
Colorado AI Act (SB 24-205, as amended by SB 26-189).

Colorado AI Act (SB 24-205, amended by SB 26-189): deployer obligations, January 1, 2027 deadline, NIST AI RMF safe harbor, and $20,000 per-consumer penalty risk explained.

Effective: January 1, 2027
Enforcement: January 1, 2027
Max Penalty: $20,000 per violation
Jurisdiction: US · Colorado

Colorado AI Act (as amended by SB 26-189) enforcement begins January 1, 2027 — is your business ready?

§ Timeline

  • May 2024: Signed into law
  • May 2026: SB 26-189 amendment
  • Jan 2027: Effective (amended)

Colorado SB 24-205 | Effective January 1, 2027 | AG enforcement authority — no private right of action


What Changed With SB 26-189 (May 2026)

If you've been following the Colorado AI Act since 2024, your compliance calendar is out of date.

SB 26-189 — passed May 9, 2026 — substantially rewrote the original law. The key changes:

  • Effective date moved from June 30, 2026 to January 1, 2027. The original deadline is gone.
  • Mandatory AG rulemaking — the Attorney General must now issue formal implementing regulations before the law takes full effect. That rulemaking has not yet started.
  • Enforcement stayed — a federal magistrate stayed enforcement as of April 27, 2026. The stay is ongoing.
  • Small business provisions revised — the exemption thresholds were adjusted, but they remain narrow. Don't assume you qualify.

The practical implication: you have more time than you thought, but the law is not going away. Use the runway to build the program you'd need anyway when the enforcement stay lifts and rulemaking concludes.


Are You a Deployer? Run This Test First

Most compliance work under the Colorado AI Act falls on deployers — the companies using AI to make decisions — not developers. If you're building an AI product for someone else, your obligations are narrower (primarily documentation and disclosure to deployers downstream from you).

You are a deployer under the Colorado AI Act if all three of these are true:

  1. You use an AI system that makes a consequential decision or is a substantial factor in one
  2. That decision affects a Colorado consumer
  3. The decision is in one of these domains:
    • Employment: hiring, promotion, termination, compensation, scheduling, performance evaluation
    • Credit and lending: loan approvals, credit limits, interest rates, lease decisions
    • Education: admissions, financial aid, academic evaluation, credentialing
    • Healthcare: diagnosis, treatment recommendations, medication decisions
    • Housing: rental applications, purchase decisions, pricing
    • Insurance: applications, underwriting, claims decisions, pricing
    • Legal services: legal representation, referrals, bail, sentencing
    • Government services: access to essential government benefits

You do not need to be headquartered in Colorado. If your AI affects Colorado residents in these domains — even if your company has no Colorado presence — you are covered.

If you're still not sure: The safest question to ask is: "Does this AI system's output affect whether a Colorado resident gets a job, a loan, an apartment, or healthcare?" If yes, treat yourself as in scope.


What Deployers Must Do

The Colorado AI Act requires deployers of high-risk AI to exercise reasonable care to prevent algorithmic discrimination — differential treatment that disadvantages individuals based on protected characteristics.

Here's what reasonable care looks like in practice:

1. Conduct an Impact Assessment

Before deploying a high-risk AI, and annually thereafter, you need an impact assessment that documents:

  • The AI system's intended purpose and use case
  • The categories of data the system processes
  • The potential benefits and risks of the deployment
  • Steps taken to test and mitigate discrimination risks
  • The level of human oversight involved

The NIST AI RMF is explicitly recognized as a framework for satisfying the reasonable care standard — if you're already building a NIST-aligned program, your impact assessment is part of that.

Key point: The impact assessment is not a checkbox. It needs to actually document your testing and mitigation work. "We reviewed the system and it seems fine" will not survive an AG investigation.

2. Maintain a Risk Management Program

You need documented processes for identifying, assessing, and mitigating the discrimination risks from your AI systems. This is ongoing, not one-time.

The AG's enforcement authority includes examining whether deployers have a functioning risk management program — not just whether they have paperwork.

3. Notify Consumers

When an AI system makes a consequential decision about a Colorado consumer, you must:

  • Notify the consumer that AI was used in the decision
  • Give them the principal reason(s) for an adverse decision
  • Tell them how to appeal or request human review

This applies to employment decisions, credit denials, insurance adverse actions, and the other consequential decision categories.

4. Respond to Correction Requests

Consumers can request correction of incorrect information that was used in an AI-driven consequential decision. You need a process to handle these requests.

