Colorado AI Act (SB 205): Compliance Playbook

15 min read · Updated May 18, 2026

Bottom Line Up Front

Colorado's AI Act (SB 205) takes effect June 30, 2026, making it the first US state law requiring deployers of high-risk AI systems to implement risk management policies, impact assessments, consumer notifications, and appeal processes. Deployers who satisfy all six obligations earn a rebuttable presumption of reasonable care. An affirmative defense adds legal protection through NIST AI RMF or ISO 42001 compliance.

Legislative Update, May 2026: Governor Polis signed SB 26-189 on May 14, 2026. SB 26-189 (1) pushes the effective date from June 30, 2026 to January 1, 2027; (2) repeals the original risk-based framework (six deployer obligations, rebuttable presumption, affirmative defense) and replaces it with a disclosure and transparency framework centered on consumer notice, post-adverse-decision explanation within 30 days, and meaningful human review rights; and (3) followed an April 27, 2026 federal magistrate court order that had stayed enforcement of the original Colorado AI Act. The article below reflects the signed SB 26-189 framework.

Colorado AI Act compliance starts with a revised deadline and a fundamentally changed legal landscape. Governor Polis signed SB 24-205 on May 17, 2024. The original effective date was February 1, 2026. Then the August 2025 special session produced SB 25B-004, pushing enforcement to June 30, 2026. On May 9, 2026, the Colorado General Assembly passed SB 26-189, pushing the effective date again to January 1, 2027 and replacing the original risk-based compliance architecture with a disclosure and transparency framework (Colorado SB 24-205; SB 25B-004; SB 26-189). Before SB 26-189 was passed, a federal magistrate judge had already stayed enforcement of the original Colorado AI Act on April 27, 2026.

The compliance gap has shifted in character. Colorado’s AI Act targets every AI system that makes or substantially influences a “consequential decision” covering employment, lending, insurance, housing, healthcare, education, essential government services, and legal services under Colorado SB 24-205, Section 6-1-1702. Those eight protected domains survive SB 26-189’s framework replacement. What is changing is the compliance architecture: the original six-obligation structure based on a risk management policy, annual impact assessment, and affirmative defense built around NIST AI RMF is being repealed and replaced with disclosure and transparency obligations. The Colorado Attorney General retains exclusive enforcement authority with penalties reaching $20,000 per violation under the Colorado Consumer Protection Act.

The Colorado AI Act (SB 24-205, as amended by SB 26-189) takes effect January 1, 2027. SB 26-189 (passed May 9, 2026) replaces the original risk-based framework with a disclosure and transparency approach. The eight protected consequential-decision domains and Colorado Attorney General enforcement authority remain. Organizations should confirm compliance obligations against SB 26-189 final text before designing a compliance architecture (Colorado SB 24-205; SB 25B-004; SB 26-189).

What Does the Colorado AI Act Classify as High-Risk?

The Colorado AI Act uses a two-part classification test that catches more systems than most compliance teams expect. First, the system must make or be a “substantial factor” in making a consequential decision. “Substantial factor” means the system assists in the decision and is capable of altering the outcome under Colorado SB 24-205, Section 6-1-1702. Second, the decision must carry a “material legal or similarly significant effect” on one of eight protected domains: education enrollment, employment, financial or lending services, essential government services, healthcare, housing, insurance, or legal services. These eight domains survive SB 26-189. The classification mechanism (high-risk AI in consequential decisions) remains the organizing principle; the disclosure and transparency obligations that flow from that classification have changed.

What counts as a consequential decision under SB 24-205?

The statute defines consequential decision as any decision with a material legal or similarly significant effect on provision, denial, cost, or terms of the eight protected domains under Colorado SB 24-205, Section 6-1-1702. A pricing algorithm that adjusts insurance premiums based on behavioral data is making a consequential decision about the “cost” of insurance. A resume screening tool that filters out 70% of applicants before a human reviews the remaining 30% is making a consequential decision about employment opportunity. The “substantial factor” qualifier means the AI must be capable of altering the outcome.

The practical test: remove the AI system from the process. Does the outcome change? If yes, the system is a substantial factor. If the same human would reach the same decision with or without the AI output, the system is informational, not consequential.

What is algorithmic discrimination under Colorado law?

