Updated May 15, 2026: A Colorado Magistrate Judge ordered on April 27, 2026 that the Colorado Attorney General may not enforce SB 24-205 until final adoption of the AG's implementing rulemaking. Additionally, SB 189 — which replaces the SB 205 framework with a narrower "automated decision-making technology" definition — passed both chambers of the Colorado legislature (Senate May 7, House May 9, 2026) and is awaiting Governor Polis's signature. If signed, the new effective date is January 1, 2027. The June 30, 2026 statutory date is no longer a realistic enforcement trigger.
TL;DR: Colorado SB 24-205 enforcement was suspended by court order on April 27, 2026, pending completion of AG rulemaking. SB 189 — a replacement bill narrowing the scope to 'automated decision-making technology' — passed both chambers (May 9, 2026) and is awaiting Governor Polis's signature. If signed, the new effective date is January 1, 2027. The June 30, 2026 statutory date is no longer a realistic enforcement trigger. Deployers should prepare for January 1, 2027: impact assessments, bias testing documentation, transparency statements, and individual notice mechanisms.
The clock is running. Colorado SB 24-205 — the Colorado Artificial Intelligence Act — has a statutory effective date of June 30, 2026. It is the most operationally detailed state AI law in the United States, and unlike the wave of federal proposals circulating in Washington, it is law right now. However, as of April 27, 2026, enforcement has been judicially suspended pending rulemaking completion.
Updated May 2026: Colorado SB 24-205 enforcement was suspended April 27, 2026 by court order. SB 189 — the replacement bill — passed both chambers May 9, 2026 and sets January 1, 2027 as the new effective date (pending governor signature). Use the templates below to prepare for January 1, 2027.
For small teams deploying AI in any consequential decision context, this is the most urgent near-term compliance deadline in the US. Here is what the law requires and what you need to have ready.
Key Takeaways
- The Colorado AI Act statutory date is June 30, 2026. As of April 27, 2026, a court has suspended AG enforcement pending rulemaking — but the law itself has not been repealed.
- The law applies to both developers (who build or substantially modify high-risk AI) and deployers (who use high-risk AI in consequential decisions affecting Colorado residents).
- Covered domains: employment, education, financial services, essential services, healthcare, housing, and legal services. If your AI touches any of these, it may be in scope.
- Required by June 30: risk assessment, bias disclosure, transparency statement, and a human review mechanism for affected individuals.
- Violations are deceptive trade practices — up to $20,000 per violation. The AG may offer a 60-day cure window for good-faith efforts.
- The federal AI preemption proposals currently circulating do not override Colorado — compliance is mandatory today.
Summary
The Colorado AI Act is the first US state law with a comprehensive risk-based framework modeled loosely on the EU AI Act. Unlike simpler disclosure-only laws, it requires substantive governance infrastructure: documented risk assessments, active bias monitoring, public transparency statements, and individual appeal mechanisms. For small teams that have deployed AI in HR screening, loan decisions, healthcare triage, or essential services without building corresponding governance, June 30 is a hard deadline that requires action now — not in Q3.
What the Law Actually Requires
Who is covered:
The law applies to two categories of organization:
- Developers: entities that develop, substantially modify, or make available to the public a high-risk AI system. "Substantially modify" means changes that affect the AI's consequential decision-making behavior.
- Deployers: entities that deploy a high-risk AI system in Colorado for consequential decisions affecting Colorado residents.
Both categories have distinct obligations. Using a vendor's AI system makes you a deployer. Building your own makes you a developer. Modifying a vendor's AI for your use case may make you both.
What is a high-risk AI system:
A system that:
- Makes or materially contributes to a consequential decision — a decision that has a material legal or similarly significant effect on an individual's access to, or the cost, terms, or availability of, a covered service
- In a covered domain: employment, education, financial services, essential services (food, shelter, transportation, utilities), government services, healthcare, housing, or legal services
- And presents a material risk of algorithmic discrimination based on a protected characteristic
Not every AI system is high-risk under this definition. A general-purpose productivity tool that does not make consequential decisions in covered domains is not covered. The key question is: does this system make or materially influence decisions that could meaningfully harm individuals in ways that correlate with protected characteristics?
