What is Colorado SB 26-189 and when does it take effect?

Colorado SB 26-189 is the replacement for Colorado's original AI Act (SB 24-205). It was signed into law by Governor Jared Polis on May 14, 2026, and takes effect January 1, 2027. The law regulates automated decision-making technology (ADMT) used in consequential decisions across seven domains, including employment. It requires pre-use notices, post-adverse-outcome notices, human review options, and three-year recordkeeping. Enforcement is by the Colorado attorney general only; there is no private right of action.

Which AI tools trigger coverage under Colorado SB 26-189?

A tool triggers coverage if it is automated decision-making technology (ADMT) used to "materially influence" a "consequential decision" in one of seven covered domains, including employment. This covers AI resume screeners, interview scoring systems, performance management tools, and similar products used in hiring, promotion, termination, or compensation decisions. It does NOT cover identity verification tools, cybersecurity software, routine scheduling automation, administrative routing, customer service bots, or workflow management systems.

Does Colorado SB 26-189 require AI bias audits?

No. Unlike the original SB 24-205, the replacement law does not require bias audits or annual algorithmic impact assessments. The new framework focuses on transparency and notice. Employers must provide pre-use notice, post-adverse-outcome notice within 30 days, and a human review option, but they are not required to commission third-party audits or submit audit results to the state.

Is Colorado SB 26-189 currently being enforced?

No, not yet. The federal court stay issued on April 27, 2026, in the xAI lawsuit technically extends to successor legislation, including SB 26-189. Enforcement cannot begin until 14 days after the court rules on xAI's forthcoming motion for a preliminary injunction, and the Colorado attorney general must complete rulemaking by January 1, 2027. That said, employers should prepare now because the January 1, 2027 effective date is firm on the legislative calendar.

What must a post-adverse-outcome notice under SB 26-189 include?

If a covered ADMT materially influences a decision that produces an adverse outcome for an individual (such as a rejected job application or a termination), the deployer must provide a plain-language explanation of the ADMT's role in the decision within 30 days. The notice must also inform the individual of their right to request meaningful human review and reconsideration, and their right to access and request correction of any personal data used in the decision.

Colorado AI Act Overhaul: What Employers Mu…

Colorado AI Act Overhaul: What Employers Must Know About SB 26-189 Before January 1, 2027

Colorado replaced its original AI Act with SB 26-189, signed May 14, 2026. The new law drops bias audits and impact assessments in favor of a lighter notice-and-transparency framework. Effective January 1, 2027, it requires pre-use notice, post-adverse-action notice within 30 days, and 3-year recordkeeping for any employer using AI in hiring, promotions, or terminations.

Professional reviewing legal compliance documents at a desk, representing employer obligations under Colorado's new AI law SB 26-189

Colorado's AI regulation story took a dramatic turn in spring 2026. The state's landmark AI Act, SB 24-205, was stopped by a federal court after xAI sued and the U.S. Department of Justice intervened. Within weeks, the Colorado legislature passed a replacement law, SB 26-189, and Governor Jared Polis signed it on May 14, 2026.

For employers using AI in hiring, promotions, performance reviews, or termination decisions, this matters immediately. The original law required bias audits, annual impact assessments, and an extensive risk management program. The replacement is far lighter, but it still creates real compliance obligations for any organization using AI in employment decisions in Colorado.

This guide explains exactly what changed, what the new law requires, and what small teams need to do before January 1, 2027.

What Happened to Colorado's Original AI Act

Colorado SB 24-205 was signed in 2024 as one of the most ambitious state AI laws in the country. It required businesses using AI in consequential decisions to implement AI risk management policies, conduct bias audits, complete impact assessments for each AI system, notify consumers when AI contributed to decisions affecting them, provide a process to contest adverse AI decisions, and notify the attorney general within 90 days of discovering algorithmic discrimination.

Businesses with fewer than 50 employees were partially exempt, but only if they did not use their own data to train or fine-tune the AI system. Any company that fine-tuned a model with proprietary HR data lost the exemption regardless of size.

The law was scheduled to take effect June 30, 2026. That date never arrived.

On April 9, 2026, Elon Musk's AI company xAI filed suit in federal court, seeking to halt SB 24-205 before it took effect. On April 24, 2026, the U.S. Department of Justice moved to intervene in the case, marking the first time the DOJ had sought to intervene in a lawsuit challenging a state AI law. The DOJ argued the Colorado law violated the Equal Protection Clause by compelling AI developers to take race-conscious steps in their models.

