Colorado Rewrites Its Landmark AI Law: Unpacking SB 26-189 and What It Means for Businesses

Snow covered Longs Peak, part of the Rocky Mountains stands tall in the background with green trees and the Downtown Denver skyscrapers as well as hotels, office buildings and apartment buildings filling the skyline.

By Gregory P. Szewczyk, J. Matthew Thornton, Mo Pham-Khan, Lexi Chapman & Kelsey Fayer on May 11, 2026

Posted in Artificial Intelligence, Banking and Financial Services, Colorado Law, Compliance, Employment Law, Enforcement, Health Care, Insurance, Legislation, Regulatory Compliance, State Attorneys General, State Law, State Legislatures

After attempting to amend its first-in-the-nation AI law for two years and three legislative sessions, on May 9, 2026, the Colorado legislature passed SB 26-189. It now awaits the governor’s signature and is expected to be signed into law, which will go into effect January 1, 2027.

SB 26-189 replaces the original law’s broad “high-risk artificial intelligence system” and “algorithmic discrimination” framework with a narrower regime focused on “automated decision-making technology” (ADMT) that processes personal data used to “materially influence” a “consequential decision.” The bill also shifts compliance obligations away from broad governance and impact assessments and toward targeted consumer disclosures, post-adverse-outcome explanations, correction rights, and meaningful human review.

However, whereas the original AI Act contained conditional exemptions for some federally regulated entities, the new version has eliminated those exemptions—thereby bringing into scope many additional entities that have thus far avoided state regulation of ADMT.

A Long and Tortured History

Signed in May 2024, SB 24-205 was the nation’s first comprehensive state AI law. It imposed obligations on developers and deployers of “high-risk artificial intelligence systems” used in “consequential decisions”—including employment, housing, health care, insurance, education, lending, legal services, and essential government services. Key features included reasonable care requirements to avoid algorithmic discrimination, mandatory implementation of risk-management programs, impact assessments, consumer notices, correction and appeal rights, and enforcement by the Attorney General under the Colorado Consumer Protection Act. While there was no private right of action, many feared that there would be attempts to exploit alleged ambiguities for private litigation.

When Governor Polis signed the AI Act into law in 2024, he did so with reservations, asking the legislature to revisit the law during the 2025 session before it was scheduled to go into effect in February 2026. The legislature could not come to an agreement during the general 2025 session, and, during the 2025 special session, it could agree only to extend the law’s effective date to June 2026.

In an effort to break the logjam, a working group consisting of lawmakers, the Governor’s office, the Attorney General’s office, and other stakeholders convened in fall of 2025, prior to the 2026 legislative session. The working group released its proposal on March 17, 2026, but even its members stated that the proposal needed further work. However, that proposal gave the legislature a new framework from which it could negotiate a consensus bill.

On May 1—with the close of the legislative session nearing—SB 26-189 was released. It moved quickly after introduction, advancing through the Senate Business, Labor, and Technology Committee, Senate Appropriations, the full Senate, House Judiciary, and House Appropriations, before the House passed it on third reading on May 9, 2026.

Key Updates and SB 26-189

For most businesses that operate as deployers of AI, SB 26-189 is meaningfully narrower than SB 24-205. Key differences include:

Scope of covered technology. SB 24-205 regulated “high-risk artificial intelligence systems,” while SB 26-189 focuses on “covered ADMT” that process personal data used to materially influence consequential decisions in sectors including employment, housing, lending, insurance, health care, education, and essential government services.
Eliminated Exemptions. Whereas the original AI Act had limited and conditional exemptions for various federally regulated entities, the new bill does not.
Governance obligations. SB 24-205 required broader reasonable-care, risk-management, impact-assessment, annual-review, and public-summary obligations for deployers. SB 26-189 shifts deployers’ obligations toward targeted disclosure, explanation, correction, and the right to request human-review, although it still maintains the three-year record-retention obligations.
Litigation and enforcement risk. SB 26-189 makes clear that the Colorado AI Act does not create a private right of action, and it closes alleged ambiguities that some argued existed in the prior law. Nonetheless, companies can still be held liable for discrimination under existing laws.
Three-Year Cure Period. A 60-day right-to-cure provision allows developers and deployers to remedy violations before enforcement action—but this provision expires January 1, 2030.
AG Rulemaking. Unlike the original AI Act where rulemaking was permissive, rulemaking under the new bill is mandatory. Further, rulemaking must be completed by January 1, 2027.

What Businesses Can Do Now

Even though we will see AG rulemaking, companies developing or deploying decision-support tools in Colorado should reassess their compliance roadmaps now. Mapping covered ADMTs and developing the general framework for compliance do not need to wait, and operational changes to implement consumer rights may take several months to execute. Further, based on the Attorney General’s approach to the Colorado Privacy Act rulemaking, we can expect that the rules will clarify, rather than change, the scope of the AI law

In other words, while we have waited for years for the changes, we now have a sprint for the finish line.