In May 2024, Colorado made history. With SB24-205, the Colorado Artificial Intelligence Act (CAIA), it became the first U.S. state to enact a comprehensive, cross-sector law governing artificial intelligence. The statute was modeled in part on the European Union’s risk-based approach, imposing affirmative obligations on both developers and deployers of “high-risk” AI systems, and it was widely studied as a template for what state-level AI regulation might look like across the country.
That law never took effect.
On May 14, 2026, Governor Jared Polis signed SB 189 (“Automated Decision-Making Technology”), which repealed and replaced the Colorado AI Act roughly six weeks before its original June 30, 2026 effective date. The replacement statute discards most of the original framework’s defining features and substitutes a lighter-touch, transparency-oriented regime. The new effective date is January 1, 2027.
The reversal is one of the most consequential events in U.S. AI policy to date, and not because of what the new law adds. It matters because of what it removes, and because of what the retreat signals about the political and economic durability of comprehensive AI regulation in the United States. This analysis walks through why the first comprehensive U.S. AI law was rolled back before it ever applied, what compliance actually requires now versus before, how the new regime contrasts with the EU AI Act and the federal deregulatory posture, and the strategic question this leaves for organizations that deploy AI across multiple states.
Why the First Comprehensive U.S. AI Law Was Rolled Back
The Colorado AI Act passed in 2024 with an unusually long runway to its 2026 effective date, and that gap was deliberate. Even as he signed the original bill, Governor Polis expressed reservations in a signing statement, warning that the law’s complexity and compliance burden could chill innovation and disadvantage Colorado’s technology sector. The long implementation window was meant to give the legislature time to refine the statute before it bound anyone.
That refinement never produced consensus. Instead, the gap exposed a deep split. Industry groups argued the law was overbroad, vague in critical definitions, and would impose heavy documentation costs on small and mid-sized deployers with little corresponding benefit. Civil-society and consumer advocates argued the opposite, that the law’s protections against algorithmic discrimination were essential and should be strengthened, not weakened. An attempt to amend the law in the 2025 session failed. Governor Polis convened the Colorado AI Policy Work Group to find a workable middle path, but the underlying disagreement persisted.
By early 2026, with the effective date approaching and no settled implementing guidance, the practical reality was that covered entities faced a hard compliance deadline against a statute that many considered unworkable as written. SB 189 was the resolution: a near-complete rewrite rather than a patch. It passed with broad bipartisan margins, 34-1 in the Senate and 57-6 in the House, reflecting how little appetite remained for the original framework on either side of the aisle.
The lesson for compliance professionals is structural. A first-of-its-kind law with a long delayed effective date is not a stable obligation; it is a draft subject to revision until the day it binds. Colorado demonstrated that even a landmark statute can be unwound entirely before enforcement begins.
What the Original Colorado AI Act Required, and What SB 189 Removed
To understand the new regime, you have to understand what is gone. The original SB24-205 built its obligations around the concept of a high-risk artificial intelligence system and imposed a parallel set of duties on the two regulated roles, developers (those who build or substantially modify AI systems) and deployers (those who use them to make consequential decisions). SB 189 eliminates most of that architecture.
The following core elements of the original law were removed by SB 189:
- The duty of reasonable care to prevent algorithmic discrimination. This was the conceptual heart of the original act. Both developers and deployers were required to use reasonable care to protect consumers from any known or reasonably foreseeable risk of algorithmic discrimination, with a rebuttable presumption of compliance available to those who followed the statute. That affirmative duty of care is gone.
- Deployer risk-management programs. The original law required deployers to implement and maintain a risk-management policy and program governing high-risk systems, modeled on recognized frameworks. SB 189 does not carry this forward.
- Impact assessments. Deployers were required to complete detailed impact assessments for high-risk systems, including analyses of foreseeable discriminatory risks, data used, and mitigation measures, and to review them annually and after material modifications. This obligation is eliminated.
- The NIST/ISO affirmative defense. The original act gave defendants an affirmative defense if they discovered and cured violations through internal testing and were in compliance with a recognized risk-management framework such as the NIST AI Risk Management Framework or a comparable ISO standard. That safe harbor no longer exists, because the underlying duties it defended against no longer exist.
In place of a duty-of-care-and-documentation model aimed at preventing discriminatory outcomes, SB 189 substitutes a transparency and disclosure model aimed at informing consumers and giving them limited, defined rights. The regulated concept also shifts. Rather than “high-risk artificial intelligence systems,” the new law governs automated decision-making technology (ADMT), defined broadly as technology that processes personal data and uses computation to generate output, including predictions, recommendations, classifications, rankings, or scores, that is used to make, guide, or assist a consequential decision concerning an individual.
