Colorado is preparing to substantially revise the Colorado Artificial Intelligence Act, one of the earliest state laws aimed at governing high-risk Artificial Intelligence systems. On May 12, 2026, the Colorado General Assembly passed SB 26-189, which removes several of the original law’s most demanding requirements and redirects responsibility toward the employers and other entities that use covered technology to make decisions. The measure reflects a narrower, more implementation-focused approach to regulating Artificial Intelligence in consumer-facing and employment-related contexts.
The original CAIA was enacted in 2024 and was set to go into effect on June 30, 2026. It was designed to regulate the development and deployment of high-risk Artificial Intelligence systems used to make, or act as a substantial factor in making, consequential decisions affecting consumers in areas including education, employment, financial and lending services, essential government services, health care, housing, insurance, and legal services. Under that framework, developers had to provide information to support responsible use, while users were expected to maintain risk-management processes, conduct impact assessments, issue consumer disclosures, and take reasonable care to guard against algorithmic discrimination. Businesses pushed back against those obligations, especially the impact assessment requirement, and xAI sued the state over alleged First Amendment violations tied to the law.
SB 26-189 repeals and replaces key portions of that framework. Most notably, it eliminates the annual impact assessment mandate and shifts compliance away from front-end justification of a system’s use and toward operational requirements after deployment. The bill applies to covered automated decision-making technologies, or ADMTs, defined as technologies that process personal data and use computation to generate predictions, recommendations, classifications, rankings, scores or similar metrics that are used to materially influence consequential decisions in covered domains. Immaterial uses of ADMTs, and uses outside those covered sectors, would not fall within the law’s scope.
For covered ADMTs, users must provide advance notice to consumers that a covered ADMT will be used in an interaction. If a covered ADMT influences a consequential decision and produces an adverse outcome, the user must provide specified information within 30 days, including a description of the decision, the role of the covered ADMT, and an explanation of the consumer’s rights under the CAIA. Users also must tell consumers how to obtain more information about the covered ADMT and the personal data used by it. Recordkeeping obligations remain significant, with users required to keep records of consequential decisions made using ADMT for a minimum of three years.
The revised bill also changes enforcement. SB 26-189 provides a 60-day right to cure for Artificial Intelligence deployers that violate the law, and that cure period is scheduled to sunset after three years. It also states that the CAIA does not create a private right of action, leaving enforcement solely to the State of Colorado. Although the CAIA had been scheduled to take effect on June 30, 2026, SB 26-189 pushes the implementation date to January 1, 2027. Colorado’s attorney general also disclosed in court filings that the state will not enforce the CAIA while the legislature works to amend it. Companies using Artificial Intelligence in employment, lending, health care, insurance, education, housing, legal, and government-services settings are being urged to identify covered uses, assign governance responsibilities, and build compliance processes ahead of the revised deadline.
