Colorado AI Act · SB 26-189
Colorado's AI Law Changed. Here's What It Means for Your Organization.
Colorado's original AI Act (SB 24-205) has been replaced. Governor Polis signed SB 26-189 into law on May 14, 2026, substantially narrowing the requirements. The new law takes effect January 1, 2027. If you were preparing for the old law, your obligations just changed.
Alpinscape helps you understand exactly what SB 26-189 requires of your organization, and builds the governance infrastructure to meet it — not with a binder of policies, but with connected systems and operational frameworks your team will actually use.
- January 1, 2027: New compliance deadline (SB 26-189)
- 7 sectors: Including financial services, healthcare, and employment
- $0: Cost of a preliminary conversation
- Colorado-based: First-mover advantage on your side
Legislative history
How we got here
Colorado did not pass this law in a vacuum. Understanding the timeline helps explain why the deadline is real, and why organizations cannot afford to wait.
Original law signed
Governor Polis signs SB 24-205. Colorado becomes the first state with comprehensive AI consumer protection legislation, requiring risk management programs and annual impact assessments.
Deadline delayed
A special legislative session pushes the effective date from February 1, 2026 to June 30, 2026. The Attorney General convenes a working group to explore amendments.
Federal court stays enforcement
xAI files suit challenging SB 24-205 on constitutional grounds. The DOJ intervenes on xAI's side — the first time the federal government sought to invalidate a state AI law. A federal magistrate judge stays enforcement on April 27.
Law replaced: SB 26-189 signed
The Colorado legislature passes SB 26-189 (Senate May 7, House May 9). Governor Polis signs it on May 14, 2026. Risk management programs, annual impact assessments, and the algorithmic discrimination duty of reasonable care are dropped. A lighter notice-and-transparency framework replaces them.
New deadline
SB 26-189 takes effect. Developers must provide documentation packages to deployers. Deployers must give pre-decision notice, post-adverse-decision explanations, and a right to request human review.
SB 26-189
What the new law requires
SB 26-189 replaces the original law's broad "high-risk AI system" and algorithmic discrimination framework with a narrower regime focused on "automated decision-making technology" (ADMT) used to "materially influence" a "consequential decision."
The three most burdensome obligations from the original law have been removed: the duty of reasonable care to prevent algorithmic discrimination, mandatory risk management programs, and annual impact assessments. What remains is a focused notice-and-transparency framework.
For companies deploying AI
Companies using AI in operations
If your organization uses automated decision-making technology to materially influence a consequential decision about a person:
- Provide clear and conspicuous pre-decision notice to consumers that ADMT will be used
- After an adverse outcome, provide a plain-language explanation of the ADMT's role within 30 days
- Give consumers the right to request human review and reconsideration of an adverse decision
- Retain compliance records for at least three years
For developers
Companies building or licensing AI systems
If your organization develops or markets ADMT for use in consequential decisions:
- Provide deployers with documentation covering intended uses, known limitations and circumstances where the ADMT should not be used, categories of training data, and instructions for appropriate use and human review
- Notify deployers of material updates, intentional modifications, or changes to intended use within a reasonable time
- Retain compliance records for at least three years
Right to cure: SB 26-189 includes a 60-day right-to-cure provision, giving developers and deployers a window to remedy violations before enforcement action. This provision expires January 1, 2030. The Attorney General must adopt mandatory rules by January 1, 2027 — the same day the law takes effect.
Scope
Who needs to comply
SB 26-189 applies to companies that use automated decision-making technology in "consequential decisions" across these covered domains. If your company serves Colorado consumers and uses AI in any of these areas, the law applies to you regardless of where you are headquartered.
The statute lists the covered domains broadly. The use cases shown below are common examples — the law itself does not enumerate specific applications.
Small employer exemption: Employers with 40 or fewer employees are generally not treated as a "deployer" under SB 26-189, but the exemption does not apply when those employers use ADMT to materially influence employment decisions like hiring or compensation — the most common HR use case. The threshold changed from the original law's 50-employee cutoff. Additional carve-outs: insurers subject to Colorado insurance regulation and HIPAA-covered entities are deemed compliant except for employment decisions. FDA-regulated medical devices and pharmaceutical R&D are excluded outright. Confirm applicability with counsel.
The broader picture
Colorado led. Others are following fast.