On April 27, 2026, a federal magistrate judge stayed enforcement of SB 24-205, prohibiting the state from enforcing it pending resolution of xAI's forthcoming motion for a preliminary injunction.

With the original law in legal limbo, the Colorado legislature moved quickly. It passed SB 26-189 on May 9, 2026, and Governor Polis signed it five days later. The new law repeals and replaces SB 24-205 entirely.

The Replacement: SB 26-189 in Plain English

SB 26-189 takes a fundamentally different approach. It drops the original law's risk management programs, annual impact assessments, and extensive algorithmic discrimination duties. In their place, it creates a narrower notice-and-transparency framework built around three obligations: tell people before you use AI on them, explain what happened if AI contributed to an adverse outcome, and give people a path to challenge the result.

The law applies to "deployers," meaning companies that use covered automated decision-making technology (ADMT) to make or assist in consequential decisions. It also imposes separate obligations on "developers," meaning companies that build and sell covered ADMT tools.

The effective date is January 1, 2027. The Colorado attorney general must complete rulemaking by that same date, which means many of the law's specific implementation details are still being determined.

One important complication: the federal court stay that halted SB 24-205 technically extends to successor legislation. That means SB 26-189 also cannot be enforced until the injunction question is resolved and rulemaking is complete. For practical purposes, employers should still plan for January 1, 2027, because the legislative timeline is firm and the stay may be lifted.

What Counts as a "Covered ADMT" Under SB 26-189

Not all AI tools are covered. The law defines an automated decision-making technology (ADMT) broadly as any technology that processes personal data and uses computation to generate output, including predictions, recommendations, classifications, rankings, scores, or other information used to make, guide, or assist a decision concerning an individual.

But a broad definition of ADMT alone is not enough to trigger coverage. The tool must be used to "materially influence" a "consequential decision" in one of seven defined domains:

Education and related services
Employment and related services
Housing and related services
Financial and lending services
Insurance
Health-care services
Essential government services and public benefits

For employers, the relevant domain is employment. Covered decisions include hiring, termination, promotion, compensation decisions, and scheduling decisions that materially affect compensation or opportunity.

Several categories are explicitly excluded from coverage:

Identity verification tools
Cybersecurity and sanctions compliance software
Routine scheduling automation
Administrative routing
Customer service bots
Workflow management systems

This means a chatbot that routes job applicants to the right HR contact is not covered. An AI tool that scores resumes and ranks candidates for a hiring manager is covered.

The phrase "materially influences" is a key limitation. The attorney general's rulemaking will clarify exactly what this means, including presumptions and illustrative examples. A tool that generates a resume score a recruiter can override is likely covered. A tool that merely flags a typo on an application form is likely not.

HR professional reviewing AI-generated hiring analysis on a laptop, illustrating the notice and human review requirements under Colorado SB 26-189

Your Three Core Obligations as a Deployer

If your organization uses a covered ADMT in employment decisions affecting Colorado residents, SB 26-189 creates three core obligations.

1. Pre-Use Notice

Before using a covered ADMT in a consequential employment decision, you must provide "clear and conspicuous" notice to the affected individual. The law specifies that a "prominent posting reasonably proximate to the consumer interaction," such as a link or notice at the point of engagement, satisfies this requirement.

In practice, this means:

Add a disclosure to your job application portal explaining that AI tools are used in the hiring process
Include a notice in any pre-employment assessment that AI analysis will inform the evaluation
Update your employee handbook or any performance review process documentation to disclose AI use in promotion or compensation decisions

The notice does not need to be exhaustive, but it must be prominent and placed where the individual will see it before the AI system processes their data.

2. Post-Adverse-Outcome Notice

If a covered ADMT materially influences a consequential employment decision that produces an adverse outcome, you must provide a plain-language explanation within 30 days. Adverse outcomes include:

Non-selection for a job or promotion
Termination or discharge
Any decision that materially reduces or restricts an employee's compensation, opportunity, or career path

The notice must explain the ADMT's role in the decision in plain language. It must also inform the individual of their right to request meaningful human review and reconsideration, and their right to access and request correction of any personal data the system used.

The 30-day clock starts from the date of the adverse decision, not the date the individual discovers the decision was AI-assisted.

3. Three-Year Recordkeeping

Both developers and deployers must retain records necessary to demonstrate compliance with the law for at least three years. For employers, this means:

Records of pre-use notices provided
Records of post-adverse-outcome notices provided
Documentation of any human review requests and how they were handled
Any data corrections made in response to individual requests

The attorney general's rulemaking will define the specific records required, but starting a documentation trail now is good practice regardless.

