Colorado’s Reset: What SB 26-189 Actually Asks of AI Deployers
Colorado’s landmark AI Act (SB 24-205) never took effect: its start date was postponed to June 30, 2026, and on May 14, 2026 the state repealed it outright and enacted SB 26-189, whose obligations begin January 1, 2027. The replacement is deliberately narrower — the impact assessments, the risk-management program, and the algorithmic-discrimination duty are gone. What remains is a disclosure-and-rights regime around automated decision-making technology (ADMT): notice when ADMT is in play, a plain-language explanation after an adverse outcome, data access and correction, and a consumer right to meaningful human review and reconsideration. We think that last phrase is where the real engineering question now lives — review of what, exactly? — and we say so having gotten Colorado’s trajectory wrong once already.
How Colorado got here
The short history, because the sequence matters. In May 2024, Colorado passed SB 24-205 — the first comprehensive state AI law, built around “high-risk artificial intelligence systems,” a duty of reasonable care against algorithmic discrimination, mandatory impact assessments, and a deployer risk-management program. Industry pushback and implementation concerns followed. In an August 2025 special session, the legislature postponed the effective date from February 1, 2026 to June 30, 2026. And this spring, rather than let the act take effect, the General Assembly repealed it and passed a replacement: SB 26-189, signed May 14, 2026, with its operative requirements arriving January 1, 2027.
So the first comprehensive state AI law never governed a single decision. That fact should discipline anyone — including us — who writes sentences about where AI regulation is “inevitably” heading.
What the new law covers
SB 26-189 trades the old act’s “high-risk AI system” frame for automated decision-making technology: technology that processes personal data and uses computation to generate output — predictions, recommendations, classifications, rankings, scores — used to make, guide, or assist a decision about an individual. It is covered when it materially influences a consequential decision: access to, eligibility for, or compensation related to education, employment, housing, financial or lending services, insurance, health care, or essential government services and public benefits.
For deployers, the obligations cluster around the consumer, not the management system:
Notice at the point of interaction. Clear and conspicuous notice to consumers when they are interacting with a covered ADMT.
Explanation after an adverse outcome. Within 30 days of a consequential decision that goes against the consumer, a plain-language description of the ADMT’s role in it. The Attorney General is directed to adopt rules sharpening these disclosure requirements by January 1, 2027.
Data access and correction. Consumers can request the personal data the ADMT used and demand correction of factual errors in it.
Meaningful human review. After an adverse outcome, consumers can request human review and reconsideration of the decision.
Enforcement runs through the Colorado Consumer Protection Act — a violation is a deceptive trade practice — which puts this in the Attorney General’s ordinary consumer-protection toolkit rather than a bespoke AI regime.
What was dropped — and reading it honestly
Three pillars of the repealed act are simply gone: the mandatory impact assessments, the risk-management program, and the duty of reasonable care against algorithmic discrimination with its ninety-day reporting obligation. It would be convenient for a company in our position to minimize that. We would rather read it plainly: Colorado moved away from mandated process obligations and toward disclosure and individual rights. Anyone who told you in 2025 that comprehensive process mandates were the settled direction of American AI regulation — a group that includes this blog — has been corrected by events, and we have annotated the original post accordingly rather than quietly rewriting it.
The question that survives the reset
Here is what did not get repealed, because it was never statutory to begin with: when an adverse decision reaches a consumer, someone eventually asks how it was made.
SB 26-189 gives that question a specific new form. A consumer requests meaningful human review and reconsideration of a decision an automated system made or guided. The statute does not say what the reviewer must be given to review — that is exactly the kind of gap the Attorney General’s rulemaking may or may not fill. But an institution has to decide, operationally, what lands on the reviewer’s desk. If the answer is the input file and the output score, the “review” is a re-run of the decision by other means. If the answer includes a record of how the system actually reasoned — what it weighed, what it checked, where it was uncertain — the reviewer has something to reconsider, and the word meaningful starts doing work.
We will not claim SB 26-189 requires reasoning traces; it does not, and vendors who tell you otherwise are reading their product into the statute. Our narrower observation: the law now hands every affected consumer a lever that ends with a human being asked to defend or reverse an automated decision, and the cost and quality of that moment depends almost entirely on what the system recorded about its own reasoning at decision time. That is an architectural choice, made long before any request arrives. It was true under the old act’s framework, it is true under the new one, and it would remain true if Colorado repealed this law too.
Colorado’s reset replaced a mandate list with a shorter promise: you will know when an automated system decided against you, you can see and correct the data it used, and you can put a human back in the loop. The statute is silent on what makes that human review meaningful. The institutions that answer well will be the ones whose systems can show their reasoning — not because Colorado requires it, but because a reviewer with nothing to review is a formality, and formalities do not survive scrutiny.
Related
The Colorado AI Act: What It Required — and What Replaced It (corrected) → SR 26-2 and the Model Risk Management Graph Suite → From Perimeter to Core: Auditability as an Architectural Property →Sources
- Colorado General Assembly, SB 26-189: Automated Decision-Making Technology (signed May 14, 2026).
- Colorado General Assembly, SB 24-205: Consumer Protections for Artificial Intelligence (2024; repealed 2026) and SB 25B-004 (2025 special session; postponed effective date).
- Davis Wright Tremaine, Colorado AI Act Repealed and Replaced by Narrower Statute (May 2026).
- Seyfarth Shaw, Colorado Enacts Artificial Intelligence Replacement Law (May 2026).
- Ballard Spahr, Colorado Rewrites Its Landmark AI Law: Unpacking SB 26-189 (May 2026).