State Law Deep Dive • Colorado SB26-189 (ADMT Act)
The Colorado AI Act Explained: SB26-189 Replaces SB 24-205 (2026 Update)
On May 14, 2026, Colorado Governor Jared Polis signed SB26-189, which repealed and replaced the original Colorado AI Act (SB 24-205). The new law — now formally the Colorado Automated Decision-Making Technology (ADMT) Act — takes effect January 1, 2027 (not June 30, 2026). This guide explains what changed, who must comply, and how to prepare.
1. Introduction: Why Colorado Matters
When Colorado's governor signed SB 24-205 into law in May 2024, Colorado became the first state to enact a comprehensive, cross-sector AI governance statute modeled on the European approach to AI regulation. The law's broad scope — covering consequential AI decisions across employment, healthcare, insurance, education, financial services, housing, legal services, and government — means that a significant portion of AI deployments in the United States fall within its reach if they affect Colorado residents.
Colorado's law is important not just because of what it requires, but because of what it signals. It is the most-watched AI law in the country for state legislators, and its core framework — a two-tier developer/deployer structure, high-risk AI definitions, impact assessments, consumer rights — has been borrowed or adapted in proposed legislation in Connecticut, Virginia, Texas, and at least a dozen other states. Understanding Colorado's AI Act is essential to understanding the direction of U.S. AI regulation as a whole.
"Colorado's AI Act is to state AI regulation what GDPR was to data privacy: a first-mover law that sets the template others follow. Even organizations not subject to Colorado's law should understand it — because a version of it is likely coming to their state."
This guide is written for legal counsel, compliance officers, and business leaders at organizations that develop or deploy AI systems affecting Colorado consumers. It provides a detailed, accurate explanation of the law's requirements — not a simplified summary. Where the law uses defined terms, this guide uses them. Where the law's scope is ambiguous, this guide notes that ambiguity.
2. What Is the Colorado AI Act?
The Colorado Artificial Intelligence Act — formally codified as C.R.S. Title 6, Article 1, Parts 17 and 18 — creates a risk-tiered governance framework for "high-risk artificial intelligence systems" that make or substantially influence "consequential decisions" affecting Colorado consumers.
Legislative History
SB 24-205 was introduced in February 2024. It passed the Colorado General Assembly in a closely watched vote — with significant debate about its potential impact on AI innovation — and was signed by the governor with a letter noting concerns about regulatory overreach and requesting legislative refinement before the effective date. The Colorado General Assembly subsequently convened interim task forces to address implementation questions. The original effective date of February 1, 2026 was postponed to June 30, 2026 by SB 25B-004.
The Core Framework
The Act creates obligations at two levels of the AI supply chain:
- Developers — entities that create, code, produce, or substantially modify high-risk AI systems — have obligations to document their systems, share technical information with deployers, and maintain transparency about capabilities and limitations.
- Deployers — entities that deploy high-risk AI systems in Colorado for consequential decisions — bear the more extensive obligations: impact assessments, consumer disclosures, opt-out mechanisms, bias monitoring, incident reporting, and documentation.
An entity may be both a developer and a deployer — for example, a technology company that builds an AI system and also uses it in its own operations to make consequential decisions about its customers or employees.
3. Who Does It Apply To?
The Colorado AI Act applies to:
- Developers that develop, produce, or substantially modify a high-risk AI system and offer it to Colorado deployers, or use it themselves as a deployer in Colorado.
- Deployers that deploy a high-risk AI system in Colorado to make or substantially influence a consequential decision affecting a Colorado resident.
There is no explicit revenue or employee threshold in the Act — it applies based on what the AI system does, not on the size of the organization. However, the Act does provide that the Colorado Attorney General will consider an entity's size, resources, and nature of operations in enforcement, which may provide some practical protection for genuinely small operators.
