TL;DR: Colorado SB 26-189, signed May 14, 2026, replaces the original Colorado AI Act (SB 24-205). The mandatory impact assessment requirement is gone. In its place: a notice-and-disclosure framework requiring employers to inform Colorado residents before using AI in consequential decisions, with explanation rights and a 3-year record retention obligation. Effective January 1, 2027.
Colorado's AI law just went through a significant rewrite. Governor Polis signed SB 26-189 on May 14, 2026, replacing the original Colorado AI Act (SB 24-205) with a narrower, notice-focused framework. If your team has been watching the Colorado AI law situation, this is the version that actually governs your obligations going into 2027.
The headline change: the mandatory algorithmic impact assessment is gone. The notice-and-disclosure framework is not. Employers who dismissed the Colorado AI law after the April 2026 enforcement suspension should revisit that position. The clock is now running toward January 1, 2027.
This article covers what was removed, what the signed law actually requires, who it covers, and the 8-step employer checklist for getting ready before January 1.
What was removed
The original Colorado AI Act (SB 24-205) was modelled partly on the EU AI Act. It required employers deploying high-risk AI systems in consequential decisions to complete documented algorithmic impact assessments before deployment. Three obligations were either removed or substantially scaled back in SB 26-189.
Mandatory algorithmic impact assessments. Under SB 24-205, any employer using a high-risk AI system in a consequential decision had to conduct and document a formal impact assessment, including bias testing, risk analysis, and documentation of the AI system's purpose and limitations. SB 26-189 removes this as a legal requirement. Voluntary assessments still make sense and support a safe harbour defence, but the mandatory pre-deployment assessment obligation is gone.
Risk management programme requirements. SB 24-205 included requirements for ongoing risk management programmes tied to high-risk AI systems. Organisations had to maintain policies, controls, and documentation governing how high-risk AI was monitored after deployment. SB 26-189 does not include an equivalent mandatory risk management programme requirement.
Third-party audit obligations. The original act included provisions that pointed toward third-party review or audit as a mechanism for demonstrating compliance. SB 26-189 dropped the third-party audit component. Employers now demonstrate compliance primarily through their internal notice, disclosure, and record-keeping practices rather than external audits.
What the signed law requires
SB 26-189 replaces the assessment-and-audit framework with a notice-and-disclosure model. The obligations are more specific and operationally easier to map to internal processes.
Advance notice before consequential decisions. Employers must notify individuals before using a high-risk AI system in a consequential decision affecting them. The notice must be clear enough that the individual understands AI is substantially involved in a decision about their employment, housing, credit, education, healthcare access, or access to legal services.
Post-decision disclosure and explanation rights. After a consequential decision is made, the affected individual has the right to request: the reason for the decision, information about the AI system that was used (what data it processed, what factors it weighted), and an explanation of how the AI influenced the outcome. The employer must provide this in plain language.
Right to appeal and request human review. SB 26-189 gives individuals the right to request that a human review a consequential decision that was substantially influenced by AI. This does not mean employers must reverse decisions on request, but they must have a documented process for human review that individuals can access.
Correction of inaccurate data. If an individual believes the AI system used inaccurate information about them in reaching a decision, they can request that the employer identify and correct that data. The employer must have a mechanism to receive and act on these requests.
3-year record retention. SB 26-189 adds a specific record retention requirement that was absent from SB 24-205. Employers must retain records of covered AI system decisions for 3 years. This includes records sufficient to show what AI system was used, what data it processed, what decision it influenced, and when the decision was made.
Who the law covers
SB 26-189 applies to "deployers" of "high-risk AI systems" making consequential decisions that affect Colorado residents. A few points on scope.
The term "high-risk AI system" in SB 26-189 is defined differently from the EU AI Act. In the Colorado law, a high-risk AI system is one that makes or substantially factors into a consequential decision. The EU AI Act uses a broader list-based classification. For Colorado purposes, the relevant question is whether your AI tool substantially influences an outcome in one of the covered categories, not whether it appears on a published risk list.
Consequential decisions under SB 26-189 cover: employment decisions (hiring, promotion, termination, compensation, performance evaluation), housing decisions (rental approvals, mortgage lending), credit decisions (loan approvals, credit limits), education decisions (admissions, financial aid), healthcare services access, and legal services access.
The law applies when a Colorado resident is affected, regardless of where the employer is based. A company operating remotely from outside Colorado that uses AI to screen applications from Colorado residents falls within scope.