What the New Regime Actually Requires
SB 189 is not deregulation in the sense of imposing nothing. It imposes a defined, narrower set of obligations focused on notice, explanation, and human oversight. The principal requirements are:
- Pre-use consumer notice. Before a covered ADMT is used to make or materially influence a consequential decision about an individual, the deployer must provide the consumer with a notice. The notice tells the consumer that an automated system is being used, describes its purpose, and identifies the nature of the consequential decision involved. This is a transparency obligation that attaches at the point of use rather than a documentation obligation maintained in the background.
- Adverse-outcome explanations within 30 days. When a consequential decision is adverse to the consumer, the deployer must provide an explanation. The statute sets a 30-day window for delivering the principal reasons for the adverse decision, including the role the ADMT played and, where applicable, the types of data used. This is functionally an explainability and recourse mechanism rather than a discrimination-prevention mechanism.
- Meaningful human review. The new law centers a right to meaningful human review of adverse automated decisions, allowing affected individuals to have a qualified human reconsider an outcome rather than being subject to a purely automated determination. The emphasis is on a genuine, authorized human in the loop rather than a perfunctory rubber stamp.
- Developer documentation. Developers retain a narrower disclosure-and-documentation role. They must provide deployers with information sufficient to understand and comply, including documentation about the ADMT’s intended use, the types of outputs it produces, and the data categories it processes. This supports the deployer’s downstream notice and explanation obligations rather than feeding a standalone risk assessment.
The throughline is that the new obligations are consumer-facing and procedural. They tell people when AI is being used on them, why an adverse decision was reached, and give them a path to human reconsideration. They do not require the deployer to affirmatively evaluate, document, and mitigate the system’s potential for discriminatory impact. That substantive prevention duty, the most demanding and most contested feature of the original law, is precisely what was traded away.
Enforcement and Timeline
The enforcement structure is as significant as the substantive obligations, and it reinforces the lighter-touch design.
- Exclusive attorney-general enforcement. SB 189 is enforced solely by the Colorado Attorney General. The statute does not create a private right of action. Individuals cannot sue deployers or developers directly for violations; remedies run through the AG’s office, consistent with the enforcement model used for the Colorado Privacy Act.
- A 60-day cure period. Before the Attorney General can pursue an enforcement action, covered entities are afforded a 60-day cure period to remedy an alleged violation after receiving notice. A genuine cure within that window forecloses the action. This is a meaningful procedural protection that gives organizations a defined opportunity to fix problems before liability attaches.
- Effective date of January 1, 2027. The new law takes effect January 1, 2027, roughly six months after the original act would have. That timeline gives covered entities a full additional implementation runway, this time against a materially simpler set of requirements.
For compliance planning purposes, the combination matters: no private litigation exposure, a built-in opportunity to cure, and a single regulator. The risk profile of the new regime is far more contained than the original law’s, which combined affirmative duties, documentation obligations, and AG enforcement against a backdrop of significant uncertainty.
The Contrast: EU AI Act and the Federal Deregulatory Push
Colorado’s reversal is best understood against two reference points.
The first is the EU AI Act, which remains the world’s most comprehensive AI statute and is moving in the opposite direction from Colorado. The EU framework is explicitly risk-based: it classifies AI systems into prohibited, high-risk, limited-risk, and minimal-risk tiers, and it imposes escalating conformity assessments, technical documentation, risk-management systems, and post-market monitoring obligations on high-risk systems. The original Colorado AI Act borrowed heavily from this logic, with its high-risk classification, risk-management programs, and impact assessments. SB 189 abandons that lineage. Where the EU continues to build out a dense, prevention-oriented compliance apparatus, Colorado has retreated to a thinner, disclosure-oriented model. The transatlantic gap on AI governance, already wide, just widened further.
The second reference point is the federal deregulatory posture in the United States. The Colorado rollback did not happen in a vacuum. It tracks a broader 2025-2026 federal climate that has favored AI innovation and growth over prescriptive regulation, including pressure against a patchwork of divergent state AI mandates. SB 189 reads, in part, as a state-level accommodation to that climate, preserving consumer transparency while shedding the heavier obligations most likely to draw industry and federal objection.
The result is a notably fragmented national picture. Other states have continued to legislate in this space, and not all of them have followed Colorado toward retrenchment. Connecticut, for example, has pursued its own comprehensive approach; readers tracking the broader state landscape should review our coverage of the Connecticut CART Act (SB 5). The divergence between Colorado’s lighter regime and more comprehensive frameworks elsewhere is exactly the multistate complexity that a federal standard would resolve, and that, for now, remains unresolved.
Strategic Implications for Multistate Deployers
The hardest question SB 189 raises is not “what does Colorado now require.” It is “how should an organization that operates in many states respond to a single state walking its requirements back.”
There are two coherent strategies, and the right answer depends on an organization’s footprint and risk tolerance.