Key Exemptions
The Act includes several important exemptions. Not all are settled in their application, and organizations relying on exemptions should document their basis carefully:
- Small developer/deployer exemption: Entities with fewer than 50 employees that develop or deploy a high-risk AI system solely for their own internal use are subject to reduced obligations, though not fully exempt.
- Approved NIST framework safe harbor: Deployers that document and follow the NIST AI Risk Management Framework — or an approved equivalent — receive safe harbor protections against enforcement actions. This is a critical compliance pathway.
- Open-source exemption: Developers making AI systems available under open-source licenses have reduced documentation obligations, though deployers of open-source AI systems remain covered.
- Outputs not used for consequential decisions: AI systems whose outputs are not used, directly or indirectly, in consequential decisions fall outside the high-risk definition.
The Act applies to AI systems that affect Colorado residents regardless of where the developer or deployer is located. A company headquartered in California deploying an AI system that makes consequential decisions about Colorado residents is subject to the Colorado AI Act.
4. High-Risk AI Systems Defined
The Act defines a "high-risk artificial intelligence system" as any AI system that, when deployed, makes or is a substantial factor in making a "consequential decision." A consequential decision is a decision that has a material legal or similarly significant effect on a Colorado consumer's access to, or the cost or terms of, any of the following:
The "substantial factor" test is one of the more consequential ambiguities in the Act. An AI system that a human decision-maker "substantially relies upon" — even if the human makes the final decision — may be covered. Documenting the actual role of AI in your decision workflows is therefore critical both for compliance and for scoping your obligations.
5. Requirements for Developers
Developers of high-risk AI systems have three primary categories of obligations under the Colorado AI Act:
Risk Management Documentation
DeveloperDevelopers must create and maintain documentation sufficient to allow deployers to conduct the required impact assessments. This documentation must include:
- A description of the AI system and its intended uses, including the types of consequential decisions it is designed to assist or make
- The known limitations of the system, including known or reasonably foreseeable risks of algorithmic discrimination
- The categories of data used to train the system and the sources of that data
- Performance metrics, including metrics disaggregated by relevant demographic categories to the extent technically feasible
- The basis for determining that the system is a high-risk AI system
- The applicable NIST AI RMF profile or equivalent risk management standard followed
Disclosure to Deployers
DeveloperWhen a developer makes a high-risk AI system available to a deployer, the developer must provide the deployer with:
- All documentation required above
- Notice of any known uses for which the system should or should not be used
- Guidance on how to perform the deployer's own impact assessment
- Descriptions of evaluation processes used, including data sources, testing methodologies, and bias evaluation results
- A summary of the developer's own risk management program for the system
Developers must update this documentation and notify deployers when material changes are made to the system that affect the deployer's ability to comply with its own obligations.
Consumer Inquiry Response
DeveloperDevelopers must establish a process to receive and respond to inquiries from Colorado consumers who interact with or are affected by their high-risk AI systems. Developers are required to maintain contact information that deployers can pass through to consumers, and must cooperate with deployers in responding to consumer appeals and complaints.
6. Requirements for Deployers
Deployers bear the most extensive compliance obligations under the Act. These obligations apply to any organization that deploys a high-risk AI system to make or substantially assist in making a consequential decision affecting a Colorado resident.
Annual Impact Assessments
DeployerDeployers must conduct a documented impact assessment before initially deploying a high-risk AI system and annually thereafter. The impact assessment must address:
- The purpose, intended use cases, and benefits of the AI system
- The categories of data used and the sources of that data
- The reasonably foreseeable risks of algorithmic discrimination and steps taken to mitigate those risks
- The performance metrics of the system, including evaluation across demographic categories
- Post-deployment monitoring procedures
- Transparency and disclosure measures implemented
- The governance structure for the system, including human oversight mechanisms
Impact assessments must be made available to the Colorado AG upon request. Deployers are not required to make them publicly available, but should treat them as discoverable in litigation and enforcement proceedings.
