Colorado AI Act: Enforcement Stayed. What Businesses Should Do Next.

May 12, 2026

Last Updated: May 28, 2026

Update History

May 28, 2026: Updated SB 26-189 to reflect Gov. Polis signed the bill on May 14, 2026; updated Executive Summary, FAQ, and Important Dates table; added three additional Colorado AI bills (HB 1263, HB 1139, HB 1195) pending Polis signature.

May 12, 2026: Added SB 189 replacement bill (passed both chambers, headed to governor); federal court enforcement stay (April 27); DOJ intervention in xAI lawsuit (April 24); updated Important Dates table; revised compliance guidance to reflect new Jan. 2027 effective date and narrowed framework; added executive summary and FAQ section.

Jan. 31, 2026: Updated effective date delay to June 30, 2026; added small business exemption detail; revised compliance preparation steps.

Executive Summary

Colorado's landmark AI antidiscrimination law has been replaced before it ever took effect. Here's where things stand as of May 28, 2026:

The original law (SB 24-205) is essentially dead. A federal magistrate judge stayed enforcement on April 27, 2026, and the U.S. Department of Justice joined Elon Musk's xAI in a lawsuit challenging the law's constitutionality. The Colorado legislature passed a replacement bill, SB 26-189, and Gov. Jared Polis signed it into law on May 14, 2026.

The replacement law (SB 26-189) is a major scaling-back. It drops the original law's risk management programs, annual impact assessments, and extensive algorithmic discrimination duties in favor of a narrower notice-and-transparency framework. The new law takes effect Jan. 1, 2027, with enforcement contingent on the attorney general completing rulemaking.

Three additional Colorado AI bills are now on Polis's desk. HB 1263 (chatbot safety), HB 1139 (AI in health insurance coverage decisions), and HB 1195 (AI use by licensed mental health professionals) all passed the legislature before the May 13 adjournment and await the governor's signature. Polis has about 30 days from adjournment to act. All three carry some veto risk given his history of opposing stricter tech regulation.

What this means for your business: You don't need to prepare for the June 30, 2026, original law deadline. The governing framework is now SB 26-189. Track the attorney general's rulemaking timeline, which will determine when real compliance obligations begin under the replacement law. The core requirements that survived, including consumer notice and appeal rights, remain worth building toward now.

The practical shift: Colorado is moving from a broad AI governance framework toward operational transparency. For most businesses, the priority is no longer building a full enterprise AI risk program overnight. The more immediate focus is understanding where AI materially influences consequential decisions, giving consumers appropriate notice, maintaining appeal paths, managing AI vendors, and retaining records.

Background: What Original Law Required

The Colorado Artificial Intelligence Act (SB 24-205) was signed by Gov. Jared Polis on May 17, 2024, as the first comprehensive state-level AI regulation in the United States. Modeled partly on the EU AI Act, it established sweeping consumer protection requirements for developers and deployers of high-risk AI systems, with a focus on preventing algorithmic discrimination in AI systems making "consequential decisions" affecting Colorado consumers.

Unlike California's targeted approach through multiple narrow bills, Colorado took a comprehensive risk-based framework that imposed risk management programs, annual impact assessments, extensive documentation requirements, and a duty of reasonable care on both AI developers and companies deploying those tools. Almost immediately, the tech and business communities pushed back hard, arguing the requirements were unworkable.

The effective date was delayed twice: first from Feb. 1, 2026, to June 30, 2026, following a failed special legislative session in August 2025. The 2026 session produced the replacement bill Polis signed on May 14.

Current Status: Law Replaced, Litigation Continues

The original Colorado AI Act faces simultaneous legal and legislative outcomes that make its implementation in any form extremely unlikely.

The federal injunction. On April 27, 2026, a federal magistrate judge in the U.S. District Court for the District of Colorado stayed enforcement of the original law. The order prohibits enforcement until 14 days after the court rules on xAI's forthcoming motion for a preliminary injunction, which will be filed within 28 days after the state finalizes rulemaking implementing either the original law or any successor legislation. The stay technically extends to successor legislation, meaning SB 26-189 also can't be enforced until the injunction question is resolved and rulemaking is complete.