Colorado defines algorithmic discrimination as any condition in which AI use results in unlawful differential treatment or impact disfavoring an individual or group based on protected classifications under Colorado SB 24-205, Section 6-1-1702. The protected classes are extensive: age, color, disability, ethnicity, genetic information, limited English proficiency, national origin, race, religion, reproductive health, sex, veteran status, and any other class protected under Colorado or federal law. The word “unlawful” is load-bearing. Differential treatment that does not violate existing antidiscrimination law is not algorithmic discrimination under the Act.

The audit fix. Inventory every AI system in your organization that influences decisions in the eight protected domains. For each system: (1) Document whether the system makes, or is a substantial factor in making, a consequential decision. Apply the removal test: does removing the AI change the outcome? (2) Identify which protected domain the decision falls within. (3) Classify the system as high-risk or not. This inventory becomes the foundation for every compliance obligation under SB 26-189 once its final text is available.

The Original Six Deployer Obligations Under SB 24-205 (Being Replaced by SB 26-189)

Note on SB 26-189: The six-obligation structure described in this section reflects the original SB 24-205 risk-based framework. SB 26-189 (passed May 9, 2026) repeals this framework and replaces it with a disclosure and transparency approach. Compliance teams should treat this section as background context and historical architecture. The final compliance obligations under the amended law require verification against SB 26-189’s signed text.

Under the original SB 24-205, compliance obligations formed a six-part structure. Meeting all six created a rebuttable presumption that the deployer used reasonable care to protect consumers from algorithmic discrimination under Colorado SB 24-205, Section 6-1-1702. The six obligations were: (1) a risk management policy governing deployment, (2) an annual impact assessment evaluating algorithmic discrimination potential, (3) consumer notification before each consequential decision, (4) a public disclosure statement on the deployer’s website, (5) a data correction process for consumers to correct incorrect personal data, and (6) a human appeal process for adverse consequential decisions. SB 26-189 replaces this structure.

| Obligation | Status Under SB 26-189 | Original SB 24-205 Requirement |
|---|---|---|
| Risk management policy | Repealed (framework shift) | Written policy and program governing deployment |
| Impact assessment | Repealed (framework shift) | Evaluate algorithmic discrimination potential annually |
| Consumer notification | Preserved under SB 26-189 disclosure framework; notice required at point of interaction | Disclose purpose, nature, contact info before each consequential decision |
| Public statement | Preserved under SB 26-189 transparency framework | Publish AI system types, discrimination risk management, data practices |
| Data correction | Preserved; consumers retain right to request correction of personal data under SB 26-189 | Allow consumers to correct incorrect personal data |
| Human appeal | Preserved in revised form; consumers may request meaningful human review of adverse decisions under SB 26-189 | Provide human review for adverse decisions (if technically feasible) |

Developer Obligations: What Your Vendors Owe You

Colorado’s AI Act does not stop at deployers. Developers of high-risk AI systems carry independent obligations that directly affect your compliance posture under Colorado SB 24-205. Under SB 26-189’s signed framework, developer documentation obligations survive: developers must provide technical documentation covering intended uses, training data categories, known limitations, and human oversight instructions. The underlying logic (that vendors developing the AI systems you deploy must give you documentation sufficient to meet your own obligations) is the kind of requirement that persists under any disclosure/transparency framework.

Under the original SB 24-205, developers were required to provide deployers with technical documentation covering foreseeable harmful uses, data governance measures, evaluation methodology, intended outputs, and model/dataset cards. Developers that discovered algorithmic discrimination had to notify the AG and all known deployers within 90 days. Build that 90-day notification expectation into your vendor contracts now, regardless of SB 26-189’s final text.

How does the small deployer exemption work?

Organizations with fewer than 50 full-time employees received limited disclosure exemptions under the original SB 24-205, but only under specific conditions. The small deployer must not use its own data to train or fine-tune the system. The critical nuance: customizing a model with proprietary data removes the exemption. SB 26-189’s signed text applies its obligations to “deployers” without the same explicit small-deployer carve-out structure as the original law; organizations under 50 employees should treat the full disclosure and transparency framework as applicable unless legal counsel identifies a specific exemption.

The audit fix. For deployers working with third-party AI vendors: (1) Identify every vendor developing AI systems you deploy for consequential decisions. (2) Add a contractual clause requiring 90-day notification of any discovered algorithmic discrimination. (3) Verify whether the vendor has published any required public disclosure. (4) Confirm vendor agreement to provide documentation you need for compliance once SB 26-189’s final framework is established.

