Colorado's original AI Act, SB 24-205 — passed in May 2024 and the first comprehensive state AI law in the United States — no longer exists. On 14 May 2026, Governor Jared Polis signed Senate Bill 26-189, which fully repeals SB 24-205 and replaces it with a materially different regulatory framework. The replacement takes effect 1 January 2027.
What led here
SB 24-205 was always contested. When Polis signed it in 2024, he did so with a public letter urging the legislature to revisit the approach. A special session in August 2025 extended the effective date from 1 February 2026 to 30 June 2026 without changing the substance. In early April 2026, Elon Musk's xAI sued in federal court to enjoin enforcement on First Amendment and dormant commerce clause grounds — the first major challenge to a state AI law. The Trump Department of Justice intervened on 24 April 2026, marking the federal government's first move to invalidate a state AI law under the December 2025 AI executive order. On 27 April, a federal magistrate stayed enforcement while litigation proceeded. With the law frozen and its core framework under sustained attack from both the courts and a governor-appointed working group, the legislature moved fast: SB 26-189 was introduced, passed 34-1 in the Senate and 57-6 in the House, and signed within two weeks.
What the replacement law requires
SB 26-189 regulates "automated decision-making technology" (ADMT) — defined as technology that processes personal data to produce outputs used to "materially influence" a "consequential decision." Consequential decisions include employment (hiring, promotion, discipline, termination), housing, financial services, insurance, healthcare, and education.
The threshold — material influence — matters. ADMT that plays an incidental role in a decision process is not necessarily covered. The focus is on systems that meaningfully alter the outcome of a consequential decision affecting an individual.
For covered uses, the law requires: consumer-facing notices disclosing that ADMT is being used and the categories of data processed; a mechanism for consumers to opt out of ADMT use for consequential decisions; and, in some circumstances, a right to receive a meaningful explanation of a consequential decision and to appeal it. Developers of ADMT must provide deployers with information sufficient to allow compliance. Enforcement is by the Attorney General as an unfair trade practice, with a cure period through end of 2027 and no private right of action.
What the replacement law drops
Gone entirely: the duty of reasonable care to prevent algorithmic discrimination; mandatory risk management programmes aligned to NIST AI RMF or ISO 42001; annual impact assessments within 90 days of deployment; impact assessment disclosure obligations; and the high-risk AI system classification regime. The original SB 24-205 was architecturally similar to the EU AI Act — risk-based, with affirmative obligations on developers and deployers. SB 26-189 is architecturally closer to a consumer rights statute: notice, opt-out, and explanation rights, with enforcement through the consumer protection framework.
Three additional Colorado AI bills
SB 26-189 was not the only Colorado AI legislation signed in this window. HB 1263 (chatbot safety, effective 1 January 2027) imposes disclosure requirements for AI companions and chatbots, particularly where there is a risk of harm to vulnerable users including minors. HB 1139 (AI in health insurance coverage decisions, effective 1 January 2027) requires human review of AI-generated adverse coverage decisions. HB 1195 (AI in psychotherapy, effective 12 August 2026) restricts AI use in psychotherapy services. Together these bills represent targeted consumer protection approaches alongside the broader ADMT framework.
What this means for organisations
The effective date of 1 January 2027 provides a compliance window. However, the Attorney General has indicated enforcement will not begin until rulemaking is complete, and rulemaking has not started. This creates uncertainty about the operational scope of the law. Organisations should track rulemaking developments closely.
The substantive impact is significant for any company making AI-influenced decisions about employees or customers in Colorado — which includes a substantial proportion of US enterprise AI deployment. Even the lighter disclosure framework requires identifying where ADMT is in use, what data it processes, and how to communicate that to affected individuals. The opt-out mechanism requires a compliance infrastructure most organisations have not built.
The broader lesson from Colorado is that the US state AI law landscape is not stable. Laws are passed, frozen, challenged, repealed, and replaced on timelines that compliance programmes cannot easily absorb. The minimum viable response for any organisation operating across US states is: maintain an AI system inventory, track which state laws apply to each system and each state, and build governance infrastructure that can flex as the law changes — rather than point-in-time compliance exercises tied to specific effective dates.
Primary sources: Colorado SB 26-189 (General Assembly) | Seyfarth — Colorado Enacts AI Replacement Law (May 2026) | Norton Rose Fulbright — Colorado Enacts Revised AI Law