Key takeaways (May 17, 2026)
- Colorado SB 26-189 cleared both chambers on May 12, 2026 by 34-1 in the Senate and 57-6 in the House, repealing and replacing the original 2024 AI Act before it could take effect.
- The new law swaps “high-risk AI system” and “algorithmic discrimination” for a narrower “automated decision-making technology” (ADMT) regime focused on consumer disclosures, post-adverse-outcome explanations, correction rights, and meaningful human review.
- SB 189 awaits Governor Polis’s signature and is set to take effect January 1, 2027. There is no private right of action and no duty-of-care requirement.
- If you deploy AI in Colorado’s covered sectors (employment, housing, financial services, health, insurance, education, public benefits), start the consumer-notice, data-correction, and human-review workflows now.
As of May 17, 2026, the Colorado AI law 2026 story is one of the stranger chapters in American technology policy. The state passed one of the nation’s first major AI laws in May 2024, then spent two full years watching it get challenged in court, lobbied against by every major tech trade group, and ultimately gutted — all before a single enforcement action was ever taken.
On May 12, 2026, the Colorado legislature passed SB 26-189 by a 34-1 vote in the Senate and 57-6 in the House. The bill repeals and replaces the original Colorado Artificial Intelligence Act (SB 24-205) entirely. Governor Jared Polis, who signed the original law with visible reservations in 2024, is expected to sign it, having been a driving force in the drafting of the bill.
If you build or deploy AI systems that affect Colorado residents, here’s what you actually need to know — and why this story tells you something important about where US state AI regulation is heading.
Why Colorado Tore Up Its Own AI Law
To understand SB 189, you have to start with May 17, 2024, when Governor Polis signed SB 24-205, the Colorado Artificial Intelligence Act.
The original law was genuinely ambitious. It targeted “high-risk” AI systems — any system that makes or substantially contributes to a consequential decision affecting employment, housing, financial services, healthcare, education, insurance, or government services. Developers had to use “reasonable care” to prevent algorithmic discrimination. Deployers had to run documented risk management programs, complete annual impact assessments, and notify consumers when AI played a substantial role in decisions that affected them.
Polis signed it, but he attached a letter making his reservations explicit. He hoped the law would be revised before its February 1, 2026 effective date, or that it would prod Congress to pass federal preemption. Almost immediately after signing, he formed a working group of tech companies, businesses, labor representatives, and legal experts to rework the policy.
The industry opposition was fast and broad. The US Chamber of Commerce objected that SB 205 would hamper small business AI adoption. The Chamber of Progress and the Consumer Technology Association urged a veto. Then Elon Musk’s xAI filed a lawsuit seeking an injunction against the law, and the Department of Justice joined the challenge. A court paused the original law while litigation proceeded.
I’ve been tracking state AI legislation closely since 2024, and the Colorado situation stands out because the opposition was so broad and the political capitulation so complete. The law faced industry lobbying, executive ambivalence, and federal litigation simultaneously — and the defenders didn’t have enough political weight to hold it. By early 2026, with the February 1 effective date approaching and the law still in legal limbo, Colorado lawmakers moved to replace it entirely.
What the Original Colorado AI Act Required
Before you can judge SB 189 fairly, you need to know what SB 24-205 actually demanded:
For AI developers, the original law required:
- Reasonable care to protect consumers from algorithmic discrimination
- Disclosure of known limitations, potential risks, and training data details to deployers
- Documentation of evaluation methods used
For AI deployers, the original law required:
- A documented risk management policy and program
- Annual impact assessments for each high-risk AI system
- Consumer notice when AI substantially contributed to a consequential decision
- Disclosure of the type of system used and contact information for requesting reconsideration
- A meaningful process for consumers to appeal AI-driven decisions
This was a risk-based, proactive framework. Companies had to anticipate harms and document their prevention efforts before deployment — not just explain what happened after the fact.
What SB 189 Actually Requires
SB 189 strips out most of that structure. What replaces it is a disclosure-and-documentation framework with limited consumer rights triggered only after adverse outcomes.