Developer obligations:
- Make available to deployers: documentation of the system's known limitations, the data used to develop it, an explanation of its decisions, and instructions for appropriate use
- Disclose known risks of algorithmic discrimination
- Report known instances of algorithmic discrimination to the Colorado AG within 90 days of discovery
Deployer obligations:
- Implement a risk management policy governing the use of the high-risk AI system
- Conduct and document a pre-deployment impact assessment
- Complete annual post-deployment assessments of the system's performance, including bias monitoring
- Publish a transparency statement on the deployer's website disclosing the types of high-risk AI deployed, their purposes, and how individuals can seek human review
- Provide individual notice to any person subject to a consequential decision influenced by high-risk AI, including the principal reason for the decision
- Offer a human review mechanism: a meaningful process through which individuals can appeal or request reconsideration of AI-influenced decisions
What "Material Risk of Algorithmic Discrimination" Means in Practice
The law uses "material risk of algorithmic discrimination" as the threshold for coverage. This does not mean your system has been shown to discriminate — it means it could, based on the context in which it is deployed.
The Colorado AG's guidance treats several deployment contexts as carrying inherent material risk:
- AI systems trained on historical data where the population was historically underrepresented or discriminated against
- AI systems using proxy variables that correlate with protected characteristics (credit score proxies, zip code, certain educational credentials)
- AI systems whose training data was not audited for representation bias
If you cannot positively rule out material risk of algorithmic discrimination, treat the system as high-risk and comply accordingly. The documentation burden of demonstrating no material risk is typically higher than completing the impact assessment required for high-risk systems.
Why Small Teams Are Particularly Exposed
Three patterns create outsized risk for small organizations:
Third-party AI deployed without oversight documentation. A startup uses a third-party AI screening tool to filter job applications. The vendor's documentation is a one-page API description. There is no impact assessment, no transparency statement, and no process to explain to a rejected applicant why their application was filtered. This is a textbook Colorado AI Act violation — as a deployer, the startup owns the compliance obligation regardless of who built the tool. The third-party AI tool risk gap is where most small team violations originate.
No human review mechanism. Many small teams use AI to make fast decisions at scale precisely because they do not have the staffing to review each decision manually. The Colorado AI Act does not require reviewing every decision — it requires a mechanism for individuals to request human review of decisions that affect them. This is a process requirement, not a staffing requirement. It can be as simple as a contact email, a documented review workflow, and a committed response time.
Transparency statement not drafted. The law requires a public transparency statement before deployment, not when an investigation begins. A team that has been using a high-risk AI since 2024 and has never published such a statement faces retroactive exposure for every consequential decision made since then.
Governance Goals for June 30
For a small team to be defensibly compliant by the deadline:
- AI system inventory completed and classified: every AI system assessed against the high-risk definition; classification rationale documented
- Impact assessments completed: for every system that qualified as high-risk, a pre-deployment assessment completed retroactively and documented
- Risk management policy in place: a written policy governing how high-risk AI is used, monitored, and reviewed
- Transparency statement published: live on the website before June 30
- Individual notice process defined: a documented process for notifying individuals of AI-influenced consequential decisions
- Human review mechanism operational: a real, functioning process — not just a policy document — through which individuals can request reconsideration
Controls: What to Actually Do
This week:
- Map every AI system your organization uses. Flag any that operate in the covered domains: employment, financial services, healthcare, housing, education, essential services, legal services.
- For each flagged system, apply the two-question test: (1) Does it make or materially contribute to a consequential decision? (2) Is there a material risk of algorithmic discrimination? If both answers are yes, it is high-risk.
- Check your vendor contracts. Do they provide the developer documentation the law requires deployers to obtain?
This month:
- Complete a risk assessment for each high-risk AI system — use the AI governance guide for small teams as a starting framework. Document methodology, scope, findings, and any mitigation decisions made.
- Draft the individual notice language you would use if a person asked why an AI-influenced decision was made about them.
- Write a risk management policy. At minimum it should cover: who owns oversight of each high-risk AI, how performance is monitored, what triggers escalation or review, and how bias concerns are handled.
Before June 30:
- Publish the transparency statement to your website.
- Stand up the human review mechanism and document that it is operational.