What Developers Must Provide to Deployers

If you use a third-party AI tool in employment decisions, the vendor of that tool (the "developer" under the law) has its own obligations starting January 1, 2027. Developers must provide deployers with:

A general statement of the covered ADMT's intended uses
Known risks and limitations of the system
Categories of data used to train the system
Instructions for appropriate use and human review
Any other information necessary for deployers to meet their disclosure obligations

This has an immediate practical implication: when you renew or negotiate AI vendor contracts before January 2027, add a clause requiring the vendor to provide all documentation required by Colorado SB 26-189 for deployers. Vendors who cannot or will not provide this documentation may create compliance exposure for you.

The law also addresses liability allocation between developers and deployers. It limits liability based on fault, which means if a developer provides false or incomplete documentation, the deployer's exposure is reduced. Indemnification clauses that would shift all liability to the deployer are void under the new law.

Enforcement: AG Only, No Private Lawsuits

Unlike some state AI laws, SB 26-189 is enforced exclusively by the Colorado attorney general. There is no private right of action, meaning individual employees or applicants cannot sue you directly for violations.

This is a significant change from the original SB 24-205 and from laws like New York City's Local Law 144, which creates some private enforcement exposure through city agency processes. The AG-only model means enforcement will be complaint-driven and focused on systemic violations rather than individual disputes.

That said, the attorney general's office will have authority to investigate, subpoena records, and impose civil penalties. The rulemaking process will clarify the penalty structure. Employers should not interpret AG-only enforcement as low-risk; a pattern of missing notices or failing to provide human review could result in significant penalties.

Practical Compliance Checklist for Small Teams

Given the January 1, 2027 effective date and the pending AG rulemaking, here is a practical action plan for employers:

Now (June 2026):

Inventory every AI tool used in hiring, performance management, promotions, terminations, or compensation decisions
Identify which tools qualify as covered ADMT under the seven-domain definition
Pull your current vendor contracts for covered tools and note renewal dates
Assign a point person to track AG rulemaking developments

By September 2026:

Add SB 26-189 documentation requirements to AI vendor contract renewals and RFPs
Draft pre-use notice language for job application portals and assessment platforms
Map your existing adverse action notification workflows to identify gaps for the new 30-day notice requirement
Create or update your HR documentation retention policy to cover three-year ADMT records

By December 2026:

Finalize and deploy pre-use notice language across all covered ADMT touchpoints
Train HR staff on post-adverse-outcome notice requirements and human review request handling
Implement recordkeeping systems for ADMT-related notices and correction requests
Review AG final rules (due January 1, 2027) and adjust policies as needed

Ongoing after January 1, 2027:

Track every adverse employment decision where covered ADMT was involved
Send post-adverse-outcome notices within 30 days
Document all human review requests and outcomes
Retain all compliance records for three years from the date of the relevant decision

What Remains Uncertain

SB 26-189 leaves several important questions to the attorney general's rulemaking process:

The exact meaning of "materially influences," including presumptions for common use cases
What specific information must be in pre-use and post-adverse-outcome notices
What constitutes "commercially reasonable" human review
Whether particular AI tools (such as AI-assisted resume ranking within a broader ATS) qualify as covered ADMT

The AG must finalize rules by January 1, 2027. Employers should monitor the rulemaking docket at the Colorado Department of Law website and adjust their compliance programs when final rules are published.

The federal court case also remains open. The stay of enforcement is temporary, and the court must still rule on xAI's motion for a preliminary injunction. If the injunction is denied, enforcement could begin under whatever compliance timeline the court sets. If the injunction is granted on constitutional grounds, SB 26-189 could face additional legal challenges. Either outcome will affect when the law actually applies in practice.

The Bigger Picture for Multi-State Compliance

Colorado's overhaul is part of a fast-moving national landscape. Illinois has its AI Video Interview Act. Minnesota, New Jersey, Maryland, and Texas all have AI employment laws in effect or taking effect in 2026-2027. New York City's Local Law 144 has been enforcing bias audit requirements since 2023.

For employers operating across multiple states, the compliance matrix is becoming complex. Colorado's SB 26-189, with its notice-and-transparency focus, is more consistent with the Illinois model than the bias audit model of NYC LL 144. Understanding where each law's requirements overlap and diverge will help you build a single, rationalized compliance program rather than layering redundant policies on top of each other.

The bottom line for small teams: the original Colorado AI Act's most burdensome requirements, such as bias audits and algorithmic impact assessments, are gone. But the replacement law is real, it has teeth (the AG can investigate and penalize), and the January 1, 2027 deadline is firm. Start your inventory now.