Developer Obligations Under SB 189
Developers must provide deployers with technical documentation covering:
- The automated decision-making technology’s (ADMT’s) intended uses
- Categories of training data used, to the extent known
- Known limitations and inappropriate uses
- Guidance on appropriate use and when human review is required
Developers must also notify deployers of any material updates and retain compliance records for at least three years.
Deployer Obligations Under SB 189
Deployers must provide clear and conspicuous notice to consumers at the point of interaction that ADMT is being used.
If an ADMT makes a consequential decision that results in an adverse outcome, the deployer has 30 days to provide the consumer a plain-language explanation of the ADMT’s role in that decision.
Consumers have three rights under SB 189:
- Request the personal data used in an ADMT decision
- Request correction of factually inaccurate data
- Request meaningful human review after an adverse outcome
That’s the framework. No required upfront explanation of what AI system is being used. No proactive algorithmic bias auditing. No obligation to disclose that a consumer is interacting with a non-obvious AI system.
What SB 189 Dropped Entirely
Having reviewed the full text and legal analysis of SB 189, what strikes me most is what’s absent. The bill contains no reference to:
- Algorithmic discrimination
- Duty of care
- Risk management programs
- Impact assessments
- Attorney General notice obligations
- Any requirement to tell consumers they’re interacting with a non-obvious AI system
That last item matters more than it sounds. SB 205 required disclosure whenever AI substantially contributed to a consequential decision — period. SB 189 only triggers detailed disclosure requirements after an adverse outcome occurs. The burden shifted from “tell people before AI decides” to “explain after AI hurts them.”
SB 205 vs. SB 189 vs. Connecticut SB 5
Here’s how Colorado’s old law, Colorado’s new law, and Connecticut’s 2026 AI law compare on the provisions that matter most:
| Provision | SB 24-205 (2024) | SB 189 (2026) | Connecticut SB 5 (2026) |
|---|---|---|---|
| Duty of care / bias prevention | ✓ | ✗ | Partial (employment) |
| Risk management programs | ✓ | ✗ | ✗ |
| Annual impact assessments | ✓ | ✗ | ✗ |
| Pre-decision consumer notice | ✓ | Limited | ✓ |
| Post-adverse outcome disclosure | ✓ | ✓ (30 days) | ✓ |
| Right to human review | ✓ | ✓ | ✓ |
| Right to correct data | ✗ | ✓ | ✓ |
| Private right of action | ✗ | ✗ | ✗ |
| Frontier model whistleblower protections | ✗ | ✗ | ✓ |
| Effective date | Feb 1, 2026 (repealed) | Jan 1, 2027 | Varies (Oct 2026 onward) |
The contrast with Connecticut is sharp. While Colorado weakened its law, Connecticut’s SB 5 passed as one of the more comprehensive state AI bills of 2026. Connecticut includes whistleblower protections for employees at frontier AI labs training models on more than 10²⁶ compute operations, and it requires pre-decision disclosure for employment-related AI — not just post-harm explanation.
Two states, both responding to AI in 2026, arriving at very different places.
Which Sectors Does SB 189 Cover?
SB 189 defines “consequential decisions” across seven domains:
- Education enrollment and opportunities
- Employment (hiring, firing, compensation, promotion)
- Residential real estate lease or purchase
- Financial or lending services
- Insurance
- Health care services
- Essential government services and public benefits
If your AI system makes or substantially contributes to decisions in any of these areas and those decisions affect Colorado residents, SB 189 applies to you. Customer service chatbots, content recommendation engines, and product personalization systems fall outside the scope — unless they’re feeding directly into covered consequential decisions.
