Colorado’s AI regulation story just took a significant turn. After passing one of the most comprehensive AI laws in the US in 2024, the state effectively started over. On May 14, 2026, Governor Jared Polis signed SB 26-189, repealing and replacing the original Colorado AI Act (SB 24-205) with a substantially narrower framework.
For any business using AI in decisions that affect employees, customers, or consumers in Colorado, here is what changed and what you need to do about it.
What Happened to the Original Law
The original Colorado AI Act was ambitious. It would have required businesses to implement formal risk management programs, conduct impact assessments, and demonstrate reasonable care to prevent algorithmic discrimination. It was modeled loosely on the EU AI Act and represented a serious compliance burden for mid-market and enterprise companies.
It never made it into practice. A federal magistrate judge issued a stay on enforcement in April 2026 following a lawsuit filed by Elon Musk’s xAI, which the US Department of Justice joined in support. With the law frozen by litigation and the White House signaling its preference for lighter-touch federal AI policy, Colorado’s legislature moved quickly to replace the original act before its June 30, 2026 effective date.
What the New Law Actually Requires
SB 26-189 takes a notice-and-transparency approach rather than a risk-management-and-audit approach. The major obligations of the original law — risk management programs, impact assessments, and the duty to prevent algorithmic discrimination — are gone.
What remains and what takes effect on January 1, 2027:
- Pre-use notice. If you deploy automated decision-making technology (ADMT) that influences consequential decisions about people, you must clearly notify them before using it. A notice at the point of interaction, such as a visible disclosure at the start of a hiring application or a loan process, satisfies this requirement.
- Post-decision disclosure within 30 days. If an ADMT system influenced an adverse outcome — a rejected job application, a denied loan, a claim denial — you must inform the affected person within 30 days. That disclosure must describe the role the AI played in the decision.
- Data correction rights. Consumers must be able to request corrections to inaccurate personal data used in ADMT decisions.
- Meaningful human review. People affected by adverse ADMT outcomes must have a path to request human reconsideration of the decision.
The law applies to technologies that process personal data to produce predictions, recommendations, classifications, rankings, or scores that materially influence decisions in areas including hiring and employment, credit and lending, healthcare, housing, insurance, education, and government services.
Who Needs to Pay Attention
If your business uses AI tools that influence decisions in any of the categories above and you have employees, customers, or applicants in Colorado, this law applies to you. That includes:
- HR teams using AI-assisted resume screening, performance scoring, or workforce scheduling tools
- Lenders, insurers, or fintech companies using algorithmic credit or risk scoring
- Healthcare providers using AI for treatment recommendations or patient triage
- Landlords or property managers using algorithmic tenant screening
The law targets deployers — the businesses actually using the ADMT — not just the vendors building it. Developers are required to provide technical documentation to deployers, but the disclosure and human review obligations sit with the organization making decisions about individuals.
Enforcement and Timeline
The Colorado Attorney General will enforce the law. There is a 60-day right-to-cure provision: if a business violates the law, it has 60 days to remedy the issue before facing enforcement action. That provision expires on January 1, 2030.
The Attorney General’s office must complete rulemaking before enforcement begins in earnest, which means the practical deadline for compliance is somewhat fluid beyond the January 1, 2027 effective date. But rulemaking takes time, and the 2027 date is the legal anchor.
What This Means for Business
The good news for businesses is that Colorado pulled back from the most demanding requirements. Risk management programs and algorithmic bias audits are gone for now. The remaining obligations are primarily about documentation and process — telling people what AI is doing and giving them a path to dispute decisions made about them.
The practical challenge is that most businesses using AI tools in HR, finance, or customer decisions have not designed those processes with disclosure workflows in mind. Adding a 30-day adverse outcome notification process for rejected applicants or declined customers requires coordination between your AI tools, your operations team, and your legal/compliance function.
A few things worth doing now, before January 2027:
- Audit your ADMT exposure. Map every AI tool in your business that influences decisions about individuals in the covered categories. Many businesses are surprised by how many tools qualify.
- Check your vendor agreements. SB 26-189 requires developers to provide technical documentation to deployers. If your vendors cannot provide this, that is a risk exposure.
- Design disclosure workflows. The 30-day adverse outcome notice is the most operationally complex requirement. Build that process before the law takes effect, not after.
- Watch the rulemaking. The Attorney General’s office will issue implementing rules that clarify ambiguous definitions. The definition of “materially influence” in particular will have significant practical impact. Track the rulemaking process.
The Bigger Picture
Colorado’s reversal reflects a broader shift in US AI regulation. The White House has signaled strong preference for innovation-first AI policy, and state legislatures are adjusting. The EU AI Act model — comprehensive risk tiers, mandatory audits — has not taken root in the US. What is emerging instead is a notice-and-transparency approach: tell people when AI is making decisions about them, give them rights to dispute those decisions, and let companies figure out the rest.
That is a lighter touch than many expected. But lighter-touch regulation still requires real process changes for businesses that have deployed AI tools without building corresponding disclosure and governance infrastructure around them.
If you are working through AI governance and want to understand how to build responsible AI systems that are both effective and compliant, talk to Enterprise DNA’s advisory team.
Source
Seyfarth Shaw LLP