There is a small employer carve-out. Employers with fewer than 50 employees are generally exempt from the ADMT disclosure requirements. Smaller teams still face federal obligations (EEOC disparate impact, Title VII, ADA) but are not subject to SB 26-189's notice and disclosure framework.
For more background on how Colorado got here, see the Colorado AI Act enforcement update covering the April 2026 court order that suspended enforcement of SB 24-205.
Quick comparison: original act vs. SB 26-189
| Requirement | Original Act (SB 24-205) | SB 26-189 (signed) |
|---|---|---|
| Impact assessment | Required | Removed |
| Risk management programme | Required | Removed |
| Third-party audit | Required | Removed |
| Advance notice | Required | Required |
| Explanation rights | Required | Required |
| Human review right | Required | Required |
| Data correction right | Required | Required |
| Record retention | Not specified | 3 years |
| Small employer exemption | Unclear | Under 50 employees |
| Enforcement mechanism | Colorado AG | Colorado AG |
| Private right of action | Not included | Not included |
| Effective date | February 1, 2026 | January 1, 2027 |
The net result is a narrower law. The compliance burden has shifted from documentation-heavy pre-deployment assessments to operational notice-and-disclosure processes that employers must embed into the workflows where AI touches consequential decisions.
8-step employer checklist before January 1, 2027
Step 1: Confirm whether you are in scope. You are in scope if you have 50 or more employees and use AI that substantially influences a consequential decision affecting a Colorado resident. If you are under 50 employees, note your federal obligations separately but SB 26-189 does not apply to you.
Step 2: Inventory every AI tool touching consequential decisions. List every AI tool, scoring system, ranking algorithm, or automated process your organisation uses in employment, housing, credit, education, healthcare, or legal services decisions for Colorado residents. Include tools from third-party vendors. The question for each: does the AI substantially influence the outcome?
Step 3: Determine which tools are high-risk AI systems under SB 26-189. For each tool on your list, apply the test: does it make or substantially factor into a consequential decision about a Colorado resident? Tools that are purely advisory (the human has full information and full discretion to override) may not qualify. Tools that score, rank, filter, or recommend in ways that substantially determine who advances likely do qualify.
Step 4: Write advance notice templates for each covered system. For each high-risk AI system, draft the advance notice you will send to affected individuals before a decision is made. The notice should be in plain language, state that AI is being used, and describe what the AI processes. Plain language means a sentence like "We use an automated system to review applications. It analyses factors including your work history and skills to assist our hiring decision."
Step 5: Build a post-decision explanation process. For each covered system, document what information you can provide when an individual requests an explanation after a decision. This should include: what data the AI processed, what factors it weighted, and how the AI's output influenced the final decision. This does not need to be a technical model description. It needs to be meaningful to the individual.
Step 6: Set up a human review request pathway. Create a documented process for receiving and handling human review requests. The pathway should include who receives the request, what triggers a review, what the review entails, and the timeline for response. Document this process and make sure affected individuals can access it.
Step 7: Set up a data correction request pathway. Create a parallel process for handling requests from individuals who believe inaccurate data was used in a decision about them. This should include a way to receive the request, investigate what data the AI processed, correct inaccurate information, and notify the individual of the outcome.
Step 8: Implement 3-year record retention. Configure your systems to retain records of covered AI system decisions for 3 years from the date of the decision. Records should capture: which AI system was used, what data it processed, what consequential decision it influenced, the outcome of the decision, and the date. Work with your IT or vendor to confirm this retention is technically possible for each tool.
For a template to help document your AI tools, see the AI register template free download. For the broader governance policy context, the AI acceptable use policy template covers the internal policy layer. If your focus is specifically on employment decisions, the HR AI governance and hiring decisions guide has the detail most relevant to Step 3.
What has not changed
Employers outside Colorado are not directly covered by SB 26-189, but the law applies when a Colorado resident is affected. Remote hiring processes, credit applications from Colorado addresses, and healthcare coverage decisions for Colorado-based patients all fall within scope regardless of employer location.
Federal obligations remain entirely unaffected by SB 26-189. EEOC disparate impact liability, Title VII, ADA, and ADEA apply to AI-assisted employment decisions regardless of what state law requires. An AI screening tool that creates a statistically significant adverse impact against a protected group remains actionable under federal law even if the employer has fully complied with SB 26-189's notice requirements.
The enforcement mechanism is the Colorado Attorney General. There is no private right of action under SB 26-189, meaning individuals cannot sue you directly for violations. Enforcement comes from the AG's office. That said, the AG has discretion to prioritise investigations, and companies with documented compliance programmes are in a better position than those with none.