The xAI lawsuit and DOJ intervention. On April 9, 2026, Elon Musk's xAI filed suit in federal court seeking to block the law on four constitutional grounds: First Amendment (compelled speech and content-based disclosure requirements), the Dormant Commerce Clause (regulating out-of-state actors), due process vagueness, and equal protection. On April 24, the Department of Justice intervened on xAI's side, marking the first time the federal government has sought to invalidate a state AI law. The DOJ focused its complaint on the equal protection argument, contending the law's carveout for AI systems designed to advance diversity constitutes impermissible racial and characteristic-based classifications. The intervention aligns with President Trump's December 2025 executive order, which specifically named Colorado's law as an example of regulation that could stifle innovation, and directed the DOJ to establish an AI Litigation Task Force to challenge state AI laws.

SB 26-189: Signed into law. Gov. Polis signed SB 26-189 on May 14, 2026, repealing and replacing SB 24-205. The replacement was the product of a governor-appointed AI Policy Work Group that released its proposed framework on March 17, 2026. The bill moved with extraordinary speed: the Senate passed it 8-1 on May 7, the House passed it on May 9, and Polis signed it May 14. The new law takes effect Jan. 1, 2027, with enforcement contingent on the attorney general completing rulemaking. Attorney General Phil Weiser has indicated the state will not pursue enforcement until required rulemaking is complete, and the rulemaking process hasn't formally begun.

Additional Colorado AI Bills Pending Polis Signature

The Colorado legislature sent three additional AI bills to Polis before adjourning May 13. All passed with bipartisan support and all await the governor's signature. Polis has about 30 days from adjournment to sign or veto each bill. All carry some veto risk given his stated preference for limiting tech regulation.

HB 1263 — Chatbot safety bill. Requires operators of conversational AI services to estimate user age and regularly disclose AI status to users identified as minors, applies basic disclosure requirements to all users, bans sexually explicit content and gamified engagement incentives for minors, and mandates crisis response protocols when users express suicidal ideation or self-harm intent. Effective Jan. 1, 2027 if signed. Sponsors acknowledged a stronger bill might have drawn a veto from Polis. For context on the national chatbot law landscape, see our State AI Chatbot Laws guide.

HB 1139 — AI in health insurance and utilization review. Prohibits health insurance companies from basing coverage decisions solely on group data collected by AI systems. Insurers must consider a patient's individual medical and clinical history in any AI-influenced coverage determination. Denials based on medical necessity must be reviewed by a licensed clinician competent to evaluate the specific clinical issues. Covered entities must disclose to the relevant state division the utilization review functions for which AI is used and the process for human oversight of adverse determinations. The law also prohibits health insurance from paying for therapy services provided by AI systems. Effective date TBD pending signature.

HB 1195 — AI use by licensed mental health professionals. Restricts how licensed mental health clinicians may use AI with clients. Clinicians may not use AI chatbots to communicate directly with patients or generate treatment plans without human review. Patient consent is required for AI transcription during sessions. AI tools remain permissible for administrative tasks. Effective date TBD pending signature.

What SB 26-189 Changes

SB 26-189 is a significant scaling-back of Colorado's AI governance ambitions. Senate Majority Leader Robert Rodriguez, the original bill's lead sponsor, described SB 26-189 as "more of a notice bill" that still carries the core principle of requiring disclosure when AI is used in consequential decisions.

What's removed. SB 26-189 eliminates the original law's requirements for deployer risk management programs aligned to industry standards, extensive annual impact assessments, the duty to use reasonable care to avoid algorithmic discrimination, and mandatory reporting of discrimination risks to the attorney general. These were among the most operationally demanding provisions of the original statute.

