mechanics of the consumer rights, including sector-specific guidance, by January 1, 2027. Treat the statute as the floor and the rules as the specification. The compliance build you start now should be structured to absorb rule detail, not to assume it.

On discrimination, SB 26-189 sets fault-based apportionment. Where an algorithmic-discrimination claim reaches both a developer and a deployer, liability is allocated by relative responsibility rather than imposed jointly without regard to fault. The act also voids contract clauses that try to shift liability for a party’s own discriminatory use of ADMT onto another party. A deployer cannot indemnify its way out of its own conduct, and neither can a developer.

The Litigation Backdrop and Why It Still Matters

The new law did not arrive in a vacuum. xAI sued in federal court in Colorado on April 9, 2026, challenging SB 24-205 on constitutional grounds. The Department of Justice moved to intervene on April 24, 2026, the first time the DOJ has stepped into a challenge to a state AI law. On April 27, 2026, Magistrate Judge Cyrus Chung granted a joint motion that stayed enforcement of the original act. Norton Rose Fulbright tracks the procedural posture in detail.

The stay reached SB 24-205, the law SB 26-189 has now replaced. The new act sets its own start date of January 1, 2027 and is the operative statute going forward. The constitutional questions the litigation raised, compelled speech in the disclosure duties and the treatment of protected classes in the discrimination provisions, did not disappear with the rewrite. They are the reason to watch the Attorney General’s rulemaking closely, because the rules are where those questions get tested next.

Bottom Line Up Front

Colorado refined its approach rather than abandoning AI regulation. The duty of care is gone; the notice, disclosure, correction, and human-review duties remain and apply January 1, 2027. The organizations that inventory their automated systems and stand up the four consumer-facing workflows now are positioned for that date, whatever the rulemaking adds.

The Compliance Playbook: What to Do Before January 1, 2027

SB 26-189 is signed and the framework is known, so Colorado AI Act compliance is now a planning exercise rather than a guessing game. The runway is real, and the work divides into three phases.

Phase 1 (now through the third quarter of 2026): Foundation

  • AI system inventory. Catalog every automated system that processes personal data and materially influences a decision in the seven covered domains. This inventory underpins every duty.
  • Coverage analysis. Apply the two-part test to each system and record the result. Document the carve-outs you rely on, because the exclusions are where scrutiny starts.
  • Vendor documentation clauses. Add SB 26-189 developer-documentation requirements to contracts, with delivery before January 1, 2027 and a duty to notify you of material updates.

Phase 2 (third quarter of 2026 through year end): Build the four workflows

  • Notice at interaction. Design the clear-and-conspicuous notice for each point where a covered ADMT influences a consequential decision.
  • Adverse-outcome disclosure. Stand up a plain-language explanation workflow that fires after an adverse decision and names the ADMT’s role, inside the statute’s fixed 30-calendar-day window. The rulemaking will govern the disclosure content, not the deadline.
  • Data correction. Build the intake and correction path for consumers to fix inaccurate personal data that fed a decision.
  • Human review. Define the meaningful-review process: a trained reviewer with authority to overturn the result and a record of the reconsideration.

Phase 3 (fourth quarter of 2026): Validate against the rules

  • Rule mapping. Track the Attorney General’s rulemaking and reconcile your workflows to the disclosure content and consumer-rights mechanics the rules specify.
  • Tabletop exercise. Simulate an Attorney General inquiry. Test whether your records answer the questions the statute and rules imply.
  • Board reporting. Brief leadership on the posture and document the briefing.

The audit fix. Start Phase 1 of your Colorado AI Act compliance work now. The inventory and the coverage analysis are required under any reading of the law and gate everything downstream. The four consumer-facing workflows take months to build well, and the January 1, 2027 date does not move on its own.

Colorado’s path from SB 24-205 to SB 26-189 is a recalibration, not a retreat. The infrastructure that transfers unchanged is the part worth building first: the inventory of automated systems, the coverage methodology, the vendor-documentation program, and the consumer-facing notice and review workflows. The risk-management and impact-assessment apparatus that the original law mandated is no longer required in Colorado, though it still earns its keep under other frameworks. Build to the duties that apply.

Frequently Asked Questions

When does the Colorado AI Act take effect?

The obligations under SB 26-189, the law that repealed and reenacted the Colorado AI Act, take effect January 1, 2027. Governor Polis signed SB 26-189 on May 14, 2026. The earlier 2026 compliance date belonged to the original SB 24-205, which a federal court stayed on April 27, 2026 and which SB 26-189 has now replaced.

What is covered ADMT under SB 26-189?

Covered automated decision-making technology (ADMT) is technology that uses computation, including machine learning, to process personal data and materially influence a consequential decision. A consequential decision is one with a material effect on access to employment, housing, lending, insurance, health care, education, or essential government services. Routine tools such as spam filters, spell-checkers, and search fall outside the definition.

What duties does SB 26-189 impose on deployers?

Four. Provide clear notice that a covered ADMT is in use at the point of interaction. After an adverse decision, explain it in plain language and describe the system’s role, within the statute’s 30-calendar-day window. Let consumers correct inaccurate personal data. Provide meaningful human review and reconsideration, to the extent commercially reasonable.

What happened to the affirmative defense and the impact assessment?

SB 26-189 repealed both. The risk management program, the annual impact assessment, the rebuttable presumption of reasonable care, and the affirmative defense at former C.R.S. 6-1-1703 under SB 24-205 (tied to NIST AI RMF or ISO/IEC 42001) no longer exist under Colorado law. That governance work still maps to other frameworks, but it no longer earns a Colorado-specific safe harbor.

What penalties does the Colorado AI Act impose?

A violation is a deceptive trade practice under the Colorado Consumer Protection Act, which carries civil penalties of up to $20,000 per violation. Only the Colorado Attorney General enforces the act; there is no private right of action. The Attorney General must give 60 days’ notice and a chance to cure, except for knowing or repeated violations, and that cure right sunsets January 1, 2030.

When do developer documentation duties begin?

January 1, 2027. From that date, a developer that makes a covered ADMT available for consequential decisions must provide deployers with documentation covering intended uses, training-data categories, known limitations, and instructions for appropriate use and human review, and must retain records for at least three years.

How is discrimination liability allocated?

By fault. Where an algorithmic-discrimination claim reaches both a developer and a deployer, liability is apportioned by relative responsibility. SB 26-189 also voids contract clauses that try to shift liability for a party’s own discriminatory use of ADMT onto another party.

Did the federal court stay end Colorado’s AI law?

No. The April 27, 2026 stay paused enforcement of the original SB 24-205. SB 26-189 then replaced that law and set its own start date of January 1, 2027. The constitutional questions raised in the xAI litigation, which the Department of Justice joined, remain live and are likely to shape the Attorney General’s rulemaking.

Discipline in preparation. Confidence in the room.

Josef Kamara, CPA, CISSP, CISA, Security+
Josef Kamara
Josef Kamara
CPA · CISSP · CISA · Security+ · MBA

15+ years in Technology Risk Consulting, External and Internal Audit across KPMG (Financial Audit), BDO (Senior Manager across the Third-Party Risk Management practice and IS Assurance, leading technology assurance audits of public and private companies), and Stryker (Head of SOX IT Audit). Founded The Audit Defense Library in 2024 after 50+ SOC 1, SOC 2, HITRUST, and HIPAA attestation engagements plus multiple SOX and IT assurance projects.

The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.