When Colorado passed SB 24-205 in 2024, it was the most ambitious AI consumer protection law in the United States. It included mandatory risk management programs, annual algorithmic impact assessments, anti-discrimination duties, and significant obligations for both developers and deployers of AI systems.

By mid-2026, nearly all of that framework was gone.

What Happened to the Original Law

SB 24-205 was delayed before it ever took effect. Originally scheduled for February 1, 2026, Governor Jared Polis pushed implementation to June 30, 2026 to give businesses more time to prepare.

The delay turned out to be irrelevant. On April 27, 2026, a federal magistrate judge stayed enforcement of the law entirely, following a constitutional challenge filed by Elon Musk’s xAI. The US Department of Justice later joined the lawsuit, arguing the law’s provisions conflicted with federal authority and constitutional limitations.

Rather than defend the original legislation through years of litigation, the Colorado legislature moved to replace it. On May 14, 2026, Governor Polis signed SB 26-189, a replacement bill that strips the framework back to its core.

What the Replacement Actually Requires

The new law takes effect January 1, 2027, and only after the attorney general completes rulemaking to define what compliance looks like in practice. That rulemaking process has not started.

What SB 26-189 keeps:

• Consumer notice: If AI materially influences a consequential decision affecting a person (employment, credit, housing, healthcare, education), that person must be told
• Appeal rights: People must have a meaningful way to contest AI-driven decisions
• Vendor accountability: Businesses remain responsible for understanding what their AI tools actually do and who built them

What the replacement drops:

• Mandatory annual algorithmic impact assessments
• Formal risk management programs
• Broad algorithmic discrimination duties that applied across the AI development chain
• Developer-level obligations that required AI builders to document and audit their systems

The result is a framework that looks more like a consumer notice law than a comprehensive AI governance regime.

The Broader Pattern

Colorado is not an outlier. Multiple US states that passed or proposed ambitious AI laws in 2024 and 2025 have since scaled back, paused, or watched them get challenged in court.

California’s AI Transparency Act and Texas’s Responsible AI Governance Act both moved toward disclosure requirements rather than operational restrictions. The Trump administration’s June 2026 executive order on AI explicitly directed federal agencies to reduce “bureaucratic constraints” on AI development, which shaped the political environment at the state level as well.

The EU AI Act is following a different path. Its transparency requirements take full effect in August 2026, and the risk-based framework remains intact. For businesses operating across markets, the compliance picture is fragmented: lighter in the US, more structured in Europe.

What This Means for Business

If you use AI that influences consequential decisions about people in Colorado, two things are true simultaneously. First, the June 30 compliance deadline for the original, comprehensive law is no longer the operative date. The immediate pressure is off. Second, the January 2027 transparency requirements are still coming, and rulemaking will define exactly what they require.

Start building now anyway. The practical steps for the new framework are not complicated, but they do require knowing where AI touches decisions that affect real people in your business. Most organisations using AI for hiring screens, customer qualification, or service routing do not have that mapped clearly.

The businesses that use the next six months to document where AI makes or influences decisions, build consumer-facing notice language, and create escalation paths for disputes will be ahead of the curve when rulemaking completes. The ones that wait for the final rules may find they have less time than they expected.

The broader lesson from Colorado’s legal saga is that US AI regulation is still unstable. Comprehensive frameworks are difficult to pass and vulnerable to challenge. What survives tends to be transparency requirements because they are harder to argue against constitutionally.

For data and AI strategy, the implication is practical: build your AI infrastructure so that you can explain how it works and give people a way to contest decisions. Not just because regulators may eventually require it, but because it is good practice for any business that wants to use AI reliably at scale.

If you are navigating AI adoption for your business and want a clear view of what responsible deployment looks like, Enterprise DNA’s advisory work starts exactly there.