Colorado has now significantly revised its AI governance framework before the law ever takes effect. SB 26-189, approved by Governor Jared Polis on May 14, 2026, repeals and reenacts key portions of the Colorado Artificial Intelligence Act (CAIA) and reframes the law around “automated decision-making technology” (ADMT) used to materially influence consequential decisions in areas such as employment, housing, financial and lending services, insurance, health care, education, and essential government services.
The revised law is narrower and more operational than the original version. Rather than treating every AI-adjacent business tool as a high-risk system, SB 26-189 focuses on covered ADMTs that process personal data and generate outputs such as predictions, recommendations, classifications, rankings, or scores that materially influence consequential decisions. It also excludes several low-risk or routine uses, including certain administrative, cybersecurity, fraud prevention, anti-money laundering, sanctions compliance, advertising, marketing, search, content moderation, and customer-service functions that do not materially influence covered decisions.
For companies, the practical takeaway is that Colorado has not abandoned AI regulation, but it has moved toward a more targeted compliance model. Deployers must provide clear notice before using covered ADMTs in consequential decisions, provide post-adverse outcome information within 30 days, maintain compliance records for at least three years, and offer correction and meaningful human review rights in certain circumstances. While the original law was set to take effect next month, the amended law now takes effect on January 1, 2027, and applies to consequential decisions made on or after that date, gives the Colorado Attorney General exclusive enforcement authority, includes a conditional 60-day cure period, and confirms that the statute does not create a new private right of action. To review the amended law, click here
