Colorado SB 26-189: AI Act Repealed for Lighter ADMT Disclosure Law (May 2026)

Colorado state capitol building with AI governance policy documents, representing SB 26-189 signing in May 2026 Photo by Joachim Schnürle on Pexels

AI & ML · 1 Jun 2026 —

Colorado's 2024 AI Act — once the most ambitious US state AI law on the books — survived just two years before Governor Jared Polis signed its replacement on 14 May 2026. Senate Bill 26-189 (SB 26-189) repeals and reenacts the original statute, stripping out its three most contested obligations and substituting a disclosure-centred framework that takes effect on 1 January 2027.

What the Original Law Required — and Why It Failed to Survive

Senate Bill 24-205, signed in May 2024, imposed a duty of care on developers and deployers of "high-risk AI systems" to prevent algorithmic discrimination, required formal risk management programmes, and mandated annual impact assessments. Business groups fought the rules from the outset. When Polis signed the original bill, he did so with publicly stated reservations: his signing statement explicitly encouraged sponsors to significantly improve their approach before the law took effect, and called on Colorado legislators to fine-tune provisions so they would not hamper AI development. The signal that the statute's lifespan was uncertain was present at the very beginning.

The political pressure came to a head in April 2026 when Elon Musk's xAI filed suit to block enforcement on constitutional grounds, and the US Department of Justice intervened to support the challenge — the first time the DOJ had sought to intervene in a lawsuit challenging a state AI law. Colorado's Attorney General agreed to suspend enforcement pending the outcome. Faced with a stalled law, an active legal challenge, and a legislature receptive to change, the governor moved to replace the statute entirely.

The New Framework: ADMT, Not High-Risk AI

SB 26-189 discards the "high-risk AI system" construct in favour of "Automated Decision-Making Technology" (ADMT): any system that processes personal data to generate predictions, recommendations, classifications, or scores used to guide decisions about individuals. The shift matters because it drops the inference requirement that had caused compliance headaches under the original law.

Coverage is pegged to seven consequential-decision domains: employment, education, housing, financial services, insurance, healthcare, and essential government services. Outside those domains, the law does not apply.

14 May 2026Date SB 26-189 signed into law

7 domainsCovered consequential-decision areas under ADMT framework

30 daysWindow for deployers to explain adverse outcomes to consumers

1 Jan 2027Effective date for the revised law

What Deployers and Developers Must Actually Do

The obligations are more surgical than the original law's broad duties. Deployers must give consumers advance notice before using covered ADMT to make employment decisions. When an adverse outcome follows, they have 30 days to provide a plain-language explanation of the ADMT's role and must offer a mechanism for meaningful human review and reconsideration. Consumers can also request correction of inaccurate personal data used as inputs.

Developers carry upstream obligations: they must supply deployers with documentation covering intended uses, training data categories, known risks, and usage instructions. Absent that documentation, deployers cannot claim they were uninformed about a system's limitations.

Enforcement sits exclusively with the Colorado Attorney General. There is no private right of action — a deliberate design choice that removes the litigation risk that had most alarmed the business community under the original act. A 60-day cure period applies before the AG can pursue enforcement action, though that provision sunsets on 1 January 2030.

Who Gets a Pass

The law carves out several categories: HIPAA-covered entities, FDA-regulated medical devices, creditors complying with federal requirements, and insurers already subject to state-specific regulation. Research tools, fraud-prevention systems, and internal scheduling or administrative routing tools are also exempt. Holland & Knight's analysis notes the exemptions are drafted broadly enough to give most pure-infrastructure and product-development teams a clear path out of scope.

The Wider Signal for AI Governance

Colorado's reversal is the clearest evidence yet that US states are not converging on the EU's risk-management model. The original 2024 law was modelled loosely on the EU AI Act's tiered-risk approach; its replacement looks more like a consumer-protection disclosure regime. The Governor's office characterised the new law as protecting consumers while not being onerous on developers or the businesses that use AI technology — language that reflects where the political centre of gravity now sits in American AI policy debates.

Other states watching Colorado's experiment — including those that had cited SB 24-205 as a template — will now weigh whether a disclosure-plus-explanation model is both politically viable and practically enforceable. For enterprises with Colorado-facing operations, the January 2027 effective date is meaningful: compliance programmes built for the original law's risk assessments and impact reports need to be redesigned around the narrower ADMT definition and the notice-and-explanation obligations. Those programmes are lighter, but they still require audit trails, consumer-facing processes, and developer documentation chains to be in place before the new year.

Sources & cross-checks

Primary: Holland & Knight — Colorado Governor Signs SB 189, Significantly Amending the State's AI Law
Corroborated: Norton Rose Fulbright — Colorado enacts revised AI law
Corroborated: Seyfarth Shaw — Colorado Enacts Artificial Intelligence Replacement Law
Verified: Signing date (14 May 2026), seven covered domains, 30-day adverse-outcome explanation window, AG-only enforcement, 60-day cure period, January 2027 effective date — confirmed across Holland & Knight, Norton Rose Fulbright, and Seyfarth Shaw, 2 June 2026. xAI lawsuit (April 2026) and DOJ intervention confirmed via Norton Rose Fulbright (xAI/DOJ article). Polis 2024 signing-with-reservations confirmed via Seyfarth Shaw (2024 signing analysis).

Tags: #AI-Regulation #Tech-Policy #Colorado-SB-26-189 #ADMT #US-AI-Governance

Priya Nair

Data, AI Governance & Policy Analyst

Priya Nair covers AI governance, data protection, privacy, and digital trust topics for RECATOOLS.

View author profile → · Editorial policy

About this byline Priya Nair is a RECATOOLS editorial persona for AI governance, privacy, and digital trust coverage. Articles are produced and reviewed under RECATOOLS editorial supervision.