Colorado’s legislature has nine days to decide the fate of the most ambitious AI regulation in the United States — and this week, a compromise landed that has both business groups and consumer advocates saying something close to yes.

Senate Bill 189, introduced on May 1, 2026 by Senate Majority Leader Robert Rodriguez, would replace the controversial Colorado AI Act (SB 24-205) before it takes effect on June 30. The bill pushes the new compliance date to January 1, 2027 and strips out the parts of the original law that made every employer, lender, insurer, and technology team in the country nervous: the mandatory bias audits, the joint-and-several liability framework, and the broad impact-assessment requirements that critics said were impossible to implement in practice.

What remains is more surgical. SB189 is what Rodriguez calls “more of a notice bill” — but that undersells it. The core obligations are real.

What SB189 Actually Requires

If it passes before the May 13 legislative deadline, any business using AI to make a consequential decision — think hiring, loan approvals, insurance underwriting, medical triage, housing, or education eligibility — must:

Notify consumers. People need to know when AI is influencing a decision about them. This applies before or at the point of the decision, not buried in terms of service.

Provide an appeals path. If an AI-assisted decision goes against someone, they have the right to contest it and to correct inaccurate data the system used about them.

Know what they’re deploying. AI developers must give businesses that use their technology clear documentation of intended use cases, known limitations, prohibited uses, training data details, and risk disclosures. Businesses can’t claim ignorance if they’re handed the spec sheet.

Allocate fault correctly. Instead of holding everyone jointly responsible for anything that goes wrong, the bill assigns liability based on who caused the harm — the developer who built the system, or the deployer who used it in a way it wasn’t designed for.

There’s also a right to cure: if a company is found to be out of compliance, they get the chance to fix it before facing penalties. That provision has a three-year sunset so it doesn’t become a permanent loophole.

Why This Matters Beyond Colorado

Colorado was first. When Governor Polis signed SB 24-205 in May 2024, it was the only comprehensive AI discrimination law in the country. Every other state watched to see if it would survive and whether it would become a template.

Two years later, the law has been delayed twice, challenged in federal court by xAI, opposed by the Trump administration’s Justice Department, and scrutinised by everyone from school districts to mortgage companies. The original ambition — mandating bias audits and algorithmic impact assessments for any AI used in a consequential decision — turned out to be operationally unworkable at scale.

What Rodriguez’s bill signals is that the US model for AI regulation is settling somewhere between “do nothing” and “audit everything.” Transparency beats process burden. Notice and correction rights beat proactive risk management mandates.

That is not a minor shift. If SB189 passes and survives its first few years, it gives every other state a template that has already survived one regulatory cycle, two lawsuits, and a federal administration that wanted to kill state AI laws entirely.

What Businesses Should Do Now

If you operate in Colorado and use AI in any decision affecting consumers — whether that’s an automated screening tool, a chatbot handling service requests, a credit scoring system, or an HR recommendation engine — here is the practical read:

Audit your AI vendors, not your AI. The new obligation flows up the chain. Ask your AI providers for documentation of intended use, limitations, and risk disclosures. If they can’t provide it, that is a compliance gap that starts at their end.

Document your AI use cases. For any system touching consequential decisions, know what it does, where its data comes from, and what the failure modes are. This is the foundation for the consumer notices SB189 requires.

Build your appeals workflow now. January 2027 sounds distant, but operational changes to HR systems, lending platforms, and customer service infrastructure take time. Start designing the human review path while you have runway.

Watch the vote. The legislature must act by May 13. If SB189 fails and the original AI Act takes effect June 30, the compliance burden is significantly higher. The probability of passage looks good given cross-party support, but nothing is certain.

What This Means for Business

Colorado’s AI regulation saga illustrates a broader truth about enterprise AI compliance: the rules are being written in real time, and the businesses that will be best positioned are not the ones waiting for the dust to settle. They are the ones who already understand what AI systems they use, what decisions those systems influence, and what data they run on.

That kind of operational clarity is not just a compliance asset. It is a prerequisite for using AI responsibly and effectively — whether or not any particular law passes.

At Enterprise DNA, the work we do with data teams and AI adoption starts with exactly that foundation: knowing what you have, what it does, and whether it’s doing what you think. That clarity is what turns compliance from a cost into a competitive advantage.