Colorado Rewrote Its AI Law: What Developers Need to Know

Colorado replaced its AI law SB 24-205 with SB 26-189 after a constitutional challenge by xAI and the DOJ. The new law removes requirements for risk management programs, impact assessments, and algorithmic discrimination duty of care, instead mandating developer documentation, consumer notices, and post-adverse-outcome notices. Developers of AI used in consequential decisions in seven domains must comply by January 1, 2027.

The law that spooked every AI startup in America has been replaced — before it ever took effect. Colorado’s SB 24-205, scheduled to drop June 30, 2026, was repealed and rewritten as SB 26-189, signed May 14. The three requirements that drove most of the compliance panic — risk management programs, impact assessments, and the vague “algorithmic discrimination” duty of care — are gone. What replaced them is narrower, more operational, and takes effect January 1, 2027.

If you’re building AI that touches consequential decisions about people in Colorado, you’re not off the hook. But the hook looks very different now.

What Killed the Original Law

Colorado’s original AI Act had a rough spring. On April 9, xAI filed a federal suit challenging SB 24-205 (https://en.wikipedia.org/wiki/Colorado AI Act) on four constitutional grounds — vagueness, First Amendment compelled speech, Dormant Commerce Clause, and an equal protection argument that the law’s diversity carveout authorized race-based discrimination. On April 27, the DOJ joined. A federal judge stayed enforcement the same day.

Colorado didn’t fight it. Less than three weeks later, the legislature replaced the whole thing. That’s an extraordinary sequence: a state AI law was challenged, backed by the DOJ, stayed by a federal court, and replaced inside five weeks. The pivot away from SB 24-205 wasn’t just industry lobbying — it was a constitutional rout.
What’s Gone From the New Law

SB 26-189 eliminated the three requirements that made SB 24-205 uniquely burdensome for AI developers:

- Risk management programs — No NIST AI RMF or ISO 42001 alignment required
- Impact assessments — No annual audits, no 90-day post-modification reviews
- Algorithmic discrimination duty of care — No self-reporting to the Colorado AG, no open-ended liability for discriminatory outputs

These weren’t trimmed. They were removed. As ArentFox Schiff put it (https://www.afslaw.com/perspectives/alerts/colorado-replaces-its-landmark-ai-act-new-framework-what-developers-and): “Three obligations that drove the most concern in the business community are gone.”

What Colorado SB 26-189 Requires Instead

SB 26-189 trades governance theater for operational transparency. Instead of standing up an ethics committee, you need to build three things into your product and process:

1. Developer Documentation Package

If you build “covered ADMT” and sell or license it for use in consequential decisions, you must provide deployers with a documentation package covering: intended uses and known harmful or inappropriate uses; categories of personal data used in training; known limitations and conditions where the system should not be used; and instructions for appropriate use, monitoring, and human review. Trade secrets — source code, model weights — are explicitly protected. You don’t need to open-source your way to compliance.

2. Pre-Use Consumer Notice

Deployers must notify consumers before covered ADMT is used in a decision. This is a disclosure engineering problem, not a legal review problem. Build the notice into the product flow.

3. Post-Adverse-Outcome Notice Within 30 Days

When covered ADMT materially influences an adverse decision — rejected loan, denied health service, failed job screening — the deployer has 30 days to notify the affected consumer with an explanation and a path to meaningful human review, where commercially reasonable.
Expect the AG’s rulemaking to define “commercially reasonable” further.

Are You Actually Covered by Colorado’s AI Law?

The law covers “covered ADMT” — automated decision-making technology that processes personal data and is used to materially influence a consequential decision in one of seven domains: employment, healthcare, housing, financial and lending services, insurance, education, and essential government services.

You’re in scope if your AI helps decide: whether to hire or fire someone, approve a loan, set an insurance rate, accept a tenant, recommend a medical treatment, or grant access to government benefits.

You’re almost certainly out of scope if your AI does: code completion, bug detection, ad targeting, content recommendation, search ranking, or anything that doesn’t touch those seven domains.

One important nuance: if you build and deploy your own AI system, you carry both the developer documentation obligation and the deployer disclosure obligation. The same company can be both.

What to Do Before January 1, 2027

The AG hasn’t started rulemaking yet, and practical enforcement likely won’t arrive until mid-2027 at the earliest. That’s not a reason to wait — it’s a reason to do it right without a deadline gun to your head. Crowell & Moring’s analysis (https://www.crowell.com/en/insights/client-alerts/colorado-hits-reset-on-ai-regulation-sb-26-189-repeals-and-reenacts-the-colorado-ai-act) confirms the January 2027 date is firm even if enforcement timelines shift.

- Map your AI systems against the seven covered domains. If none apply, you’re done.
- Draft your developer documentation package now — before deployment, not after.
- Set up record retention for compliance documentation (3-year minimum required).
- If deploying covered ADMT, design pre-use notice flows and adverse-outcome notification into your product.

The Bottom Line

Colorado’s AI Act is not dead — it was replaced.
SB 26-189 (https://leg.colorado.gov/bills/sb26-189) is narrower and more operable than what it replaced, but it’s real regulation with real penalties (up to $20,000 per violation). The impact assessment nightmare is over. The open-ended discrimination liability is gone. What remains is a disclosure and documentation framework that any competent engineering team can build into their product without a compliance army.

If your AI makes high-stakes decisions about people in Colorado’s seven covered domains, start planning now. If it doesn’t, breathe easy — and note that Colorado just showed how fast a state AI law can go from “existential threat” to “gutted and replaced in five weeks.”