What's kept. Consumer notice before or at the time a covered AI tool is used remains. Post-adverse-action notices also survive: if AI contributes to an unfavorable decision, the consumer must receive information about the decision and how to appeal. Developers must still provide deployers with documentation about intended uses, limitations, and risks. The attorney general retains exclusive enforcement authority.

What's new. SB 26-189 introduces a broader definition of covered technology. Where the original law regulated "AI systems" making consequential decisions, SB 26-189 covers "automated decision-making technology" (ADMT), a term more aligned with data privacy law. Deployers must retain records of covered tool usage for three years. Developer and deployer liability is more clearly separated: developers are responsible for harms arising from their systems being used as intended; deployers are responsible for their own deployment decisions, including uses the developer didn't authorize. A right-to-cure provision allows parties 60 days to fix violations before the attorney general may pursue civil penalties, though Sen. Rodriguez insisted this provision expire after three years.

Enforcement timeline. SB 26-189 takes effect Jan. 1, 2027. However, Attorney General Phil Weiser has indicated the state will not pursue enforcement until required rulemaking is complete, and the rulemaking process hasn't formally begun. The federal court stay also extends to successor legislation. Practical enforcement is likely to begin no earlier than late 2027.

Who's Covered Under SB 26-189?

SB 26-189 retains the developer/deployer distinction from the original law. Developers are businesses doing business in Colorado that develop or intentionally and substantially modify an ADMT system. They must provide deployers with documentation on intended uses, known harmful uses, training materials, limitations, and risk notices. Deployers are businesses doing business in Colorado that use ADMT systems to make or materially influence consequential decisions affecting Colorado consumers. "Materially influence" means the ADMT output is a non-de minimis factor that affects an outcome by constraining, ranking, scoring, recommending, classifying, or otherwise meaningfully altering how the decision is made.

Consequential decisions under SB 26-189 span the same domains as the original law: employment (now clarified to include decisions that could create an employer-employee relationship), financial services, housing, healthcare, insurance, education, government services, and legal services.

What Counts as Materially Influencing a Consequential Decision?

One of the most important practical questions under SB 26-189 is whether an automated decision-making technology materially influences a consequential decision. In plain English, this means the tool's output plays a meaningful role in shaping the outcome, even if a human makes the final call.

| Likely Covered | Why |
|---|---|
| AI ranking job applicants | Influences hiring decisions |
| AI-driven tenant screening | Influences housing eligibility |
| AI loan scoring | Influences lending decisions |
| AI insurance underwriting recommendations | Influences pricing or coverage decisions |
| AI healthcare prioritization tools | Influences patient access or treatment decisions |

| Likely Not Covered | Why |
|---|---|
| Spellcheck or grammar tools | No consequential decision-making function |
| Internal productivity copilots | Typically not making or influencing consumer-impacting decisions |
| Basic analytics dashboards | Informational rather than outcome-determinative |
| General customer support chatbots | Usually not determining consequential outcomes |
| Simple workflow automation | Administrative rather than decision-oriented |

This is why many businesses asking, "Does ChatGPT fall under the Colorado AI Act?" may not be covered simply because employees use generative AI for internal productivity. The risk increases when AI is used to meaningfully influence hiring, lending, insurance, housing, healthcare, education, legal services, or government-service outcomes.

AI Compliance Is Becoming a Shared Responsibility Model

One of the most important operational shifts under SB 26-189 is that businesses cannot outsource accountability simply because they use third-party AI vendors.

The replacement bill preserves the distinction between developers and deployers. Developers are responsible for harms arising from intended use of their systems. Deployers are responsible for how they actually use those systems.

| Cloud Security | AI Governance |
|---|---|
| Cloud provider secures infrastructure | AI developer builds and documents the system |
| Customer secures configurations and usage | Deployer remains accountable for how AI affects outcomes |

In practical terms, businesses using SaaS platforms with embedded AI features may still bear responsibility for how outputs are used, whether consumers receive required notices, whether appeal paths exist, whether records are retained, and whether vendor limitations are understood and documented.

