Colorado Legislature Passes Major Rewrite of Landmark AI Act, Shifting Compliance Focus

DENVER — The Colorado legislature on May 9, 2026, passed a sweeping overhaul of its pioneering 2024 artificial intelligence law, replacing a broad and demanding regulatory framework with a more targeted approach that redefines compliance for businesses across the state. The new bill, SB 26-189, which now awaits the governor’s expected signature, repeals and replaces the original Colorado AI Act, shifting the focus from governing “high-risk AI systems” to regulating “automated decision-making technology” (ADMT). The new rules are set to take effect on January 1, 2027. The passage marks the culmination of a contentious two-year effort to amend a law that many in the business community viewed as overly burdensome. The original 2024 act would have imposed onerous requirements on employers and financial institutions, including the implementation of comprehensive risk management programs, detailed impact assessments, and annual reviews to prevent algorithmic discrimination. After failing to reach a consensus in 2025, lawmakers used a special session merely to delay the law’s effective date before a multi-stakeholder working group was convened to draft a viable replacement. While this rewrite provides some relief by streamlining the rules, businesses should not mistake this for deregulation. The compliance burden has simply shifted from abstract risk governance to concrete process transparency. In our experience, many small and mid-sized companies use third-party software for everything from hiring and recruiting to consumer lending, and they may not even be aware that these tools constitute “automated decision-making technology” under the new law. The core challenge is no longer just about the technology itself, but about documenting and disclosing how it’s used in workflows that result in consequential decisions for consumers. This is precisely where business process reengineering becomes essential. It involves mapping out every step where automation touches a customer, identifying the decision points, and embedding the legally required notices and review mechanisms. C&S Finance Group LLC helps clients navigate precisely these kinds of regulatory shifts, ensuring their automated systems are compliant without disrupting operations. Business owners can learn more at csfinancegroup.com. The most significant change in SB 26-189 is the move away from the broad concept of “high-risk AI.” Instead, the legislation now targets the use of ADMT in making, guiding, or assisting in “consequential decisions.” These are defined as decisions that have a material legal or similarly significant effect on an individual’s access to essential services and opportunities, including financial and lending services, housing, insurance, education, employment, and healthcare. Under the new framework, the primary obligation for businesses, referred to as “deployers” of the technology, is to provide transparency. Before using a covered automated system, a deployer must give the consumer a “clear and conspicuous notice” that such a system will be used in a decision affecting them. The law also requires an explanation of how the consumer can obtain additional information about the system’s use. According to the bill’s text, this requirement can be satisfied with a prominent public notice that is reasonably accessible to the consumer, such as a banner on an online loan application portal, placed near the point where the decision-making process occurs. This notice-based approach is a significant departure from the 2024 law, which would have mandated that businesses conduct and document detailed impact assessments to weigh the benefits of an AI system against its potential risks for algorithmic discrimination. The original act’s requirements for ongoing monitoring and annual reviews were a major source of concern for employers and other businesses, who argued the obligations were vague and operationally expensive. The road to SB 26-189 was complex. When Governor Jared Polis signed the initial AI Act in 2024, he did so with public reservations, urging the legislature to refine the law before its original February 2026 effective date. Lawmakers were unable to agree on amendments during the 2025 general session. A subsequent special session only managed to delay the law’s effective date to June 2026, pushing the substantive debate forward. To break the stalemate, a working group comprising lawmakers, the Governor’s office, the Attorney General’s office, and other stakeholders convened in the fall of 2025. This group released a proposal on March 17, 2026, which, while acknowledged as imperfect, provided the foundation for the final bill. SB 26-189 was formally introduced on May 1, 2026, and moved rapidly through both chambers before passing just over a week later. Despite providing more clarity, the new law leaves some questions unanswered. Financial institutions in particular are watching how regulators will interpret a provision requiring a “commercially reasonable” method for human review of automated decisions. Some legal analysts have noted this standard could prove unworkable and counterproductive for fair lending compliance in the high-volume world of consumer credit. Furthermore, the timeline for enforcement remains uncertain. The Colorado Attorney General recently agreed to stay enforcement of the 2024 law pending the outcome of litigation challenging its validity. It is not yet clear how that stay or the final court decision will impact the enforcement of the new law after it takes effect in 2027. With the bill now on Governor Polis's desk, businesses in Colorado have a clearer, albeit still challenging, path for compliance. Stakeholders will be closely watching for the governor’s signature and any subsequent rulemaking from the Attorney General’s office, which will further define the practical obligations for companies using automated tools in their daily operations.