Consumer Disclosures
DeployerDeployers must notify Colorado consumers, no later than the time a consequential decision is made, that:
- A high-risk AI system was used to make or substantially assist in making the consequential decision
- The consumer has the right to appeal the decision and request human review
- The consumer has the right to correct inaccurate data that influenced the decision
- Contact information for submitting an appeal or inquiry
The notice must be "clear, timely, and accessible" — not buried in a privacy policy. The AG has indicated that disclosures in user-facing adverse action letters or decision notices will satisfy this requirement if they contain the required elements.
Consumer Appeal and Human Review Rights
DeployerDeployers must provide consumers with a meaningful opportunity to appeal consequential AI decisions and, where technically feasible, to request human review. Specifically:
- The deployer must provide a process for consumers to appeal an adverse consequential decision
- If the consumer requests it and it is technically feasible, the deployer must allow human review of the AI's decision
- The deployer must provide an explanation of the principal reasons for the decision, including which factors most significantly affected the outcome
- Consumers must be allowed to correct personal data that was inaccurate and that influenced the decision, and the deployer must reconsider the decision based on corrected data if feasible
This is operationally demanding. Deployers must design, staff, and document human review processes before deploying covered AI systems — not as an afterthought.
Bias Testing and Monitoring
DeployerDeployers must implement and maintain a risk management program that includes ongoing monitoring of the high-risk AI system for algorithmic discrimination. This includes:
- Periodic evaluation of the system's outputs for disparate impact across protected class categories
- Documentation of testing methodologies and results
- Remediation procedures when bias is detected
- Incident tracking and reporting requirements (see enforcement section)
Record-Keeping and Reporting
DeployerDeployers must maintain records sufficient to demonstrate compliance with all obligations above. Records must include all impact assessments, consumer notices provided, appeals received and resolved, monitoring results, and corrective actions taken. Records must be retained for the period of deployment plus three years.
Deployers must also notify the Colorado AG of any known or suspected incident of algorithmic discrimination within a reasonable timeframe (AG rulemaking is pending on the specific timeframe). Incidents must be documented, investigated, and remediated with a record of actions taken.
7. Enforcement and Penalties
Colorado Attorney General Enforcement
Primary enforcement authority under the Colorado AI Act rests with the Colorado Attorney General. The AG may investigate complaints from consumers, conduct proactive investigations, issue civil investigative demands, and bring enforcement actions. The AG may seek:
- Injunctive relief — court orders requiring compliance or cessation of covered activities
- Civil penalties — up to $20,000 per violation; however, the Act provides a cure period of 60 days after notice before penalties can be sought, provided the violation was not willful
- Actual damages — in cases where consumers suffered quantifiable harm from algorithmic discrimination
- Attorney's fees — in successful enforcement actions
Private Right of Action
The Colorado AI Act does not create a broad private right of action allowing individual consumers to sue directly for violations of the Act's procedural requirements. However:
- Consumers who suffer actual harm from algorithmic discrimination may have claims under existing civil rights and anti-discrimination laws (which apply independently of the AI Act)
- The Act's documentation requirements and impact assessments are likely to be discoverable in civil litigation, creating significant evidence implications
- The AG can seek actual damages on behalf of harmed consumers in enforcement actions
Even without a direct private right of action, the documentation and impact assessment requirements of the Colorado AI Act create significant litigation exposure. Well-documented bias or discrimination findings in an impact assessment that were not remediated could be devastating evidence in a discrimination lawsuit. Legal counsel should review all impact assessment materials before finalization.
8. Preparing for Compliance: A Timeline
With the Colorado AI Act effective June 30, 2026, organizations need a structured preparation timeline. Below is a recommended phased approach for deployers subject to the Act.
Phase 1: AI Systems Inventory
Document every AI system deployed in Colorado operations that touches any of the eight covered domains. Identify vendors, decision types, affected populations, and data sources. This inventory is the foundation of everything that follows.
