Colorado Rewrites Its AI Law With SB 26-189

On May 9, 2026, the Colorado legislature passed Senate Bill 26-189, a substantial rewrite of its 2024 artificial intelligence law. The bill replaces the original framework with a more targeted regime for "automated decision-making technology" (ADMT) and will take effect on January 1, 2027.

Financial institutions doing business in Colorado should carefully assess these changes and how they may apply to their own uses of computerized systems that are used to "make, guide, or assist" consequential decisions about individuals relating to financial or lending services as well as other enumerated consumer opportunities and services. The changes will take effect on January 1, 2027.

According to the Consumer Financial Services Law Monitor, the law defines ADMT broadly as technology that processes personal data and uses computation to generate outputs (predictions, recommendations, classifications, rankings, or scores) that are used to make or assist decisions about individuals.

A system becomes a "covered ADMT" when its outputs "materially influence" a consequential decision, meaning they are more than incidental and affect the outcome of the decision, for example by ranking applicants, constraining options, or determining pricing.

Consequential decisions are those that determine a person's access to, eligibility for, selection for, compensation for, or pricing of key opportunities and services. The covered domains for such consequential decisions include education, employment decisions that may create an employer–employee relationship, leasing or purchasing residential real estate in Colorado, financial and lending services, insurance (including underwriting, pricing, coverage, and claims), health-care services, and essential government services and public benefits.

At the same time, the statute narrows its reach by excluding low-stakes or routine processes that do not materially influence eligibility, pricing, or access. It specifically carves out advertising and marketing, differentiated product recommendations, and content moderation. It also excludes core infrastructure and basic tools such as databases, firewalls, simple calculators, and spreadsheets that do not use machine learning.

Systems used for anti-money laundering, Office of Foreign Assets Control, and sanctions compliance, fraud detection and prevention (including identity verification), cybersecurity, and related controls are excluded to the extent they are performing those compliance functions rather than making the kind of consequential decisions covered by the law. Uses for administrative purposes would also be excluded.

The law no longer contains a small business exemption for companies with fewer than fifty (50) full-time employees. The amendments also removes a safe harbor that companies could assert if complying with the National Institute of Standards and Technology Artificial Intelligence Risk Management Framework, ISO/IEC 42001 framework for an Artificial Intelligence Management System, or other recognized artificial intelligence framework.

Developer obligations now focus on documentation. Developers, defined as entities doing business in Colorado that sell, license, or substantially modify covered ADMT for consequential decisions, must provide deployers with enough information to understand how these systems should and should not be used.

Developers must supply technical documentation describing the ADMT's intended uses and known harmful or inappropriate uses; the categories of training data, including personal data, to the extent known; known limitations and risks, including circumstances in which the system should not be used; and instructions for appropriate use, monitoring, and meaningful human review.

Developers must also give deployers the information they reasonably need to comply with their own obligations under the statute. If certain information is withheld because it is a trade secret or otherwise legally protected, the developer must notify the deployer. In addition, developers are required to notify deployers of "material updates," such as new versions or patches that materially affect outputs, performance, or intended use, and to retain records like version identifiers and changelogs for at least three years.

These duties attach when a developer has marketed, documented, configured, or contracted a system to be used in consequential decisions, or becomes aware that it is being used in that way consistent with its intended and contracted uses.

The amendments remove prior developer obligations to post a public statement about artificial intelligence on their websites, notifications to the Colorado Attorney General, processes around algorithmic discrimination, and an affirmative duty of care.

Deployer obligations focus on transparency and process. Deployers, defined as businesses using covered ADMT to materially influence consequential decisions, must focus on transparency and process.

Before using covered ADMT in such a decision, a deployer must provide a clear and conspicuous notice to the consumer that an automated system is being used or will be used in a consequential decision affecting them and explain how the consumer can obtain additional information. The law allows this to be satisfied by a prominent public notice that is reasonably accessible at points of consumer interaction, such as an online application portal, so long as it is reasonably proximate to where the consequential decision may occur.

If the deployer's use of ADMT leads to an "adverse outcome" (i.e., a denial of a loan, a materially reduced benefit, or significantly worse pricing), the deployer must, within thirty days, give the consumer a plain-language description of the decision and the role of the ADMT; explain how to request additional information about the system and the types, categories, and sources of personal data used (to the extent provided by the developer); and describe the consumer's right to request human review.