- Complete post-deployment bias monitoring for any high-risk AI that has been in production. If you find a discrimination issue, the 90-day AG disclosure clock starts when you discover it — not when the AG does.
Transparency Statement Template
The Colorado AI Act requires this to be live on your website before June 30, 2026. Adapt the bracketed fields.
[Company Name] — AI Transparency Statement
Pursuant to Colorado SB 24-205, effective June 30, 2026
High-Risk AI Systems We Deploy
[Company Name] deploys the following high-risk artificial intelligence systems in our operations:
| System | Purpose | Covered Domain | Consequential Decision Type |
|---|---|---|---|
| [System name, e.g., "Resume screening tool"] | [Purpose, e.g., "Initial filtering of job applications"] | [Domain: Employment / Financial services / Healthcare / Housing / etc.] | [Decision type, e.g., "Whether to advance an applicant to human review"] |
(Add one row per high-risk AI system)
How We Use These Systems
[Brief description of how each system is used and what role it plays in your decision-making process. Example: "Our resume screening tool reviews incoming applications against defined criteria and produces a ranked shortlist for human recruiter review. It does not make final hiring decisions."]
Individual Notice
If you are subject to a consequential decision materially influenced by one of these AI systems, you have the right to:
- Be informed that AI was used in the decision
- Receive the principal reason(s) for the decision
- Request human review of the decision
How to Request Human Review
To request human review of an AI-influenced decision, contact: [email address] within [30] days of receiving the decision. Include your name, the decision in question, and the date it was made. We will acknowledge your request within [5] business days and complete the review within [30] business days.
Contact
For questions about our AI governance practices: [email address]
Last updated: [Date]
Save this as a standalone page on your website, or add it as a section to your Privacy Policy or Terms of Use. Link to it from your product documentation and any communications where AI-influenced decisions are disclosed.
Individual Notice Template
When you make an AI-influenced consequential decision, you must notify the individual. Adapt this language for your channel (email, letter, in-product notification):
Subject: Notice of AI-Assisted Decision — [Decision Type]
Dear [Name],
We are writing to inform you that an automated system was used in connection with a decision regarding your [application / account / request] submitted on [date].
What the AI did: [Description of the AI's role, e.g., "An AI screening tool evaluated your application based on the criteria listed in the job posting and produced a recommendation that was reviewed by our recruiting team."]
Principal reason for the decision: [The main factor(s) that influenced the outcome, e.g., "The screening tool identified a mismatch between your stated qualifications and the minimum requirements for this role."]
Your rights: You have the right to request human review of this decision. To do so, reply to this message or contact [email address] within 30 days. We will review your request and provide a written response within 30 business days.
[Company Name]
Keep a copy of every individual notice sent. This is the evidence record for the AG if a complaint is filed.
Checklist (Copy/Paste)
- Inventory all AI systems; classify each against the high-risk definition
- Document classification rationale for each system
- Obtain developer documentation from vendors for all third-party high-risk AI
- Complete pre-deployment impact assessments (retroactively if already deployed)
- Conduct bias monitoring and document findings
- Write risk management policy covering oversight, monitoring, escalation, review
- Draft individual notice language for AI-influenced decisions
- Implement and test the human review mechanism
- Publish transparency statement to website before June 30
- Document the date of publication and content as evidence of compliance
- Establish annual post-deployment assessment cadence
Implementation Steps (7 Steps to June 30 Compliance)
Step 1 of 7: Run Your AI Inventory (Days 1–3)
Pull every AI tool from expense systems, IT asset registers, and engineering wikis. Flag anything used in hiring, lending, healthcare triage, housing decisions, benefits eligibility, or access to essential services. Use the AI inventory process to capture tool name, vendor, data it touches, and who uses it.
Step 2 of 7: Apply the High-Risk Classification Test (Week 1)
For each flagged tool, apply the two-question test: (1) Does it make or materially contribute to a consequential decision? (2) Is there a material risk of algorithmic discrimination? If both are yes, classify as high-risk. Document the analysis. If uncertain, classify as high-risk — the cure period protects good-faith efforts.