Third-Party AI Risk Is Now a Vendor Management Problem

For many companies, SB 26-189 transforms AI governance into a vendor risk management issue. Even when a business does not develop AI systems itself, it may still be considered a deployer if it uses vendor-provided systems to materially influence consequential decisions.

Companies should begin treating AI vendors similarly to cybersecurity vendors by requesting documentation about intended uses and limitations, understanding known failure modes or harmful uses, reviewing contractual liability language, expanding procurement reviews to include AI governance considerations, and tracking which systems materially influence decisions affecting consumers.

Vendor contracts may also require updates to address record retention obligations, disclosure responsibilities, incident notification expectations, human review requirements, data governance, and audit rights. If you already maintain vendor risk management programs under cybersecurity frameworks such as NIST or SOC 2, you can often extend those processes to AI governance.

Cybersecurity & Fraud Tools Generally Unlikely To Be Covered

Under the original Colorado AI Act, several categories of systems were specifically excluded, including cybersecurity tools, anti-malware systems, fraud detection tools not using facial recognition, databases, and calculators.

While SB 26-189 broadens the definition of covered technology from "AI systems" to "automated decision-making technology," many security-focused tools are still unlikely to fall within the law unless they materially influence consequential decisions affecting consumers.

For example, SIEM and XDR platforms, SOC automation tools, threat detection systems, email filtering, phishing detection, and endpoint protection platforms are generally unlikely to qualify on their own. The analysis changes if a system's outputs materially affect decisions involving employment, financial services, housing, healthcare, insurance, education, legal services, or government benefits.

Original Law's Framework (For Reference)

Because litigation over the original law continues, the original framework is documented here for reference. These requirements applied under SB 24-205 and may inform future rulemaking or litigation outcomes.

Defining High-Risk AI Systems

The original law applied only to "high-risk AI systems" that made or substantially factored into "consequential decisions." Certain systems were expressly excluded: anti-fraud tools not using facial recognition, cybersecurity tools, calculators, anti-malware software, databases, and narrow procedural assistants that didn't replace human assessment.

| Category | Examples |
|---|---|
| Education | Enrollment decisions, scholarship eligibility, academic placements |
| Employment | Hiring, promotions, terminations, compensation, work assignments |
| Financial Services | Loan approvals, credit limits, interest rates, account terms |
| Healthcare | Treatment recommendations, coverage decisions, appointment access |
| Housing | Rental applications, tenant screening, lease terms, rent pricing |
| Insurance | Policy eligibility, coverage amounts, premium pricing, claims decisions |
| Government Services | Benefits eligibility, licensing, permit approvals |
| Legal Services | Case assessment, resource allocation, procedural decisions |

Original Developer, Deployer Requirements

Under the original law, developers had to exercise reasonable care to protect consumers from algorithmic discrimination, provide deployers with comprehensive documentation, publish public statements on their websites about the systems they made available, and notify the attorney general and all known deployers within 90 days of discovering a credible discrimination risk.

Deployers faced more extensive obligations: a risk management policy aligned to NIST AI RMF or ISO/IEC 42001, annual impact assessments, annual reviews of each deployed system, consumer-facing disclosures before and after consequential decisions, and adverse decision notices that included the principal reasons for the decision, the degree AI contributed, and an opportunity to appeal with human review where technically feasible.

Original Exemptions

The original law carved out small businesses with fewer than 50 full-time equivalent employees under specific conditions, federally approved systems (FDA, FAA, FHFA), banks and credit unions subject to equivalent federal AI oversight, insurers covered by Colorado's existing external consumer data laws, HIPAA-covered healthcare entities for non-high-risk systems, and work performed for the Department of Defense, NASA, and related federal research programs.

Original Enforcement

The Colorado attorney general had exclusive enforcement authority. Violations constituted unfair trade practices under the Colorado Consumer Protection Act, with civil penalties of up to $20,000 per violation, counted separately for each affected consumer. There was no private right of action.