5. Document Your Developer Relationships

If you're using a third-party AI product, you need:

  • Documentation from the developer about how the system works, what bias testing was done, and what discrimination risks exist
  • A contract that allocates compliance responsibilities appropriately
  • Your own testing and monitoring on top of what the developer provides

Your vendor's compliance documentation helps your case, but it doesn't satisfy your obligations as a deployer. You need to test the system in your deployment context.


What Developers Must Do

If you build AI systems and sell them to deployers, your obligations are narrower:

  • Disclose to deployers how the system works, what risks exist, and what bias testing was done
  • Make the disclosures the deployer needs to conduct their impact assessment
  • Cooperate with deployer audits and correction requests where your system is involved

Developer obligations are primarily about transparency downstream to deployers — not about directly managing consumer relationships.


The Safe Harbor: Document Your Framework

The law includes an important safe harbor: deployers who demonstrate reasonable care through alignment with recognized AI risk management frameworks are treated more favorably in enforcement.

What this means in practice: If the Colorado AG investigates your AI deployment and you can show:

  • A documented impact assessment
  • A functioning risk management program aligned with NIST AI RMF or equivalent
  • Evidence of bias testing and ongoing monitoring
  • Records of consumer notifications and correction processes

...you are in a fundamentally different position than a deployer who deployed without documentation and is responding reactively to an enforcement action.

The safe harbor is not absolute — you can still violate the law even with documentation. But documented reasonable care is your primary defense.


The Penalty Structure

The Colorado AG has exclusive enforcement authority — there is no private right of action under this law (no class action plaintiffs).

Maximum penalty: $20,000 per violation per consumer.

Important: The AG must issue a 60-day cure notice before initiating formal enforcement. If you have a documented compliance program and act in good faith to correct identified issues within the cure period, that meaningfully reduces your risk exposure.

The $20,000 figure becomes significant quickly in hiring contexts: if an AI hiring tool discriminated against 500 candidates in Colorado, the exposure math is uncomfortable even at partial enforcement.


The Enforcement Reality (As of May 2026)

Current status: Enforcement is stayed by a federal magistrate order (April 27, 2026). The stay is ongoing pending resolution of the related litigation.

AG rulemaking: SB 26-189 requires mandatory rulemaking before the law takes full effect. That rulemaking has not yet started. Formal implementing regulations could significantly clarify or modify some requirements.

What this means for your program: Don't stop building compliance infrastructure because of the stay. The stay is litigation-related and could lift. Rulemaking will establish clearer standards — you want to be positioned to meet them when they arrive, not scrambling after they're final.


Your Compliance Checklist

Work through these before January 1, 2027:

Phase 1 — Scope assessment (do this first)

  • Identify all AI systems that make or substantially influence consequential decisions about Colorado residents
  • Confirm which systems meet the high-risk threshold
  • Determine which third-party AI products you deploy that qualify

Phase 2 — Documentation

  • Conduct impact assessments for each in-scope deployment
  • Document your risk management program (NIST AI RMF or equivalent)
  • Document bias testing results and methodology
  • Establish ongoing monitoring schedule

Phase 3 — Vendor management

  • Collect developer documentation for all third-party high-risk AI
  • Update contracts to allocate AI compliance responsibilities
  • Verify developer bias testing covers your specific deployment context

Phase 4 — Consumer-facing processes

  • Implement AI disclosure notices for consequential decisions
  • Build adverse action notice process (principal reasons + appeal path)
  • Create a correction request intake and response process

Phase 5 — Ongoing monitoring

  • Set annual impact assessment review schedule
  • Establish bias testing cadence for each high-risk deployment
  • Brief relevant teams on consumer notification obligations

For a step-by-step version of this checklist with implementation detail, see the Colorado AI Act Compliance Checklist (updated for SB 26-189).


§ Industries Most Affected

  • Healthcare: AI used in diagnosis, coverage decisions, or treatment recommendations is high-risk under SB 24-205.
  • HR & Hiring: Automated tools for screening, scoring, or ranking job candidates trigger deployer obligations.
  • Financial Services: Credit scoring, lending decisions, and underwriting algorithms are explicitly covered by the Act.
  • Insurance: AI-driven underwriting or claims decisions affecting Colorado policyholders require impact assessments.

⚠ Penalty exposure
Up to $20,000 per violation

Enforced by the Colorado Attorney General under the Colorado Consumer Protection Act. A 60-day cure window applies for non-willful violations — but only if you have an active compliance program.
