Colorado AI Act: Readiness Update After SB 26-189

Update (May 2026): SB 26-189 moved the effective date to January 1, 2027. The original June 30, 2026 deadline no longer applies.

The Colorado AI Act (SB 24-205, as amended by SB 26-189) effective date is now January 1, 2027. As of January 2026, you have roughly six months. The readiness window is open now — and for many organizations, it’s narrower than it looks.

Where Organizations Stand

The Colorado Attorney General’s office spent 2025 publishing guidance and running industry outreach sessions. The picture that emerged: most large enterprises are aware of the law but have not operationalized compliance. Mid-size and smaller businesses are largely unaware.

Who is ahead:

• Financial services companies (credit decisioning teams have been watching algorithmic accountability laws since CFPB guidance years ago)
• Large HR software vendors (who are actively updating their platforms and documentation)
• EU AI Act-regulated companies that already have frameworks in place

Who is behind:

• Mid-size companies using off-the-shelf AI tools without realizing they’re deployers under the Act
• Healthcare AI deployers still assessing scope
• Property tech companies using AI in rental decisions

What “Readiness” Actually Means

Readiness under the Colorado AI Act means:

1. You know what you have. You’ve inventoried your AI systems and identified which are high-risk under the Act.
2. You’ve done the impact assessment. For each high-risk system, you have a documented impact assessment covering the required elements.
3. You have consumer notification. If you use a high-risk AI system to make consequential decisions about individuals, you can notify them before the decision and give them a meaningful appeal process.
4. You’ve done vendor diligence. You’ve obtained documentation from AI vendors and have contracts that address the Act’s requirements.
5. You have ongoing monitoring. You’re not just compliant at a point in time — you have a process for ongoing review.

The Practical Timeline from Here

January–February 2026: Inventory and scoping. This is the last comfortable moment to do this methodically. Do it now.

March–April 2026: Impact assessments. Plan on 6-8 weeks per complex system. Start in March for a June deadline.

May 2026: Consumer notification and process testing. Deploy disclosures, test the appeal process, train staff.

June 1-29, 2026: Final review. If you’re doing anything in June, it should be gap-filling and documentation review — not primary compliance work.

January 1, 2027: Law takes effect under SB 26-189 (subject to AG rulemaking and stay resolution).

The AG Enforcement Signal

Colorado AG Phil Weiser has been unusually transparent about enforcement intent. Key signals:

• The AG’s office has hired AI-specific enforcement staff
• Guidance explicitly says enforcement will prioritize “willful violations” and repeat offenders
• The AG has indicated that documented good-faith compliance efforts will be relevant to penalty determination

This matters: a company that can show a serious compliance effort — even with imperfections — is in a meaningfully better position than a company that did nothing.

What to Do This Month

If you haven’t started:

1. Designate a compliance owner for Colorado AI Act compliance — today
2. List every AI tool your company uses that touches employment, credit, housing, healthcare, or government services
3. For each tool, ask: do Colorado residents interact with this?
4. Get legal counsel to assess which of those systems are high-risk under the Act

That’s four actions. The readiness window is open. Use it.