This article is part of an ongoing series on Colorado’s AI and automated decision-making rules. If you have been following along, you may have read our earlier posts on the original Colorado AI Act (SB24-205). That law has now been repealed and replaced. This post explains what changed, what the new law requires, and what businesses in South Denver should do next.
Earlier posts in this series:
- Post 1: What Is the Colorado AI Act?
- Post 2: Does the Colorado AI Act Apply to Your Tools?
- Post 3: Where to Start With the Colorado AI Act
- Post 4: What to Ask Your Vendors
The short version
On May 12, 2026, Governor Polis signed SB26-189 into law. It repeals and replaces the original Colorado AI Act (SB24-205), which generated significant business community pushback after it passed in 2024. After two failed legislative sessions and a working group convened by the Governor, SB26-189 is the result: a narrower, more targeted approach focused on transparency and consumer rights rather than broad AI governance mandates.
The new law takes effect January 1, 2027.
It focuses on Automated Decision-Making Technology (ADMT) used to materially influence consequential decisions about people in areas like employment, housing, lending, insurance, and healthcare.
If your firm has 40 employees or fewer: SB26-189 includes a carve-out that generally means you are not treated as a “deployer” under the statute. That said, the carve-out is not unconditional. If you are using ADMT to materially influence consequential decisions, particularly around hiring and compensation, you can still be pulled into scope. The safest move is to inventory your tools and confirm where automated decisioning is happening. If it is not happening, you are almost certainly out of scope.
If you run a professional services firm in Greenwood Village, Centennial, Littleton, Lone Tree, Highlands Ranch, or the Denver Tech Center, here is what you need to know.
What changed (the big shifts)
1) Risk management programs and bias audits are gone
SB24-205 asked businesses to build formal risk management programs, conduct algorithmic bias assessments, perform annual reviews, and publish public summaries of their AI governance. SB26-189 removes all of that.
Instead it focuses on targeted obligations: tell consumers when ADMT is being used in a consequential decision, explain what happened if a consumer gets an adverse outcome, give consumers a path to correct bad data and request human review, and keep records for at least three years. That is a meaningful simplification for most small and mid-size businesses.
2) New terminology: ADMT replaces “high-risk AI system”
The new law centers on Automated Decision-Making Technology (ADMT), defined as technology that processes personal data and uses computation to generate outputs like predictions, recommendations, classifications, rankings, or scores, which are then used to make, guide, or assist decisions about individuals.
This only triggers obligations when the technology materially influences a consequential decision. If your tools are assisting humans but not driving decisions, you are likely not in scope.
3) Clearer exclusions for everyday tools
SB26-189 explicitly excludes certain technologies from the ADMT definition:
- Anti-malware, anti-virus, and firewalls
- Spam filtering
- Spreadsheets requiring human analysis (no ML or foundation models)
- Cybersecurity, fraud prevention, and anti-money laundering tools (in certain contexts)
- Tools used solely to summarize, organize, translate, draft, route, or present information for human review (with conditions)
For most professional services firms across South Denver using Microsoft 365 features, AI drafting assistants, or standard security tooling, many of those tools are likely excluded, as long as they are not being used to make consequential decisions about people.
4) Consumer notices and adverse outcome disclosures are now required
If you use covered ADMT in consequential decisions, the law requires you to notify consumers before the decision is made. If a consumer receives an adverse outcome, you must provide, within 30 days, a plain-language explanation of the decision, the role ADMT played, and the consumer’s rights, including the right to correct inaccurate data and request meaningful human review.
Meaningful human review is not a rubber stamp. The reviewer must have actual authority to override the output, appropriate training, access to relevant system information, and the independence to reach a different conclusion.
5) Vendor documentation obligations are now statutory
SB26-189 requires developers of covered ADMT to provide deployers with documentation including intended uses and known harmful uses, categories of training data, known limitations, instructions for appropriate use and monitoring, guidance for meaningful human review, and notice of material updates.
If you read our vendor due diligence post (Post 4), this is exactly why that checklist matters. You are no longer asking vendors for a favor. You have a statutory basis for asking, and they have a statutory reason to respond.
6) Enforcement is measured, not a free pass
There is no private right of action. Only the Colorado Attorney General can enforce the law, through the Colorado Consumer Protection Act. If the AG identifies a violation, businesses receive a 60-day notice and opportunity to cure before enforcement action, as long as a cure is possible. This does not apply to knowing or repeated violations, and this provision sunsets January 1, 2030.
