Why it matters
  • Lead. Colorado Governor Jared Polis signed Senate Bill 189 on May 14, 2026, stripping the state’s landmark AI Act of its core risk-management requirements just weeks before they were due to take effect on June 30.
  • Fact. The revised law eliminates mandatory impact assessments, algorithmic-discrimination duties, and risk management programmes. It replaces them with a narrower model: notice before AI-assisted decisions, plain-language adverse-outcome disclosures, and the right to request human review.
  • Stake. Colorado’s 2024 law was the first in the United States to impose substantial operational requirements on AI developers and deployers at scale. Its dilution signals the difficulty of maintaining strong AI regulation when industry lobbying intensifies close to enforcement deadlines.

Colorado’s original AI Act — Senate Bill 24-205, signed in 2024 — was designed to function as a US counterpart to the European Union’s AI Act, imposing duties on both developers and deployers of “high-risk artificial intelligence systems” used in consequential decisions affecting employment, housing, healthcare, financial services, and similar domains. It required companies to conduct regular impact assessments, build risk management programmes, and report instances of algorithmic discrimination to the state attorney general.

What was removed and what remains

The bill signed by Polis on May 14 rewrites the framework around a narrower concept of “automated decision-making tools” (ADMT) and removes several of the most operationally demanding provisions. Mandatory risk management policies, annual impact assessments and reviews, and algorithmic-discrimination reporting obligations are eliminated. What the law retains is lighter: employers and companies must notify individuals before using covered ADMT in consequential decisions; if an adverse decision results, they have 30 days to provide a plain-language explanation of the AI system’s role; and individuals retain the right to request “meaningful human review and reconsideration.” Enforcement remains with the Colorado attorney general, with a 90-day cure window before penalties apply and no private right of action.

The effective date shifts from June 30, 2026 to January 1, 2027, according to Law and the Workplace’s analysis of the revised statute, giving companies additional time to build compliance programmes around the narrowed requirements.

A pattern of pre-deadline weakening

The Colorado revision fits a broader pattern in AI regulation: ambitious frameworks face intense industry pressure as their enforcement dates near, and the resulting compromises often trade structural risk management for disclosure-only models. The EU has experienced its own version of this dynamic: the European Parliament delayed AI Act high-risk rules to December 2027, citing implementation readiness concerns. In both cases, the political economy of AI governance appears to favour postponement and scope reduction when specific, enforceable obligations are at stake.

Critics of the Colorado revision argue that notice-and-transparency frameworks, while useful, do not address the deeper problem: automated systems making consequential decisions about jobs, loans, and housing can encode and amplify discrimination without companies being required to proactively test for or mitigate it. Proponents counter that the original law’s compliance burden was disproportionate for smaller companies and that the revised model aligns with how analogous federal-level frameworks — including the NIST AI Risk Management Framework — actually operate in practice. Colorado’s January 2027 effective date will be the next checkpoint for whether the weakened law survives further amendment or proves workable.