Three requirements gone. One framework added. January 1, 2027 is the new deadline.
Colorado’s SB 26-189, signed into law on May 14, 2026, doesn’t just revise the original Colorado AI Act: it repeals SB 24-205 entirely and replaces it with a narrower Automated Decision-Making Technology (ADMT) disclosure framework. Organizations that invested in SB 24-205 compliance programs now face a different problem: figuring out what to un-build.
What the new law eliminates
According to legal analysis of SB 26-189, three major compliance structures required under SB 24-205 have been removed. Mandatory risk management programs, gone. Impact assessments, gone. The “duty of care” to prevent algorithmic discrimination, gone. If your compliance program was organized around those three pillars, the new law doesn’t just simplify your workload. It changes your architecture. Law firm analysis confirms the shift from a risk-management-centered model to a disclosure-centered one.
What the new law adds
The ADMT framework introduces disclosure obligations tied specifically to automated decision-making. According to legal analysis, developers must provide deployers with technical documentation covering intended uses, potential harmful uses, and training data categories. Deployers must disclose to consumers when ADMT is used in consequential decisions. The law reportedly provides individuals with a right to receive an explanation of adverse outcomes, with law firm analysis noting a 30-day window for that explanation, though this specific timeframe requires confirmation against the enrolled bill text.
What stays
Enforcement authority remains with the Colorado Attorney General, who is expected to complete formal rulemaking before the January 1, 2027 effective date, per law firm analysis of the bill.
The compliance delta
Organizations that built SB 24-205 programs should complete three immediate steps: audit which program elements map to eliminated requirements, identify what disclosure infrastructure the ADMT framework now demands, and hold the January 1, 2027 date as a firm target, because the AG rulemaking timeline gives no assurance of early guidance.
One open question worth flagging: the AG’s forthcoming rules haven’t yet defined “adverse outcomes” in sector-specific contexts. For financial services companies, this matters. Whether a less favorable pricing outcome triggers the explanation right is unresolved. Monitoring the rulemaking process isn’t optional for that sector.
Unanswered Questions
- How will the AG's rulemaking define 'adverse outcomes' in financial services contexts? Does a less favorable pricing result trigger notice?
- Is the 30-day adverse-outcome explanation window confirmed in the enrolled bill text, or subject to rulemaking modification?
- Which developer disclosure requirements apply to third-party AI components vs. internally developed ADMT systems?
The catch is the timing. SB 24-205 was originally set to take effect June 30, 2026, 33 days from today. Teams that rushed to meet that deadline now have until January 1, but the compliance architecture they need is different, not simply delayed. The additional months are useful only if directed toward the right framework.
Colorado is one of the most closely watched state AI compliance experiments in the country. The decision to scrap risk management mandates in favor of disclosure transparency reflects a real legislative choice about where compliance friction should sit: on developers and deployers building systems, or on consumers receiving explanations after the fact. That tradeoff is now the model other states are watching.