What is AI regulation in Colorado?
Colorado first passed a risk-based AI law in 2024 aimed at algorithmic discrimination in "consequential decisions", but that framework has now been repealed and reenacted. The current statute, Senate Bill 26-189, regulates "automated decision-making technology" that materially influences consequential decisions in areas such as work, housing, credit, insurance, health care, education and public benefits. It relies on developer documentation, consumer notice, correction and human review rights, record keeping, and Attorney General enforcement. Most operative provisions apply from 1 January 2027.
What this means
Colorado is no longer best described simply as the state with a "high-risk AI" law. That description fits Senate Bill 24-205, passed in 2024. Since then, the legislature delayed that law and then replaced it with Senate Bill 26-189 in May 2026. The new statute keeps Colorado focused on consequential decisions, but it swaps the old "high-risk AI system" label for "covered automated decision-making technology", or covered ADMT.
In practice, this means Colorado regulates a narrow but important slice of AI use. The law is aimed at systems that materially influence consequential decisions about people in sectors such as employment, housing, lending, insurance, health care, education and public benefits. It is not a general licensing law for AI, and it does not automatically cover every model, chatbot, spreadsheet or internal workflow.
For organisations, the main task is to work out where decision-support technology actually affects a person's access, eligibility, price, compensation or selection, then build the notices, records, review channels and vendor documentation needed for that use.
Why it matters
Colorado matters because it has been one of the main US state test beds for AI governance in high-impact decision making. Older commentary often still describes the 2024 model, which used the language of "high-risk AI" and "algorithmic discrimination". The current statute is different. If a leadership team is relying on stale summaries, it can overbuild for duties that are no longer in the operative text, or miss new duties that are now centred on documentation, notice, record keeping, correction and human review.
The law also matters because it cuts across buyer, seller and operator roles. Developers and deployers each have their own responsibilities. A vendor cannot do everything for a customer, and a customer cannot assume the vendor's paperwork is enough. Colorado also pulls employment clearly into scope by treating employees and Colorado-resident job applicants as consumers for this law. That makes the statute relevant not just to consumer-facing firms, but also to HR, internal governance and procurement teams.
How it works
Current legal position
Colorado enacted Senate Bill 24-205 in 2024 as a landmark state AI law focused on high-risk AI systems and algorithmic discrimination. In 2025, Senate Bill 25B-004 delayed the main compliance date to 30 June 2026. In May 2026, the legislature then enacted Senate Bill 26-189, which repeals and reenacts the framework. The new law takes effect mainly on 1 January 2027 and applies to consequential decisions made on or after that date. The Colorado Attorney General is now preparing rulemaking for that 2027 framework.
This timing point matters. If you are reading commentary that speaks only about the 2024 act, you are reading an important part of the story, but not the whole current picture.
What Colorado originally enacted in 2024
The 2024 model was explicitly risk-based. It defined a "high-risk artificial intelligence system" as an AI system that, when deployed, makes or is a substantial factor in making a consequential decision. "Consequential decision" covered areas such as education, employment, finance, essential government services, health care, housing, insurance and legal services.
That statute gave both developers and deployers a duty to use reasonable care to protect consumers from known or reasonably foreseeable risks of algorithmic discrimination. For deployers, the presumption of reasonable care was tied to concrete governance steps such as a risk management policy and programme, impact assessments, annual reviews, consumer notice, correction rights, human appeal where technically feasible, public summaries and notice to the Attorney General if discrimination was discovered. For developers, it required documentation to deployers, public statements, and disclosure of known or reasonably foreseeable risks. It also expressly linked compliance to recognised AI risk management frameworks through an affirmative-defence style mechanism. This is the version that made Colorado famous.
What is covered under the current statute
The current law no longer uses "high-risk AI system" as its main trigger. Instead, it regulates "covered ADMT", meaning automated decision-making technology that is used to materially influence a consequential decision.
That definition does two important things. First, it narrows the relevant technology to systems that process personal data and generate predictions, recommendations, classifications, rankings, scores or similar information used to make, guide or assist a decision about an individual. Secondly, it narrows the trigger to technology that meaningfully affects how a consequential decision is made. The statute says "materially influence" means the output is a non-de minimis factor and affects the decision by constraining, ranking, scoring, recommending, classifying or otherwise meaningfully altering the process.
The covered domains remain familiar: education, employment, residential housing, financial or lending services, insurance, health care, and essential government services and public benefits. The law also makes clear that "consumer" includes employees, Colorado-resident job applicants, and individuals whose access to or opportunity in Colorado is evaluated by a person doing business in Colorado.