Colorado is the first, but not the last. AI governance legislation is moving through state legislatures and federal agencies across the country. Organizations that build a real governance framework today will not have to rebuild it when the next law lands.
- Colorado: SB 26-189 (replaces SB 24-205). Narrowed notice-and-transparency framework. Applies to any organization serving Colorado consumers in covered sectors.
- Utah: AI Policy Act (SB 149), signed March 2024. Regulated professionals must proactively disclose generative AI use at the start of an interaction. General consumer-facing businesses must disclose only when asked.
- California: SB 53 (Transparency in Frontier Artificial Intelligence Act), signed September 2025, is the first US law specifically regulating frontier AI models — in effect January 1, 2026. Over 20 AI laws now cover hiring, healthcare, deepfakes, generative AI, and algorithmic pricing.
- Illinois: AI Video Interview Act plus HB 3773 (effective January 1, 2026) expanding AI employment law — prohibiting discriminatory AI use in hiring and requiring notice to applicants and employees. Enforcement through the Illinois Human Rights Act, including compensatory damages after administrative exhaustion.
- Texas: Texas Responsible AI Governance Act (TRAIGA) signed June 2025, in effect January 1, 2026. Prohibits AI for behavioral manipulation, discrimination, and certain harmful uses. Establishes a regulatory sandbox and AI advisory council.
- Virginia: Governor Youngkin vetoed HB 2094, the comprehensive high-risk AI bill. Most 2026 AI legislation was tabled. Virginia established an AI advisory council and added AI protections to its Consumer Data Protection Act.
- EU AI Act: Entered into force August 2024 with phased application through 2028. Any organization with EU customers is already on the clock.
Multi-jurisdiction clients: If your organization operates across states or internationally, Alpinscape builds governance frameworks designed to satisfy multiple regulatory regimes — not just Colorado.
The real gap
The real gap is not policy. It is architecture.
Most organizations we talk to assume AI compliance is a legal exercise. Update a disclosure banner, add a notice to the consent flow, check the box. It is not.
SB 26-189 requires you to notify consumers when AI materially influences a consequential decision — and to give them the right to request human review. That means you need to know:
You cannot answer any of those questions if your data lives in disconnected systems with no governance layer. AI compliance starts with data architecture. If your ERP, CRM, field tools, and BI platforms are not connected through governed integrations, even the narrower obligations under SB 26-189 are operationally impossible to meet.
This is where Alpinscape works. We do not write policies in isolation. We build the systems and integrations that make compliance operational.
Methodology
How we get you ready
Alpinscape follows the same focused, security-first methodology we use across all engagements, adapted specifically for AI governance and SB 26-189 compliance.
Discovery
We start with a full inventory of your AI landscape. Not just the tools IT manages, but the ones departments adopted on their own. We map every AI system touching consequential decisions, the data flowing into each one, and the gaps between your current state and what the law requires.
You get: AI system inventory, data lineage map, gap analysis against SB 26-189 requirements, decision-point mapping.
Blueprint
We design your governance framework. This includes your consumer disclosure implementation, developer documentation packages, human review workflow design, and the integration architecture needed to make everything auditable and repeatable. We align it to your business strategy so compliance strengthens operations rather than adding friction.
You get: Disclosure implementation plan, developer documentation templates, human review workflow design, integration architecture plan, record retention framework.
Build + Launch
We implement the integrations, automations, and monitoring systems that make your governance framework operational. This is not a PDF that sits on a shelf. It is a living system connected to your actual data and workflows.
You get: Connected data architecture with governance controls, automated monitoring and alerting, record retention infrastructure, team training and adoption support.
What you walk away with
Tangible deliverables. Not slide decks.
Every AI governance engagement produces operational outputs scoped to your specific systems and risk profile. No unnecessary work. No generic templates.
A complete map of every AI tool in your organization and which ones materially influence consequential decisions under SB 26-189's scope.
Ready-to-deploy notice language and triggered workflows for informing consumers when AI influences a consequential decision about them.
A functional workflow for handling consumer requests for human review and reconsideration after adverse ADMT decisions — plus the post-decision explanation process SB 26-189 requires within 30 days.
For organizations that build or license AI systems: structured documentation covering intended uses, known limitations and circumstances where the system should not be used, training data categories, and human-review instructions, ready to provide deployers.