Step 3 of 7: Request Developer Documentation from Vendors (Week 2)
Contact every vendor of a high-risk tool and request their developer documentation: limitations statement, training data summary, and known discrimination risks. Track responses by date. A vendor that cannot provide this documentation may create deployer-level risk you need to escalate to legal.
Step 4 of 7: Complete Impact Assessments (Weeks 2–3)
For each high-risk system, complete a pre-deployment impact assessment — retroactively if already deployed. Use the AI risk assessment framework as your template. Document methodology, scope, findings, and any mitigation decisions made.
Step 5 of 7: Write Your Transparency Statement and Risk Management Policy (Weeks 3–4)
Draft the public-facing transparency statement (template above) and a written risk management policy covering: who owns oversight of each high-risk AI, how performance is monitored, what triggers escalation or review, and how bias concerns are handled. Have legal review both documents before publishing.
Step 6 of 7: Publish and Activate Before June 30
Publish the transparency statement to your website. Stand up the human review mechanism and document that it is operational. Run one end-to-end test of the human review process and document it. This is your compliance evidence.
Step 7 of 7: Establish Ongoing Assessment Cadence
Schedule annual post-deployment assessments for each high-risk AI. Assign a named owner for each. If you discover algorithmic discrimination at any point, the 90-day AG disclosure clock starts on discovery — not when the AG discovers it.
Frequently Asked Questions
Q: We are a SaaS company and our AI product is used by other businesses to make consequential decisions. Are we a developer or a deployer?
A: You are a developer. Your customers are the deployers. You have developer obligations: you must provide documentation to your deployers (limitations, training data summary, decision explanation capability) and disclose known risks of algorithmic discrimination. If you substantially modify the system based on customer configurations, you may share deployer obligations too.
Q: Our AI makes recommendations but a human always makes the final decision. Are we still covered?
A: Possibly. The law covers AI that "materially contributes" to a consequential decision — not just AI that makes the decision autonomously. If the human decision-maker routinely accepts the AI recommendation without independent analysis, regulators are likely to treat it as a material contribution.
Q: We are not headquartered in Colorado but serve Colorado customers. Does the law apply?
A: Yes. Jurisdiction is based on where affected individuals are located, not where the company is based. If Colorado residents are subject to consequential decisions made using your AI, you are covered.
Q: What should we do if we discover our AI has been discriminating?
A: The law requires disclosure to the Colorado AG within 90 days of discovery. Stop using the model in production, document the discovery and investigation, implement remediation, and engage legal counsel before disclosure. The AG's enforcement posture has explicitly acknowledged good-faith remediation as a mitigating factor.
Q: Can the White House preemption framework invalidate the Colorado AI Act?
A: Not today. The White House framework is a set of legislative recommendations to Congress — it has no legal effect on the Colorado AI Act until Congress passes and the President signs a preemption statute. That has not happened, and the timeline is uncertain. Comply with Colorado now.
References
- Colorado AI Act full text — SB 24-205: https://leg.colorado.gov/bills/sb24-205
- Colorado's Landmark AI Law Coming Online (Brownstein Hyatt): https://www.bhfs.com/insight/colorados-landmark-ai-law-coming-online-what-developers-and-deployers-should-know/
- Complete Guide to the Colorado AI Act 2026 (Glacis): https://www.glacis.io/guide-colorado-ai-act
- Navigating the AI Employment Landscape in 2026 (K&L Gates): https://www.klgates.com/Navigating-the-AI-Employment-Landscape-in-2026-Considerations-and-Best-Practices-for-Employers-2-2-2026
- NIST AI Risk Management Framework 1.0: https://www.nist.gov/system/files/documents/2023/01/26/AI%20RMF%201.0.pdf
- Related: AI Risk Assessment for Small Teams — the impact assessment framework referenced in Step 4 of the implementation plan
- Related: Red Teaming AI Systems — verify bias controls hold under adversarial conditions before the June 30 deadline
- Related: AI Vendor Due Diligence Checklist — request developer documentation from third-party AI vendors (Step 3 above)
- Related: EU AI Act Compliance for Small Teams: Complete Guide — Colorado AI Act shares the same high-risk categories as EU AI Act Annex III; satisfying EU AI Act requirements generally satisfies Colorado obligations