Key exemptions and carve-outs
SB26-189 includes exemptions that may apply to some South Denver businesses. If any of these apply to your firm, you may have a narrower set of obligations. I would still recommend documenting why you believe an exemption applies.
- Employers with 40 or fewer employees: Generally not treated as a “deployer” under the statute, with conditions. If you are using ADMT for consequential hiring or compensation decisions, confirm whether this carve-out fully applies to your situation with qualified counsel.
- Insurers: Deemed compliant if subject to Colorado insurance regulation, except for employment decisions.
- HIPAA-covered entities: Exempt except for employment-related decisions. Must still provide general notice of advanced technologies in use.
- FDA-regulated devices: Medical devices and pharmaceutical R&D under FDA oversight.
- Federal law preemption: No requirement to violate GLBA (financial privacy) or HIPAA.
What Colorado businesses should do now
If you are a professional services firm in Centennial, Littleton, Greenwood Village, Lone Tree, Highlands Ranch, or the Denver Tech Center, here is a practical timeline.
Now through August 2026: Foundation
- Complete your AI/ADMT inventory. Identify which tools process personal data and generate outputs used in decisions about people. (See Post 3 for how to do this.)
- Identify consequential decision workflows. Where in your business are decisions being made about hiring, compensation, eligibility, access, or pricing that involve technology?
- Start vendor outreach. Ask vendors for SB26-189-aligned documentation on AI/ADMT features, intended use, limitations, and human review guidance. (See Post 4 for the full checklist.)
- Assign ownership. Someone in your firm should be responsible for coordinating this work.
September through November 2026: Build
- Design your consumer notice process. If you use covered ADMT in consequential decisions, you will need to provide clear notice before the decision is made.
- Design your adverse outcome disclosure process. If a consumer receives an adverse outcome, you need a way to explain what happened, what role the technology played, and what rights they have. The law requires this within 30 days.
- Build your human review workflow. Identify who will conduct reviews, what training they need, and what authority they have to override system outputs.
- Implement record retention. Set up a process for retaining compliance documentation for at least three years.
December 2026: Test and confirm
- Review AG rulemaking. The Attorney General is required to adopt implementing rules by January 1, 2027. Watch for clarifications on disclosure requirements and enforcement expectations.
- Confirm vendor documentation is in hand. By this point, you should have received documentation from your key vendors.
- Brief leadership. Make sure decision-makers understand what the firm is doing, why, and who owns it.
January 1, 2027: Compliance date
The law applies to decisions made on or after this date.
My take on what this means for South Denver businesses
I have been watching this evolve for over a year now.
SB26-189 is a better law for small and mid-size businesses. It is more focused, more practical, and more predictable. The removal of mandatory impact assessments and broad risk management programs eliminates a significant compliance burden.
But the core obligations are real. If your firm uses technology that influences decisions about people in the covered domains, you need awareness of what tools are in play, vendor documentation, consumer notices before decisions are made, a process for explaining adverse outcomes, a real human review pathway, and records kept for three years.
For most law firms, financial advisors, consultancies, and other professional services firms across the Denver Tech Center, Centennial, Greenwood Village, Littleton, Lone Tree, and Highlands Ranch, the most common trigger will be hiring and employment decisions. That is where AI-enabled tools are most likely to be influencing consequential outcomes today.
If you have been following this series and doing the work, you are already ahead. Inventory, vendor review, policy, and documentation are still the right foundation. The new question is whether you have a consumer notice and human review workflow ready by January. That is where I would focus next.
How we can help
I work with professional services firms across South Denver that want to get ahead of this without drama or over-complication.
If you need help with an ADMT inventory and workflow mapping, vendor documentation requests and review, consumer notice and adverse outcome disclosure design, human review process planning, or record retention setup tied to your existing IT and security program, we can help.
This connects directly to the managed IT services and vendor governance work we already do for firms in Greenwood Village, Centennial, Littleton, Lone Tree, Highlands Ranch, and the Denver Tech Center.
Disclaimer: This article is provided for general informational purposes only and is not legal advice. Businesses should consult qualified legal counsel regarding their specific compliance obligations under SB26-189 or any other applicable law.
Last updated: May 14, 2026