The Affirmative Defense Under the Original SB 24-205 (Being Repealed by SB 26-189)

Note: SB 26-189 (signed May 14, 2026) repeals the duty-of-care framework and Section 6-1-1703 affirmative defense. The NIST AI RMF safe harbor is no longer the operative compliance architecture under Colorado law.

Under the original SB 24-205, an affirmative defense under Section 6-1-1703 provided legal protection through two prongs. Prong A required proof the organization discovered and cured the violation through adversarial testing or internal review. Prong B required compliance with the NIST AI Risk Management Framework, ISO/IEC 42001, or a substantially equivalent framework under Colorado SB 24-205, Section 6-1-1703. SB 26-189’s framework shift to a disclosure/transparency model makes the continued availability of this affirmative defense uncertain. Organizations that built NIST AI RMF compliance for the affirmative defense retain that governance infrastructure as a valuable asset regardless of Colorado’s legislative evolution, because the NIST AI RMF also serves as the safe harbor in Texas TRAIGA, aligns with federal procurement expectations, and maps to EU AI Act requirements.

Enforcement: What the Attorney General Can and Cannot Do

Colorado’s enforcement model is AG-exclusive with no private right of action under Colorado SB 24-205. Consumers cannot sue deployers directly under the AI Act. Only the Colorado Attorney General initiates enforcement actions, and violations are treated as unfair trade practices under the Colorado Consumer Protection Act. The AG has published pre-rulemaking considerations. Formal rulemaking on the SB 26-189 framework has not started as of May 2026.

How are penalties calculated under the Colorado AI Act?

The penalty structure derives from the Colorado Consumer Protection Act: up to $20,000 per violation under the Colorado CPA. The per-violation structure is where exposure multiplies. Each undisclosed consequential decision is potentially a separate violation. SB 26-189 retains the 60-day cure period before enforcement action. The AG must notify the deployer of the alleged violation and allow 60 days to cure before commencing enforcement. The cure period sunsets January 1, 2030.

What about federal preemption and the April 2026 stay?

Two separate developments now complicate enforcement. First, the December 11, 2025 Executive Order on AI (“Ensuring a National Policy Framework for Artificial Intelligence”) signals federal intent to preempt state AI laws [EO 14365, December 2025]. The DOJ AI Litigation Task Force was directed to be established within 30 days of the December 11 order, targeting approximately January 10, 2026. The Commerce Department was directed to identify burdensome state laws by March 11, 2026, 90 days after the EO. The legal reality: executive orders lack the force of law, Congress has not authorized preemption, and no federal AI regulatory scheme exists as of May 2026.

Second, a federal magistrate judge issued an order staying enforcement of the original Colorado AI Act on April 27, 2026. The stay relates to the original SB 24-205 framework and the litigation that preceded SB 26-189’s passage. The relationship between the stay and SB 26-189’s new framework requires tracking as litigation develops.

Bottom Line Up Front

Federal preemption of state AI laws is a political signal, not a legal fact. SB 26-189 represents Colorado’s legislature choosing to refine its approach rather than abandon AI regulation. The organizations building disclosure and transparency capabilities now are positioned for the January 1, 2027 effective date regardless of which specific obligations SB 26-189’s final text imposes.

The Compliance Playbook: What to Do Before January 1, 2027

With SB 26-189 signed on May 14, 2026, compliance planning can now proceed against the confirmed disclosure and transparency framework, with the January 1, 2027 effective date providing meaningful runway.

Phase 1 (Now through Q3 2026): Framework foundation

  • AI system inventory: Catalog every AI system that makes or substantially influences consequential decisions across the eight protected domains. This inventory is required under any version of Colorado AI regulation.
  • High-risk classification: Apply the two-part test to every inventoried system. Document the “substantial factor” analysis and the consequential decision domain.
  • Vendor documentation: Obtain technical documentation from every developer whose AI systems you deploy. This is required under the original statute and likely under SB 26-189’s successor framework.
  • Framework mapping: Map your current compliance posture against SB 26-189’s signed disclosure and transparency framework. Identify the delta from any prior risk-based compliance work.