Comparison to Other Frameworks

Both the original Colorado law and its replacement sit in distinct positions relative to other regulatory approaches. The original law's comprehensive, EU-influenced structure has been replaced by something far closer to a notice-and-disclosure model:

| Feature | SB 26-189 (Current Law) | Original Colorado AI Act | EU AI Act |
|---|---|---|---|
| Scope | ADMT materially influencing consequential decisions | High-risk AI making consequential decisions | Risk-based tiers from unacceptable to minimal |
| Primary Focus | Notice, transparency, consumer rights | Algorithmic discrimination prevention | Safety and fundamental rights |
| Impact Assessments | Not required | Required annually | Required for high-risk systems |
| Risk Management Programs | Not required | Required (NIST AI RMF or equivalent) | Required for high-risk systems |
| Private Right of Action | No | No | Limited |
| Enforcement Timeline | Jan. 1, 2027 (pending rulemaking; stayed by federal court) | Stayed; original effective date June 30, 2026 | Phased 2024-2027 |

For international context, see our EU AI Act Compliance Guide.

What Most Businesses Should Actually Do Right Now

The original Colorado AI Act created concern that organizations would immediately need enterprise-grade AI governance programs. SB 26-189 significantly narrows those expectations.

For most businesses, the practical focus is now operational transparency, vendor accountability, consumer notice, and recordkeeping.

  1. Inventory AI and ADMT systems used in consequential decisions.
  2. Identify whether you are acting as a developer, deployer, or both.
  3. Obtain vendor documentation regarding limitations and intended uses.
  4. Draft AI-use disclosures and adverse-decision notices.
  5. Establish human review or appeal procedures where appropriate.
  6. Update vendor contracts and procurement reviews.
  7. Retain records of covered system usage for at least three years.
  8. Assign internal ownership for AI governance and oversight.

These steps align with both the original law's structure and the narrower framework under SB 26-189.

Compliance Preparation Steps

Given the shifting landscape, here's where to focus attention now.

1. Stand down on June 30 deadlines. The enforcement stay and passage of SB 26-189 mean the original law will not take effect on June 30, 2026. Companies that were preparing for the original law's full requirements, including risk management programs and impact assessments, do not need to complete those by that date.

2. Inventory AI and automated decision-making technology (ADMT) systems. Identify every AI or automated decision-making tool used in employment, lending, housing, health care, insurance, education, and government-service contexts. This step is foundational regardless of which version of the law ultimately governs, and the broader definition of ADMT in SB 26-189 may cover tools that weren't captured under the original law's AI system definition.

3. Assess your role. If you purchase or license AI tools, you are likely a deployer. If you build or substantially modify systems, you may be a developer. Companies that both develop and deploy have obligations in both categories. Under SB 26-189, developers bear liability for harms from intended use; deployers bear liability for their own deployment decisions.

4. Obtain developer documentation. For any deployed systems, request documentation now, including intended use cases, known harmful uses, training materials, limitations, and risk notices. Build these requirements into vendor contracts regardless of the final law, since the obligation to furnish this information survived from the original statute into SB 26-189.

5. Draft consumer notices. Pre-decision notices (telling consumers AI was used) and adverse-decision notices (explaining AI's role and providing an appeal path) survived into SB 26-189. Developing templated disclosures now positions you well regardless of which specific requirements the attorney general's rulemaking ultimately produces.

6. Set up a three-year records retention policy. SB 26-189 introduces a new requirement to retain records of covered ADMT use for three years. Think beyond simple logs and preserve enough information to explain how decisions were made. Recommended retained records may include AI-generated recommendations or scores, human review or override documentation, consumer appeals and resolutions, vendor notices and documentation, policies governing AI-assisted decisions, system configuration and workflow records, and model or version information where available. These records may become critical during attorney general investigations, audits, consumer complaints, or future litigation.

