Privacy & Data Security Alert

May 18, 2026

Colorado Legislature Doubles Back on Risk-Based AI Act

By Jennie Cunningham, Amanda Witt

Overview: On May 9, 2026, the Colorado legislature passed Senate Bill 189, a bill that repeals and replaces the state’s existing Colorado AI Act with a significantly revised framework for regulating artificial intelligence (now termed “automated decision-making technology” or ADMT). The new legislation reflects a shift away from the prior law’s more prescriptive, risk-based approach and moves toward a more limited, disclosure-focused model. The Governor signed SB 189 on May 14, 2026, and it will take effect on January 1, 2027. Although the status of Colorado’s AI legislation had been uncertain since late last year, the passage of the updated law secures Colorado’s status as one of the few states with a comprehensive, sector-agnostic AI statute applicable to private-sector use cases.

Applicability: The updated law applies to ADMT that materially influences “consequential decisions” in specified domains such as employment, lending, housing, insurance, healthcare, education, and government services. However, it includes numerous exclusions (e.g., certain internal tools, cybersecurity uses, fraud prevention, marketing and routine data processing), which will require careful analysis to determine applicability.

Requirements and changes from AI Act: The prior Colorado AI Act (enacted in 2024) imposed substantial obligations on both developers and deployers of “high-risk” AI systems, including duties of care, risk management programs, impact assessments, and consumer-facing rights such as notice and appeal. SB 189 eliminates many of these core requirements. In particular, the new bill removes references to algorithmic discrimination and eliminates affirmative obligations such as a duty of care, impact assessments and structured risk governance programs. Instead, it adopts a narrower framework that focuses primarily on transparency, recordkeeping, and limited consumer rights in defined circumstances, reflecting a policy judgment to reduce compliance burdens while retaining some baseline protections.

Under SB 189, obligations are still divided between “developers” and “deployers,” but they are materially scaled back. Developers are generally required to provide deployers with documentation regarding intended uses, data inputs, limitations, and known risks of covered systems. Deployers, in turn, must maintain records and provide two categories of consumer notice: (i) a point-of-interaction disclosure when ADMT is used in a consequential decision, and (ii) a post-adverse outcome notice if the ADMT contributes to a negative decision affecting the individual. In those limited adverse scenarios, consumers may have rights to request correction of certain personal data and to seek meaningful human review, although the scope of these rights is narrow and subject to significant statutory exceptions.

Liability and enforcement: SB 189 provides some liability for ADMT-influenced consequential decisionmaking that is alleged to violate anti-discrimination laws and, notably, voids certain indemnification and defense provisions in contracts related to ADMT. Enforcement authority is vested solely in the Colorado Attorney General (AG), with no private right of action, and an initial cure period will be available in most cases. The AG will enforce the law through Colorado’s Consumer Protection Act and violations will be deemed to be deceptive trade practices. The updated law requires mandatory AG rulemaking that could result in additional requirements or modifications.

Although SB 189 reduces the regulatory burden compared to the original statute, it adds to an increasingly complex and fragmented state AI regulatory landscape, requiring companies to evaluate Colorado-specific obligations alongside emerging requirements in states such as California, Texas, Illinois, Connecticut, New York, and others.

Take-Aways and Next Steps: Although SB 189 reflects a scaled-back approach compared to Colorado’s original AI Act, it still introduces new, enforceable obligations that will require thoughtful implementation, particularly for organizations using automated decision-making technology (ADMT) in high-impact contexts. Companies should not interpret the revisions as a signal to delay compliance efforts. Instead, the law creates a more nuanced and operationally complex framework that will benefit from proactive legal and technical alignment. Key steps to consider now include:

  1. Conduct a Targeted ADMT Applicability and Use-Case Assessment
    Organizations should inventory their AI and analytics tools and map them against the statute’s definition of ADMT and “consequential decisions.” Given the law’s numerous exclusions and ambiguity around internal tools and embedded systems, a careful, defensible classification exercise is critical. Misclassification could lead to missed obligations or over-compliance.
  2. Review and Update Vendor and Customer Contracts
    The law’s limits on indemnification and defense provisions in ADMT-related agreements and its reallocation of responsibilities between developers and deployers may require updates to existing contracts and playbooks. Companies should reassess risk allocation, representations regarding system capabilities, and documentation obligations. This is particularly important for organizations that both develop and deploy AI or rely heavily on third-party vendors.
  3. Design and Implement Compliant Disclosure Workflows
    SB 189’s dual notice requirements (point-of-interaction and post-adverse decision) will require coordination across product, legal, and customer experience teams. Organizations should begin designing standardized disclosure language, delivery mechanisms, and triggers, particularly in customer-facing workflows such as applications, underwriting, hiring, or eligibility determinations. Failing to implement these workflows correctly poses both regulatory and reputational risk.
  4. Establish Scalable Recordkeeping and Audit Protocols
    Even without formal impact assessment requirements, the law’s recordkeeping obligations and anticipated Attorney General rulemaking mean companies must be prepared to demonstrate how ADMT is used and governed. Developing a defensible documentation framework now (including system inventories, decision logs, and governance artifacts) will position organizations to respond efficiently to regulatory inquiries or investigations.
  5. Align Consumer Rights Handling with Existing Privacy Programs
    The limited rights to correction and human review in certain adverse decision scenarios will need to be operationalized alongside existing privacy rights (e.g., under state privacy laws). Companies should assess whether current intake and response workflows can accommodate these requests or whether enhancements are needed to ensure timely and compliant handling.
  6. Monitor Rulemaking and Multi-State Alignment
    With mandatory rulemaking forthcoming and a rapidly evolving patchwork of state AI laws, organizations should adopt a forward-looking compliance strategy rather than a single-state approach. Harmonizing Colorado obligations with emerging requirements in other jurisdictions will be essential to avoid duplicative or conflicting controls.

While SB 189 reduces some prescriptive requirements, it introduces interpretive complexity and operational dependencies that are easy to underestimate. Early, strategic planning—particularly around scoping, contracting, and implementation—can mitigate downstream risk and avoid costly rework as enforcement begins.