Strategy one: design to the high-water mark. Build a single AI governance program to the most demanding standard you face anywhere, and apply it everywhere. For most large multistate deployers, that high-water mark is no longer Colorado; it is the EU AI Act, comprehensive state frameworks like Connecticut’s, and sector-specific obligations in areas such as employment, lending, insurance, and housing. Under this approach, Colorado’s rollback changes almost nothing operationally. You keep your risk assessments, impact analyses, and NIST-aligned governance because other jurisdictions still demand them, and because they are defensible practice regardless of whether any single statute compels them. The cost is overhead; the benefit is a uniform, audit-ready program and resilience against the next regulatory swing.
Strategy two: optimize to each jurisdiction. Tailor obligations state by state, doing only what each law requires. This minimizes near-term compliance cost in lighter-touch states like Colorado, but it creates operational fragmentation, multiplies the number of distinct workflows to maintain, and exposes the organization to whiplash every time a state amends its law, as Colorado just demonstrated it will.
The Colorado episode is itself the strongest argument for the high-water-mark approach. An organization that had spent 2025 building to the original Colorado AI Act, with full risk-management programs, impact assessments, and NIST-aligned controls, has not wasted that work. Those controls remain valuable for the EU, for other states, for sector regulators, and for the affirmative-defense logic that still appears in other frameworks. An organization that had deferred all preparation, betting Colorado would never bind, happened to be right this time, but that is a bet on legislative outcomes rather than a governance strategy.
A final caution: do not over-read the rollback. SB 189 reduces Colorado’s specific statutory obligations, but it does not repeal anti-discrimination law generally. Existing civil-rights, fair-lending, fair-housing, and employment-discrimination statutes still apply to automated decisions. An algorithmic system that produces discriminatory outcomes can still create liability under those laws, even though Colorado no longer imposes a standalone duty of care to prevent it. The disappearance of the bespoke AI duty is not the disappearance of accountability for discriminatory results.
Compliance Checklist for the SB 189 Regime
Use the following to prepare for the January 1, 2027 effective date:
- Inventory covered ADMT. Identify every system that processes personal data and generates outputs (predictions, recommendations, classifications, rankings, scores) used to make, guide, or assist consequential decisions about Colorado individuals.
- Classify roles. Determine where you act as a developer, a deployer, or both, for each system, and confirm contractual flow-down of developer documentation to deployers.
- Build pre-use consumer notices. Create and deploy notices, delivered before the ADMT influences a consequential decision, that disclose the use of automated technology, its purpose, and the nature of the decision.
- Stand up a 30-day adverse-outcome explanation process. Implement workflows to deliver the principal reasons for adverse decisions, the role the ADMT played, and the data categories used, within the 30-day window.
- Establish meaningful human review. Define an authorized, qualified review path for affected individuals to seek human reconsideration of adverse automated decisions, and document who is empowered to overturn outcomes.
- Assemble developer documentation. If you are a developer, prepare documentation on intended use, output types, and data categories sufficient for deployers to meet their notice and explanation duties.
- Operationalize the 60-day cure capability. Build the internal process to identify, investigate, and remediate alleged violations within the 60-day cure period following AG notice.
- Do not dismantle existing governance. Retain risk assessments, impact analyses, and NIST AI RMF-aligned controls where other jurisdictions (EU, other states, sector regulators) require them, even though Colorado no longer does.
- Map the multistate picture. Cross-reference Colorado’s lighter regime against more comprehensive frameworks like the Connecticut CART Act and the EU AI Act, and decide deliberately between a high-water-mark and a jurisdiction-by-jurisdiction strategy.
- Confirm anti-discrimination coverage remains. Ensure your AI systems are still tested against generally applicable civil-rights, fair-lending, fair-housing, and employment-discrimination obligations, which SB 189 does not displace.
Conclusion
The Colorado AI Act was supposed to be the beginning of comprehensive U.S. AI regulation. Instead it became a case study in how fragile such regulation can be. SB 189 did not amend the first comprehensive U.S. AI law; it repealed and replaced it before it ever bound a single entity, trading a prevention-oriented duty-of-care framework for a transparency-oriented disclosure framework, and the threat of more expansive liability for exclusive attorney-general enforcement with a cure period.
For deployers, the practical takeaway is twofold. In Colorado specifically, the bar is now lower and clearer: notice, explanation, human review, documentation, with a path to cure and no private lawsuits, effective January 1, 2027. Nationally, the lesson is the opposite of reassuring. AI obligations are still in motion, still diverging across states, and still capable of reversing direction with little warning. The organizations best positioned for that volatility are the ones that build durable governance to the highest standard they face, rather than the lowest, and treat any single state’s retreat as a data point rather than a destination.
This article is provided for informational purposes only and does not constitute legal advice.