Just as important are the exclusions. The current statute excludes many routine or low-stakes uses, including routine scheduling, classroom personalisation, customer service triage, workflow management, search, content moderation, certain summarising or routing tools for human review, cybersecurity, economic sanctions controls, anti-money laundering controls, fraud prevention uses, and some natural-language systems that are not intended or configured for consequential decisions. In other words, the law is not aimed at ordinary productivity tooling unless that tooling has been wired into real consequential decision making.
Duties on developers and deployers
Under the current statute, developers must give deployers documentation in a reasonably understandable form. That documentation must describe intended uses, known harmful or inappropriate uses, categories of training data, known limitations, circumstances in which the system should not be used, instructions for appropriate use, monitoring and meaningful human review, and other information reasonably necessary for the deployer to meet its own disclosure duties. Developers must also notify deployers within a reasonable time about material updates, intentional and substantial modifications, and changes to intended use, limitations or risk mitigation. They must keep compliance records for at least three years.
Deployers must keep records for at least three years after a consequential decision. The current statute is therefore less about a broad ex ante risk programme and more about decision-traceable documentation, records and consumer-facing process. Operationally, that means organisations need a system inventory that is tied to actual consequential decisions, not just a generic list of AI tools.
Consumer notice, correction and human review
Before a deployer uses covered ADMT to materially influence a consequential decision, it must provide a clear and conspicuous notice to the consumer. The law allows this to be done through a prominent public notice at the relevant point of interaction, for example a proximate link or posting where the decision process happens.
If the use of covered ADMT leads to an adverse decision for the consumer, the deployer must provide additional information within 30 days. That includes a plain-language description of the decision and the role the covered ADMT played, plus a simple route to request more information about the covered ADMT and the inputs used, including the system name, version if applicable, developer, and the types, categories and sources of personal data used, to the extent that information has been supplied by the developer.
Consumers may also request correction of factually incorrect or materially inaccurate personal data used in the decision, and an opportunity for meaningful human review and reconsideration, to the extent commercially reasonable. The statute defines meaningful human review in a practical way: the reviewer must have authority to approve, modify or override the decision, be trained, not simply default to the system output, and have enough information to understand intended use, limitations, categories of inputs and principal factors behind the output. Notices and disclosures must also be reasonably accessible to people with disabilities and to consumers with limited English proficiency, consistent with other applicable law.
Enforcement, sector overlays and institutions
The Colorado Attorney General is the main enforcer. Violations are treated as deceptive trade practices under the Colorado Consumer Protection Act, and the statute says the relevant disclosure and consumer-rights provisions are enforceable exclusively by the Attorney General. The law does not create a new private right of action. At the same time, it also says compliance with the statute is not a defence to other applicable law. Existing discrimination, consumer protection, product liability and other claims can still matter.
The current law also contains a cure mechanism. If the Attorney General thinks a cure is possible, the office must issue a notice of violation before bringing an enforcement action. The organisation then gets 60 days to cure. That cure regime is itself temporary, with the reporting and cure subsection repealed from 1 January 2030. Starting in January 2028, the Attorney General must report annually on enforcement actions and cure periods through the Department of Law's SMART Act process.
Colorado also uses sector overlays instead of a one-size-fits-all model. Insurers and affiliated entities subject to Colorado's existing insurance algorithm law are deemed compliant with this part for the practice of insurance. HIPAA covered entities and business associates have broad carve-outs, although employment uses and some patient financial-assistance decisions still trigger specified disclosure duties. Creditors can avoid duplicate notices where federal Equal Credit Opportunity Act and Fair Credit Reporting Act notices already satisfy the state requirements for the same decision. Alongside these formal institutions, the state's Artificial Intelligence Impact Task Force continues to study wider AI governance issues and make recommendations, but it is advisory rather than the main enforcement body.
Examples
An employer uses a screening or ranking model to help decide which candidates move forward for interview. Employment is a covered domain, and the current law expressly includes employees and Colorado-resident job applicants within the consumer concept. If that system materially influences selection, the employer needs a clear notice before use, records that support compliance, and a process for post-decision explanation, data correction and meaningful human review where required.
A lender uses a decision-support model to affect eligibility or pricing for credit. Financial and lending services are covered. Colorado's law still expects notice and consumer-rights handling, but it also recognises that creditors already operate under federal adverse-action notice rules. If the creditor's federal notices also satisfy Colorado's state requirements for the same decision, the statute avoids forcing a separate duplicate notice track.
A hospital or other health-care provider uses covered ADMT to decide whether a patient qualifies for financial assistance or discounted care. HIPAA covered entities have broad carve-outs under the Colorado statute, but this is one of the areas where the law still requires specific disclosures. The patient must be told, in plain language, about the decision and the role of the system, the information relied upon, how to seek correction of materially inaccurate personal data, and how to request human review or reconsideration where applicable.