7. Monitor rulemaking. SB 26-189 directs the attorney general to complete rulemaking by Jan. 1, 2027, and enforcement won't begin until that process concludes. Formal rulemaking hasn't started. Track the attorney general's office for initiation of the process, which will include public comment periods where your business can weigh in on how obligations are defined.

8. Watch the litigation. The xAI case continues now that SB 26-189 has been signed. Both parties agreed that xAI's preliminary injunction motion will be filed within 28 days of rulemaking being finalized under whatever law governs. If xAI prevails on its constitutional claims, it could affect the successor statute as well. The DOJ's continued involvement signals the federal government intends to challenge state AI laws broadly, not just Colorado's original version.

9. Track the three pending bills. HB 1263 (chatbot), HB 1139 (health insurance AI), and HB 1195 (mental health therapy AI) are all on Polis's desk. If signed, each creates distinct compliance obligations beginning Jan. 1, 2027 or later. If vetoed, no action is needed. Expect a decision within roughly 30 days of the May 13 adjournment.

Shadow AI May Create Hidden Compliance Risks

Many companies may unknowingly become deployers under SB 26-189 because employees adopted AI tools without formal approval or governance. This practice, known as shadow AI, has become an issue for businesses worldwide.

Examples of shadow AI include managers using AI to evaluate employee performance, HR teams screening resumes with AI tools, finance departments using AI scoring systems, or staff using public generative AI tools for decision support without management oversight or knowledge.

Without centralized oversight, companies may not realize AI is materially influencing consequential decisions. This creates risks around missing disclosures, inconsistent or undocumented decision-making, inability to explain outcomes to consumers, lack of retained records, and exposure from unauthorized or unvetted AI tools.

Businesses should consider updating acceptable-use policies, procurement procedures, and governance processes to address unauthorized AI adoption. Check out the STACK AI Hub for a free AI Acceptable Use template you can customize for your unique circumstances or use exactly as it sits.

Significant Shift: From AI Governance to Operational Transparency

The replacement bill marks a significant shift in regulatory philosophy. The original Colorado AI Act attempted to impose a broad AI governance framework resembling portions of the EU AI Act, including formal risk management programs and annual impact assessments.

SB 26-189 moves away from that engineering-heavy model toward a more operational approach focused on consumer disclosure, transparency, appeals and human review, vendor accountability, record retention, and explainability.

For many small and midsize businesses, this makes Colorado AI compliance substantially more achievable while still signaling the direction regulators are moving nationally. Even if Colorado's final framework changes through litigation or rulemaking, businesses should expect transparency and accountability requirements around consequential AI use to continue expanding across the United States.

If you'd like to understand how Colorado's requirements interact with your existing cybersecurity and compliance posture, schedule a risk assessment with our team.

Important Dates

| Date | Event |
|---|---|
| May 17, 2024 | Gov. Polis signs SB 24-205 (original Colorado AI Act) |
| Aug. 28, 2025 | Gov. Polis signs SB 25B-004, delaying effective date to June 30, 2026 |
| March 17, 2026 | Colorado AI Policy Work Group releases proposed replacement framework |
| April 9, 2026 | xAI files federal lawsuit challenging SB 24-205 (X.AI LLC v. Weiser, No. 1:26-cv-01515) |
| April 24, 2026 | U.S. Department of Justice intervenes in xAI lawsuit against original law |
| April 27, 2026 | Federal magistrate judge stays enforcement of SB 24-205; stay extends to successor legislation |
| May 1, 2026 | SB 26-189 introduced in Colorado Senate |
| May 7, 2026 | Colorado Senate passes SB 26-189 (8-1) |
| May 9, 2026 | Colorado House passes SB 26-189 |
| May 13, 2026 | Colorado legislative session adjourns; HB 1263, HB 1139, HB 1195 enrolled to governor |
| May 14, 2026 | Gov. Polis signs SB 26-189 into law |
| ~June 12, 2026 | Polis deadline to sign or veto HB 1263, HB 1139, HB 1195 (about 30 days from adjournment) |
| Jan. 1, 2027 | SB 26-189 effective date (enforcement contingent on rulemaking completion and court stay) |
| Jan. 1, 2027 | HB 1263 effective date (if signed by Polis) |
| Jan. 1, 2027 | Attorney general rulemaking deadline under SB 26-189 |

