Companies building or using artificial intelligence systems in Colorado face a compliance deadline that has already shifted twice. The state’s 2024 law, SB24-205, created the nation’s first duty-of-care framework for high-risk AI systems used in consequential decisions like hiring, lending, and housing. But before those obligations took full effect, legislators amended the timeline in a 2025 special session, then repealed and replaced the entire framework in 2026 with a new statute focused on automated decision-making technology. The result is a regulatory target that keeps moving, and businesses operating in Colorado need to know which rules actually apply.
Why the repeal-and-replace sequence matters for Colorado AI compliance
When Colorado passed SB24-205 in 2024, it became the first state to impose structured obligations on both developers and deployers of AI systems that make or substantially influence consequential decisions. The law required impact assessments, disclosure to consumers, and steps to prevent algorithmic discrimination. The Colorado Attorney General’s office set up a dedicated AI rulemaking portal to guide implementation and define enforcement expectations around high-risk systems.
That original timeline never reached full enforcement. During a 2025 special session, legislators passed a new deadline bill, SB25B-004, which pushed the compliance date for SB24-205 to June 30, 2026. The delay gave companies more time to prepare, but it also signaled that the original framework was already under pressure. Industry groups had raised concerns about the scope of covered systems and the cost of compliance, and federal agencies were simultaneously developing their own AI governance proposals, raising the prospect that state-level rules could conflict with or be preempted by national standards.
Before that June 2026 date arrived, the legislature acted again. SB26-189 repealed the SB24-205 framework and replaced it with an automated decision-making technology regime. The new law redefines which systems are covered and restructures the obligations that developers and deployers must meet. The official bill record confirms the repeal-and-replace approach, meaning the 2024 law’s specific duty-of-care requirements no longer stand as written and cannot be relied on as the operative standard going forward.
Three bills in three years: tracking Colorado’s shifting AI obligations
The legislative record tells a clear story of rapid revision. SB24-205 established the original high-risk AI system framework, targeting algorithmic discrimination in areas such as employment, credit, insurance, and housing. The statute placed affirmative duties on both the companies that build AI tools and the organizations that deploy them in decision-making that affects individuals. Its text, housed on the Colorado General Assembly’s bill page, remains the baseline reference for understanding what the state initially required, even though many of those provisions have now been superseded.
SB25B-004 then altered the effective date without changing the substance of those obligations. The bill moved the compliance deadline to June 30, 2026, buying time for rulemaking and industry preparation. That delay was itself telling: it acknowledged that neither regulators nor regulated entities were ready to operate under the original schedule, and it created an interim period during which companies could start building governance programs without yet facing enforcement risk under the 2024 statute.
SB26-189 went further. Rather than simply adjusting dates, it replaced the entire statutory architecture. The bill’s text shifts the regulatory vocabulary from “high-risk AI systems” to “automated decision-making technology,” a broader term that captures a wider range of algorithmic tools, including systems that may not use machine learning in a traditional sense but still automate or materially assist consequential decisions. The new law redefines what counts as a covered system and recalibrates the obligations for transparency, impact assessment, and anti-discrimination safeguards. For companies that had mapped their inventories and controls to the earlier high-risk categories, this change requires a fresh review of which products and workflows fall inside the Colorado regime.
This three-bill sequence, enacted across three consecutive legislative sessions, means that any business relying on guidance written for the 2024 law is working from an outdated playbook. The Attorney General’s rulemaking hub still references the anti-discrimination framework developed under the earlier statute, but the underlying law has been substantially rewritten. Until the portal is updated to reflect the automated decision-making technology standard, companies must treat existing materials as historical context rather than definitive compliance instructions.
Open questions for businesses and regulators after Colorado’s AI law rewrite
Several critical gaps remain in the public record. No primary enforcement guidance from the Attorney General’s office has been published that reflects the SB26-189 framework. Companies looking for sample compliance filings, model impact assessments, or safe-harbor benchmarks will not find them in the current regulatory materials. The AG’s existing portal addresses the earlier high-risk AI system concept, but the shift to automated decision-making technology creates new definitional questions that have not yet been answered in formal guidance.
The legislative history also lacks direct statements from bill sponsors explaining why the 2024 framework was abandoned rather than amended. Without those explanations, the most visible evidence points to a combination of industry resistance and uncertainty about federal action on AI governance. Lobbying disclosures and amendment timelines across the three bills could clarify how much of the rewrite was driven by regulated entities seeking lighter obligations versus legislators trying to avoid conflict with potential federal rules. That comparison has not been published by any official source, leaving companies to infer legislative intent from the structure of the new statute rather than from explicit policy statements.
No public cost-benefit analysis or impact estimate accompanies the amended effective dates or the 2026 replacement statute. Businesses operating AI-driven hiring platforms, credit-scoring tools, or insurance underwriting systems in Colorado cannot yet calculate what compliance will cost under the new regime because the specific regulatory requirements have not been finalized. That uncertainty complicates budgeting for legal review, technical remediation, and governance staffing, and it may deter smaller firms from deploying advanced automated tools in Colorado until the enforcement picture is clearer.
Practical steps for companies navigating Colorado’s moving AI target
In the absence of detailed regulations, companies can still take several concrete steps. First, they should maintain an up-to-date inventory of any tools that qualify as automated decision-making technology under the new statutory language, with particular attention to systems used in employment, credit, housing, insurance, education, and access to essential services. Even if definitions evolve, knowing where automated decision-making occurs inside the organization will make it easier to adapt once formal rules arrive.
Second, organizations can build on the core concepts that appeared in the 2024 framework and are likely to persist in some form: risk assessments, documentation of training data and model behavior, mechanisms to detect and mitigate discriminatory outcomes, and clear notices to affected individuals when automated tools play a material role in decisions. These practices align with broader trends in AI governance and will remain useful even if specific Colorado requirements change again.
Third, companies should monitor both the legislature and the Attorney General’s office for updates. Because the AG’s portal still reflects the earlier law, any new rulemaking dockets, FAQs, or policy statements that reference automated decision-making technology will be important indicators of how SB26-189 will be interpreted in practice. Legal and compliance teams may want to designate a point person to track these developments and coordinate internal responses.
Finally, businesses should document their good-faith efforts to anticipate and manage AI-related risks in Colorado. Even without finalized regulations, records of internal reviews, bias testing, and consumer-facing disclosures can demonstrate that the organization is taking the evolving statutory landscape seriously. When enforcement guidance does arrive, those foundations can be adapted rather than built from scratch, reducing both compliance costs and legal exposure.
Colorado’s rapid sequence of AI laws underscores how fluid state-level governance of automated decision-making remains. The repeal-and-replace of SB24-205 with a new statutory model does not eliminate the state’s interest in preventing algorithmic discrimination; it reshapes the tools regulators will use to pursue that goal. Until the implementing rules are in place, companies should treat Colorado as a jurisdiction in transition: one where the direction of travel is clear, but the exact contours of the road are still being drawn.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