Connected systems with clean data lineage so your disclosures and records are based on real, auditable information rather than assumptions.
Processes and tooling to retain compliance records for the three-year minimum SB 26-189 mandates for both developers and deployers.
Governance frameworks designed to satisfy Colorado alongside Utah, California, Illinois, Texas, EU AI Act, and other active or advancing regulatory regimes.
Fit
Built for organizations that take AI seriously
This service is designed for mid-market and growth-stage companies ready to build compliance into their systems from the ground up.
This is a fit if you:
- Use AI in decisions that affect customers, employees, or applicants
- Operate in or serve consumers in Colorado
- Run enterprise platforms like Salesforce, SAP, D365, or modern SaaS stacks
- Want compliance built into your systems, not layered on top as an afterthought
- Need to move fast without creating risk
We also work with:
- Private equity firms assessing AI risk across portfolio companies
- Organizations in multiple sectors needing a unified governance approach
- Companies unsure whether SB 26-189 applies to their specific systems
- Teams that have policies but lack the operational infrastructure to back them up
Not sure if SB 26-189 applies to your organization? Start with a conversation. We will tell you straight.
FAQ
Frequently asked questions
The Colorado AI Act is still evolving. Here are the questions we hear most often.
When does the Colorado AI Act take effect?
The replacement law, SB 26-189, takes effect January 1, 2027. The original law (SB 24-205) was signed in May 2024, delayed from February 2026 to June 2026 during a special legislative session, and then stayed by a federal court in April 2026 after xAI and the DOJ challenged its constitutionality. The Colorado legislature responded by passing SB 26-189 in early May 2026, which Governor Polis signed on May 14, 2026.
Does this apply to companies outside Colorado?
Yes. SB 26-189 applies to any entity that deploys or develops automated decision-making technology affecting Colorado consumers, regardless of where the company is headquartered.
What counts as automated decision-making technology under SB 26-189?
Any AI system that materially influences a "consequential decision" about a person. The statute's covered domains are education, employment, housing, financial or lending services, insurance (underwriting, pricing, coverage, claims), health-care services, and essential government services.
What happens if we do not comply?
Violations are enforced by the Colorado Attorney General under the Colorado Consumer Protection Act. There is no private right of action, meaning individuals cannot sue directly. Before initiating an enforcement action, the AG must provide a 60-day notice and opportunity to cure — but this right-to-cure provision expires January 1, 2030. Organizations that have not built operational compliance by then face enforcement without a grace period.
What happened with the federal lawsuit against the original law?
In April 2026, xAI (Elon Musk's AI company) filed suit against SB 24-205 on four constitutional grounds: compelled speech, the Dormant Commerce Clause, due process vagueness, and equal protection. The DOJ intervened on xAI's side — the first time the federal government moved to invalidate a state AI law. A federal magistrate judge stayed enforcement on April 27, 2026. The Colorado legislature responded by passing SB 26-189 to replace the original law with a narrower framework that is less vulnerable to those constitutional challenges.
Is there a small business exemption?
Yes — with a major caveat. Under SB 26-189, employers with 40 or fewer employees are generally not treated as a "deployer," but the exemption does not apply when those employers use ADMT for employment decisions like hiring or compensation — the most common HR use case. The threshold changed from the original law's 50-employee cutoff. Additional carve-outs apply to insurers subject to Colorado insurance regulation and HIPAA-covered entities (deemed compliant except for employment decisions), and FDA-regulated medical devices and pharmaceutical R&D (excluded outright). Most mid-market organizations do not qualify.
How long does an engagement take?
Most organizations complete the Discovery and Blueprint phases in 3 to 4 weeks. Build and Launch timelines depend on the complexity of your systems and the number of AI tools in scope. With the January 1, 2027 effective date and mandatory AG rulemaking that must be adopted by the same date, we recommend starting well before year-end.
Do you replace our legal counsel?
No. We focus on the technical and operational side of compliance, specifically the systems, data architecture, governance frameworks, and integration work. We work alongside your legal team so that your policies are backed by actual infrastructure.
Start with an AI governance assessment
We will map your AI systems, identify your obligations under SB 26-189, and give you a clear picture of what needs to happen before January 1, 2027.
No commitment. No sales pitch. Just a straight answer on where you stand.