Colorado's original AI Act — SB 24-205 — is officially dead. Governor Jared Polis signed Senate Bill 26-189 in May 2026, replacing the controversial 2024 law that had drawn sharp criticism from both tech companies and civil rights groups. The new law keeps the core structure — focusing on high-risk AI in five domains — but rewrites the definitions, narrows the scope, adds clearer safe harbor provisions, and crucially, gives businesses a realistic path to compliance before the January 1, 2027 deadline. Here is everything your company needs to know.
What Changed From SB 24-205 to SB 26-189
The original Colorado AI Act passed in 2024 drew criticism for two main problems: an overly broad definition of "high-risk AI" that could apply to almost any automated decision tool, and a compliance framework with no meaningful safe harbor for companies acting in good faith. SB 26-189 addresses both. The new definition of high-risk AI is narrower and explicitly excludes AI systems used purely for internal analytics, security monitoring, and product recommendations. The five protected domains remain the same: employment decisions, housing applications, credit and lending, educational admission, and healthcare services. But now, the law only applies when the AI system makes or "substantially influences" a consequential decision — a tighter standard that excludes AI tools used only as advisory inputs to human decision-makers.
The new safe harbor is the most significant change for compliance teams. Under SB 26-189, a company is protected from state enforcement actions if it has completed a documented impact assessment within 12 months before any complaint, implemented reasonable corrective measures for any bias or harm identified, and provided disclosure to affected individuals. This is the kind of practical framework the original law lacked. As we detailed in our analysis of the Great American AI Act now moving through Congress, the Colorado law is likely to influence federal legislation significantly.
The Compliance Checklist: What You Must Have by January 2027
For any business deploying high-risk AI affecting Colorado residents, here is the required compliance checklist under SB 26-189. First, complete a documented impact assessment for each high-risk AI system. The assessment must cover the system's purpose, training data sources, bias testing results, and any corrective measures taken. Second, implement a disclosure mechanism — any individual subject to a consequential decision from your AI system must be notified that AI was used and given the right to request a human review. Third, establish a complaint intake process — the law requires companies to have a documented mechanism for receiving, logging, and responding to complaints about AI decisions within 30 business days. Fourth, train relevant staff — employees who operate, monitor, or review high-risk AI systems must receive documented training on the system's limitations and the company's bias monitoring procedures. Small businesses (under 50 employees or under $5 million revenue) are exempt from requirements one through four but must still avoid prohibited AI practices.
Enforcement Timeline and Risks
The Colorado Attorney General begins active enforcement on February 1, 2027 — 30 days after the compliance deadline. The law provides for civil penalties of up to $20,000 per violation for negligent non-compliance, and up to $100,000 per violation for knowing violations. The AG has priority prosecution authority for violations affecting more than 100 Colorado residents. Unlike some state privacy laws, SB 26-189 does not create a private right of action — only the AG can bring enforcement actions. However, individuals retain the right to request human review of AI decisions, and failure to provide that review is a separately actionable violation.
Businesses with multistate operations should note the interaction with the EU AI Act and emerging federal AI regulation — Colorado SB 26-189's impact assessment framework is compatible with EU AI Act conformity documentation, so a unified compliance program is achievable. Colorado's approach is influencing how state regulators across the US think about high-risk AI rules in 2026.
Frequently Asked Questions (FAQs)
Q: What did Colorado SB 26-189 replace and why?
A: Colorado SB 26-189 replaced SB 24-205, the original Colorado AI Act passed in 2024. The replacement bill was signed in May 2026. The original bill was criticized for being too broad; SB 26-189 narrows the definition of high-risk AI and adds clearer safe harbor provisions.
Q: Which businesses does Colorado SB 26-189 apply to?
A: SB 26-189 applies to AI developers and deployers that operate high-risk AI systems affecting Colorado residents in employment, housing, credit, education, and healthcare — the same five domains as SB 24-205, but with clearer exclusions for low-impact tools.
Q: What is the compliance deadline for Colorado SB 26-189?
A: The compliance deadline for most provisions is January 1, 2027. Impact assessments must be completed and documented by that date. The Attorney General can begin enforcement starting February 1, 2027.
Q: Does Colorado SB 26-189 affect small businesses differently?
A: Yes. SB 26-189 includes a small business exemption: companies with fewer than 50 full-time employees or less than $5 million in annual revenue are exempt from the impact assessment and documentation requirements.
The transition from SB 24-205 to SB 26-189 is a genuine improvement — a law that businesses can actually comply with before it takes effect. Start your impact assessments now: January 2027 is closer than it looks, and the AG's enforcement office has indicated it will prioritize cases with documented non-compliance over good-faith efforts that fall slightly short of perfect.