What Businesses Need to Do Before January 1, 2027
The compliance lift under SB 189 is lighter than SB 205, but it still requires concrete action. Here’s what I’d focus on:
If you’re an AI developer with products deployed in Colorado’s covered sectors:
- Document your training data categories, intended uses, and known limitations in writing
- Create deployer guidance that specifies appropriate use cases and when human review should be required
- Build a notification process for material product updates
- Retain compliance records for at least three years
If you’re an AI deployer using ADMT for consequential decisions in Colorado:
- Add conspicuous notice to any consumer-facing interface where ADMT contributes to covered decisions
- Build a 30-day post-adverse-outcome disclosure workflow in plain language
- Create a functioning mechanism for consumers to request their data, correct inaccuracies, and request human review
- Make sure your human review process has actual independence — the right to request review is empty if the review is automatic approval
The Attorney General’s rulemaking, due by January 1, 2027, will clarify definitions including what counts as a “material update” and what makes human review “meaningful.” Watch that rulemaking process closely — those definitions will determine how much the disclosure requirements actually bite.
What This Signals for State AI Regulation
Colorado’s reversal tells you something real about how AI governance frameworks are evolving under political pressure.
The tech industry won this round convincingly. But it didn’t win by killing the law entirely — it won by transforming a risk-based framework into a disclosure-only model. That distinction matters for how you plan ahead.
What I see playing out across states is a bifurcation. States that push for proactive risk management — duty of care, impact assessments, pre-deployment audits — are running into the same wall Colorado hit: industry litigation, executive ambivalence, and a legislature that finds technical AI policy genuinely hard to defend in a campaign ad. States that settle for disclosure frameworks are getting laws passed and signed, but those laws shift the harm-discovery burden onto consumers rather than companies.
This has direct implications for how you assess risk in agentic AI deployments. Under a proactive risk model, you have to prove safety before you deploy. Under a disclosure model, you have to explain what went wrong after you deploy. These are different incentive structures, and they produce different deployment decisions.
At the federal level, the Trump administration’s approach to frontier model oversight remains unsettled. The EU, meanwhile, is still working through enforcement timeline adjustments for its high-risk AI provisions. The patchwork is real, and Colorado’s reversal just made it more complicated for companies trying to build consistent compliance programs across jurisdictions.
For teams focused on what AI regulation means for workers, the Colorado-Connecticut comparison is especially pointed. Connecticut requires pre-decision disclosure in employment contexts and protects workers who raise safety concerns about frontier AI. Colorado now only requires explanation after someone loses a job because of an algorithm. If you care about accountability in AI-driven employment decisions, those are meaningfully different outcomes.
My Take
The disclosure-only model Colorado landed on is the path of least political resistance. That’s not a neutral observation — it reflects who carried more political weight in a two-year fight.
Some of the industry criticism of SB 205 was fair. The duty-of-care standard was vague, the compliance requirements for smaller companies were genuinely burdensome, and the law was passed without federal coordination, creating a fragmented compliance landscape. These were real problems.
But SB 189 didn’t fix those problems — it eliminated the protections along with the friction. Consumers in Colorado now have fewer upfront rights when an AI system denies them a loan, flags them as a bad hire, or affects their healthcare coverage than they had under the original framework. The right to request human review after an adverse outcome exists on paper; without proactive risk management requirements, there’s no structure ensuring that review is independent or that the AI system producing adverse outcomes was properly evaluated in the first place.
The vote counts — 34-1 and 57-6 — tell the story. Bipartisan, but not because everyone agreed this was good policy.
Conclusion
Colorado’s AI law went through two years of debate, survived an injunction, and emerged as a disclosure-only framework the original authors wouldn’t recognize. SB 189 is heading to Governor Polis’s desk and takes effect January 1, 2027. If you deploy AI in Colorado’s covered sectors, document your ADMT systems, build consumer notice into your interfaces, and set up a functioning human review process before that date. Watch the AG rulemaking for the definitional detail that will determine whether SB 189 has real teeth or just disclosure checkboxes.
Related AI Insights
- Connecticut AI Act SB 5: What It Means for Your Business
- EU AI Act 2026: Enforcement Updates and What’s Delayed
- Trump and AI Oversight: What’s Happening with Frontier Model Regulation
- AI Governance Framework: 7 Strategies for 2026
- Will AI Replace Jobs? What EU and US Laws Say About Worker Protections