Phase 2: Impact Assessments
Conduct documented impact assessments for each high-risk AI system. Engage technical AI auditors and legal counsel. Follow the NIST AI RMF to qualify for the safe harbor. Document methodology, findings, and remediation decisions. These must be complete before each system's first use after the effective date.
Phase 3: Consumer-Facing Compliance
Update adverse action letters, decision notices, website disclosures, and customer communications to include required AI disclosures. Establish the appeal and human review process — including staffing, routing, and documentation procedures.
Phase 4: Annual Assessments and Monitoring
Conduct annual impact assessments; update documentation for material system changes; track and report algorithmic discrimination incidents; respond to consumer appeals; and monitor legislative amendments and AG rulemaking. Assign a designated AI compliance owner within your organization.
9. Colorado vs. Other States: How Does It Compare?
| Feature | Colorado | California | Illinois | New York | Texas |
|---|---|---|---|---|---|
| Omnibus AI law | Yes | Piecemeal | No | Partial (NYC) | Yes (TRAIGA) |
| Impact assessments required | Yes (annual) | Some bills | No | NYC: bias audit | Yes |
| Consumer appeal rights | Yes | Advancing | No | No | Yes |
| Developer obligations | Significant | Training data (AB 2013) | Limited | No | Yes |
| Employment AI coverage | Yes | Advancing | Yes (AIVIA) | Yes (NYC LL144) | Yes |
| Healthcare AI coverage | Yes | Multiple bills | Limited | Advancing | Yes |
| NIST framework safe harbor | Yes | No | No | No | Partial |
| Max civil penalty | $20,000/violation | Varies by law | $1,000–$5,000 (BIPA) | $500–$1,500 (LL144) | Varies |
Colorado's law stands out for its breadth, its developer obligations (most state laws focus only on deployers), its human review rights, and its NIST safe harbor pathway. It is the most complete AI governance framework enacted by any U.S. state. Connecticut's advancing legislation is closely modeled on it and may be the next enacted comparable law. See the Bill Comparator to analyze any pair of state AI laws side by side.
What's Pending in 2026
Two developments could affect the Colorado AI Act before its June 30, 2026 effective date — neither has changed the law as of April 28, 2026.
The ADMT proposal (March 17, 2026): The Colorado AI Policy Work Group released a proposed rewrite of the CAIA that would replace the bias-audit framework with a transparency/disclosure framework and likely delay enforcement to January 1, 2027. As of late April 2026 it is a Work Group proposal — not yet introduced as a bill. Sources: Mayer Brown; Fisher Phillips.
xAI litigation (April 9, 2026): xAI Corp. filed suit against Colorado Attorney General Phil Weiser in the U.S. District Court for the District of Colorado (Civil Action No. 1:26-cv-01515), alleging the CAIA violates the First Amendment, Dormant Commerce Clause, and Equal Protection. As of April 28, 2026, no preliminary injunction has been issued and the June 30, 2026 effective date stands. Source: PPC Land.
10. Resources and Tools
For ongoing compliance monitoring and analysis, use the following resources:
- Colorado State Page — Live tracking of all Colorado AI legislation, including SB 24-205 amendments and AG rulemaking
- Am I Affected? — Assess your Colorado AI Act exposure based on your industry and AI use cases
- Deadline Calendar — Key dates for Colorado AI Act compliance milestones and AG reporting deadlines
- Penalty Tracker — Penalty structures and enforcement history for Colorado AI Act violations
- Bill Comparator — Compare Colorado's AI Act to other state laws side by side
- The Complete 2026 Guide — Full overview of the U.S. AI regulatory landscape
- Compliance Checklist — Structured assessment tool for determining your AI compliance obligations
Track every update to Colorado's AI Act
We've published 15 Colorado AI bills and 2182 AI bills across all 50 states. Get alerts on amendments, AG rulemaking, and enforcement actions.
Free Newsletter View Colorado Laws