Common misunderstandings
Misunderstanding: Colorado regulates all AI.
Correction: No. The current law is focused on covered ADMT that materially influences consequential decisions in specified domains, and it excludes many routine, administrative, informational, cybersecurity and anti-fraud uses.
Misunderstanding: Colorado's law is still mainly the 2024 "high-risk AI" and algorithmic-discrimination model.
Correction: That 2024 model is historically important, but it has been repealed and reenacted. The current 2026 statute uses a different structure and different trigger terms.
Misunderstanding: The statute gives every consumer a new direct right to sue under the AI law itself.
Correction: No. The law says it creates no new private right of action. The Attorney General is the principal enforcer for the statute's disclosure and consumer-rights provisions, although existing rights under other law remain.
Misunderstanding: Any chatbot or large language model is automatically covered.
Correction: No. Ordinary natural-language tools are not automatically in scope. Coverage turns on whether the technology is intended, configured or actually used to materially influence a consequential decision.
Misunderstanding: If we comply with this statute, we are finished.
Correction: No. The statute itself says compliance does not excuse noncompliance with other applicable law, including anti-discrimination and consumer protection law.
Risks and boundaries
The biggest boundary is scope. The current Colorado law is about consequential decisions materially influenced by covered ADMT, not generic AI experimentation or every software feature. Organisations should not over-classify every internal tool as regulated, but they also should not under-classify ranking, scoring, recommendation and classification tools that sit inside hiring, credit, housing, insurance, health, education or benefits decisions.
The biggest near-term uncertainty is implementation detail. The Attorney General must adopt rules by 1 January 2027 on post-decision disclosures and consumer-rights mechanics, and the official Attorney General page says formal rulemaking details will be posted later. There is also a practical transition risk: many public summaries still recite the 2024 high-risk AI framework. That history matters, but it is no longer the cleanest statement of the regime organisations are now preparing for. For any use case that sits close to the late-2026 to early-2027 boundary, the live statutory text and current official guidance should be checked carefully.
What to do next
Start by mapping where your organisation uses ranking, scoring, recommendation or classification tools in employment, housing, credit, insurance, health care, education or public-benefit decisions. The key question is not whether a tool uses AI in a general sense. The key question is whether it materially influences a consequential decision.
Then clean up the developer and deployer split. If you buy technology, ask for intended-use statements, categories of training data, known limitations, instructions for appropriate use and human review, and update notices. If you sell technology, make sure those materials already exist in a form your customers can actually use.
Next, design the consumer path. Put notice where the interaction happens, create a plain-language post-decision explanation process, decide how people can request correction of factually incorrect or materially inaccurate personal data, and nominate reviewers who have real authority to change a decision rather than rubber-stamp the system.
After that, align with sector teams. HR, lending, insurance, health and education functions may already have appeals, adverse-action notices, record-inspection processes or supervisory requirements. Colorado often lets these existing channels do part of the work if they genuinely satisfy the state statute, so duplication is not always necessary.
Finally, monitor Colorado Attorney General rulemaking through 2026. That is likely to be the main source of clarity on difficult points such as post-decision disclosures, sector-specific examples and the boundary of "materially influence".
FAQs
Is Colorado still the first US state with a broad AI law?
Colorado was the first state to enact a broad high-risk AI statute in 2024. But by mid-2026 the legislature had rewritten that framework through Senate Bill 26-189.
When does Colorado's current AI law take effect?
Most of the current statute takes effect on 1 January 2027 and applies to consequential decisions made on or after that date. Some rulemaking and implementation sections took effect earlier on passage.
Does the current law still use the term "high-risk AI system"?
No, not as the main operative trigger. The current law regulates "covered automated decision-making technology" that materially influences consequential decisions.
Does Colorado require AI impact assessments right now?
The original 2024 act did require deployer impact assessments. The current 2026 statute is organised differently and centres instead on documentation, record keeping, notice, correction and human review.
Does the law cover hiring and HR tools?
Yes, where the tool materially influences a consequential employment decision. The statute expressly includes employees and Colorado-resident job applicants in scope.
Who enforces the law?
The Colorado Attorney General. Violations are treated as deceptive trade practices, and the statute gives the Attorney General exclusive enforcement authority for its main disclosure and consumer-rights provisions.
Do insurers and health-care organisations get special treatment?
Yes. The statute contains sector overlays. Insurers subject to Colorado's existing insurance algorithm law are treated as compliant for the practice of insurance, and HIPAA covered entities have broad carve-outs with some important exceptions.
Does the law apply to ordinary chatbots or generic generative AI tools?
Not automatically. Many natural-language and information-assistance tools are excluded unless they are intended or configured to materially influence a consequential decision.