Frequently Asked Questions

Does Colorado's AI law take effect June 30, 2026?
No. A federal magistrate judge stayed enforcement of the original law on April 27, 2026. Gov. Polis signed a replacement bill, SB 26-189, on May 14, 2026. The new law takes effect Jan. 1, 2027. Enforcement won't begin until the attorney general completes required rulemaking. The court stay also technically extends to the successor legislation.

What is SB 26-189 and how is it different from the original law?
SB 26-189 replaces the original Colorado AI Act's comprehensive risk-management framework with a narrower notice-and-transparency model. Risk management programs, annual impact assessments, and the duty to use reasonable care to avoid algorithmic discrimination are removed. What remains includes consumer notice before AI-assisted decisions, adverse-decision notices with appeal rights, and developer documentation requirements. The new law also covers a broader category of technology, using "automated decision-making technology" rather than "AI systems."

Does ChatGPT fall under the Colorado AI Act?
Usually not by itself. General internal use of ChatGPT or similar generative AI tools for productivity, drafting, brainstorming, or summarization is unlikely to be covered unless the tool materially influences a consequential decision affecting a Colorado consumer. The risk increases when AI is used in hiring, lending, housing, insurance, health care, education, legal services, or government-service decisions.

My business isn't based in Colorado. Does this apply to us?
Potentially, yes. SB 26-189 applies to businesses "doing business in Colorado" that develop or deploy covered systems affecting Colorado consumers. If your products or services reach Colorado residents and involve AI in consequential decisions, you may be covered regardless of where your company is headquartered. This was one of xAI's key constitutional objections: the original law regulated development activity occurring entirely outside of Colorado.

We use AI tools from a vendor. Are we still responsible?
Yes. If you deploy a vendor's AI tool to make or materially influence consequential decisions about Colorado consumers, you're a deployer and have obligations independent of the developer. Under SB 26-189, developers are responsible for harms from intended use; you, as deployer, are responsible for your own deployment decisions, including any uses beyond what the developer authorized. Indemnification clauses that would shift your liability to the developer are void under the replacement bill.

What should business leaders be doing right now?
Inventory every AI or ADMT tool used in employment, lending, housing, healthcare, insurance, education, or government-service contexts; obtain documentation from your vendors about how those systems work and their known limitations; draft templated consumer notices; create appeal or human-review workflows where appropriate; update vendor contracts; and set up a records retention policy covering three years of ADMT usage. Watch the attorney general's rulemaking for the final compliance specifics, and monitor Polis's decision on HB 1263, HB 1139, and HB 1195.

Could the xAI lawsuit affect SB 26-189 too?
Possibly. The parties agreed xAI's preliminary injunction motion will be filed within 28 days of rulemaking being finalized under either the original law or any successor legislation. The constitutional claims targeting compelled speech and the Commerce Clause could apply to aspects of SB 26-189 as well, particularly any requirements to alter system outputs or disclose proprietary information. The litigation is ongoing and the outcome is uncertain.

Additional Resources

For official text and legislative history, see the Colorado General Assembly bill page for SB 24-205 and the SB 26-189 bill page. The Colorado Attorney General's office maintains an AI resources page that will be updated as rulemaking proceeds.

The NIST AI Risk Management Framework remains a strong foundation for AI governance regardless of which state laws ultimately govern your operations. Building toward NIST AI RMF now positions your business to demonstrate compliance readiness and provides an affirmative defense under several state AI frameworks.

Need Help Implementing AI Solutions?

STACK Cybersecurity provides comprehensive AI readiness assessments, including licensing analysis, security implementation, and ongoing monitoring. Check out our AI Hub.

Email: info@stackcyber.com
Phone: (734) 744-5300