Phase 2 (Upon SB 26-189 signature through Q3 2026): Framework-specific compliance build

  • Disclosure framework implementation: Build the disclosure and transparency controls SB 26-189 requires: consumer notice at point of interaction, a 30-day post-adverse-decision explanation workflow, consumer data correction procedures, and a meaningful human review request process.
  • Consumer notification workflow: Design the notification mechanism for every decision point where a high-risk system influences a consequential decision. Pre-decision notification has been a consistent element across both SB 24-205 and the disclosure/transparency model.
  • Public statement: SB 26-189 retains a public-facing transparency requirement; draft and publish the required website disclosure describing your AI use in consequential decisions.

Phase 3 (Q4 2026 through December 31, 2026): Validation and enforcement readiness

  • Tabletop exercise: Simulate an AG investigation against SB 26-189’s framework. Test whether your evidence package answers the questions the statute implies.
  • Board reporting: Present the compliance posture to the board or executive leadership. Document the briefing.
  • Vendor confirmation: Verify developers have met their statutory obligations. Confirm you have received the required technical documentation.

The audit fix. SB 26-189 was signed May 14, 2026. Complete the AI system inventory and classification now. These deliverables are required under any version of Colorado AI law. Map your compliance posture against the signed SB 26-189 disclosure and transparency framework. The January 1, 2027 effective date provides meaningful runway if Phase 1 work begins immediately.

Colorado’s legislative evolution from SB 24-205 to SB 26-189 is not a retreat from AI regulation. It is a recalibration toward a disclosure/transparency model that other states have also adopted. The compliance infrastructure that transfers unchanged: the AI system inventory, the classification methodology, the vendor documentation program, and the consumer-facing notification workflows. SB 26-189’s signed framework confirms the direction. Build now.

Frequently Asked Questions

When does the Colorado AI Act take effect?

The Colorado AI Act (SB 24-205, as amended by SB 26-189) now has an effective date of January 1, 2027 per SB 26-189 (signed by Governor Polis on May 14, 2026). The prior effective date of June 30, 2026 was established by SB 25B-004 from the August 2025 special session. SB 26-189 also changes the substantive framework from risk-based obligations to disclosure and transparency.

What is a high-risk AI system under Colorado law?

A high-risk AI system is any system that makes or is a substantial factor in making a consequential decision. A consequential decision has a material legal or similarly significant effect on education, employment, financial services, government services, healthcare, housing, insurance, or legal services under Colorado SB 24-205, Section 6-1-1702. This classification framework survives SB 26-189.

What penalties does the Colorado AI Act impose?

Violations are treated as unfair trade practices under the Colorado Consumer Protection Act, carrying penalties up to $20,000 per violation. Each undisclosed consequential decision is potentially a separate violation. Whether a 60-day cure period survives under SB 26-189 requires verification against the final signed text [Colorado CPA; Colorado SB 24-205].

Can consumers sue under the Colorado AI Act?

No. The Colorado AI Act provides no private right of action. Only the Colorado Attorney General initiates enforcement actions under Colorado SB 24-205. This AG-exclusive enforcement model is expected to survive SB 26-189.

Does the six-obligation framework still apply?

No. SB 26-189 (signed May 14, 2026) repeals the original risk-based six-obligation framework (risk management policy, annual impact assessment, rebuttable presumption, affirmative defense) and replaces it with a disclosure and transparency framework. The operative compliance obligations under the signed law are: consumer notice at point of interaction, plain-language explanation within 30 days of adverse decisions, consumer data correction rights, and meaningful human review rights.

Does the small deployer exemption apply if I fine-tune a model?

Under the original SB 24-205, the exemption for organizations with fewer than 50 employees required that you not use your own data to train or fine-tune the AI system. SB 26-189 restructures obligations around the “deployer” role without a corresponding explicit small-deployer carve-out; organizations relying on this exemption should confirm applicability with legal counsel against the enrolled SB 26-189 text.

Will federal preemption override the Colorado AI Act?

Not as of May 2026. The December 2025 Executive Order signals federal intent to preempt state AI laws, but executive orders lack the force of law and no court has struck down a state AI law on preemption grounds. A separate federal magistrate court order stayed enforcement of the original Colorado AI Act on April 27, 2026, but SB 26-189’s new framework is not directly affected by that stay. Colorado’s law, as amended by SB 26-189, remains operative pending any future federal action.

Josef Kamara, CPA, CISSP, CISA, Security+

Former KPMG and BDO. Senior manager over third-party risk attestations and IT audits at a top-five global firm, and former technology risk leader directing the IT audit function at a Fortune 500 medical technology company. Advises growth-stage SaaS companies on SOC 2, HIPAA, and AI governance certifications.