Independent reporting from Consumer Finance Monitor corroborates the timeline and scope of the changes, noting that SB 26-189 replaces the original law's broad "high-risk artificial intelligence system" and "algorithmic discrimination" framework with a narrower regime focused on "automated decision-making technology" (ADMT) that processes personal data used to "materially influence" a "consequential decision."

The bill also shifts compliance obligations away from broad governance and impact assessments and toward targeted consumer disclosures, post-adverse-outcome explanations, correction rights, and meaningful human review.

However, whereas the original AI Act contained conditional exemptions for some federally regulated entities, the new version has eliminated those exemptions—thereby bringing into scope many additional entities that have thus far avoided state regulation of ADMT.

SB 24-205 was the nation's first comprehensive state AI law. It imposed obligations on developers and deployers of "high-risk artificial intelligence systems" used in "consequential decisions"—including employment, housing, health care, insurance, education, lending, legal services, and essential government services. Key features included reasonable care requirements to avoid algorithmic discrimination, mandatory implementation of risk-management programs, impact assessments, consumer notices, correction and appeal rights, and enforcement by the Attorney General under the Colorado Consumer Protection Act.

When Governor Polis signed the AI Act into law in 2024, he did so with reservations, asking the legislature to revisit the law during the 2025 session before it was scheduled to go into effect in February 2026. The legislature could not come to an agreement during the general 2025 session, and, during the 2025 special session, it could agree only to extend the law's effective date to June 2026.

In an effort to break the logjam, a working group consisting of lawmakers, the Governor's office, the Attorney General's office, and other stakeholders convened in fall of 2025, prior to the 2026 legislative session. The working group released its proposal on March 17, 2026, but even its members stated that the proposal needed further work.

On May 1—with the close of the legislative session nearing—SB 26-189 was released. It moved quickly after introduction, advancing through the Senate Business, Labor, and Technology Committee, Senate Appropriations, the full Senate, House Judiciary, and House Appropriations, before the House passed it on third reading on May 9, 2026.

For most businesses that operate as deployers of AI, SB 26-189 is meaningfully narrower than SB 24-205. Key differences include scope of covered technology, eliminated exemptions, governance obligations, litigation and enforcement risk, a three-year cure period, and mandatory AG rulemaking.

SB 24-205 regulated "high-risk artificial intelligence systems," while SB 26-189 focuses on "covered ADMT" that process personal data used to materially influence consequential decisions in sectors including employment, housing, lending, insurance, health care, education, and essential government services.

SB 24-205 required broader reasonable-care, risk-management, impact-assessment, annual-review, and public-summary obligations for deployers. SB 26-189 shifts deployers' obligations toward targeted disclosure, explanation, correction, and the right to request human-review, although it still maintains the three-year record-retention obligations.

SB 26-189 makes clear that the Colorado AI Act does not create a private right of action, and it closes alleged ambiguities that some argued existed in the prior law. Nonetheless, companies can still be held liable for discrimination under existing laws.

A 60-day right-to-cure provision allows developers and deployers to remedy violations before enforcement action—but this provision expires January 1, 2030.

Unlike the original AI Act where rulemaking was permissive, rulemaking under the new bill is mandatory. Further, rulemaking must be completed by January 1, 2027.

Even though we will see AG rulemaking, companies developing or deploying decision-support tools in Colorado should reassess their compliance roadmaps now. Mapping covered ADMTs and developing the general framework for compliance do not need to wait, and operational changes to implement consumer rights may take several months to execute.

The practical reality is that compliance teams will need to audit their systems, update documentation, and train staff on new disclosure requirements—all while the Attorney General's office drafts the final rules (a process that could take months, given the complexity).

Further, based on the Attorney General's approach to the Colorado Privacy Act rulemaking, we can expect that the rules will clarify, rather than change, the scope of the AI law.

In other words, while we have waited for years for the changes, we now have a sprint for the finish line.

Whether companies actually have the bandwidth to implement meaningful human review processes before the January 2027 deadline remains the real question.

Artūras Malašauskas is an AI Systems Integrator with 20+ years of production-grade web engineering experience. He has designed, shipped, and scaled enterprise Python/PHP systems for logistics, SaaS, and public-sector clients. For the past year, he has focused exclusively on AI integrations: deploying open-source LLMs, building generative media pipelines (image, audio, video), and engineering multi-agent workflows for real production environments. His standard: reproducibility, security, cost-efficient inference—no vaporware. He documents and evaluates emerging AI tooling, separating verified capabilities from marketing noise. Technical editor at: muza-ai.eu, ai-verslas.lt, ai-naujinos.lt Connect on LinkedIn