Two years after passing the nation's first comprehensive artificial intelligence law, Colorado has torn it up and started over. Governor Jared Polis signed Senate Bill 26-189 on May 14, scrapping the sweeping obligations of the original Colorado AI Act and replacing them with a narrower, transparency-focused framework that reflects months of intense industry pressure, a federal lawsuit from Elon Musk's xAI, and intervention from the Trump administration. The new law takes effect January 1, 2027.

"This is a big step in the right direction for Colorado, and a model for the rest of the country," Governor Polis said upon signing the bill. "Replacing the old law that hasn't taken effect yet will boost Colorado innovation and entrepreneurship."

The retreat is striking. The original law, SB 205, was signed in May 2024 as a first-of-its-kind statute requiring developers and deployers of high-risk AI systems to exercise a duty of care against algorithmic discrimination, conduct annual impact assessments, maintain risk management programs, and report violations to the state attorney general. It was meant to be a regulatory template for the nation.

Instead, it became a cautionary tale. Business groups attacked SB 205 as unworkable almost immediately after passage. Governor Polis himself expressed reservations at the signing ceremony, urging the legislature to revisit the law before its original February 2026 effective date. The legislature tried and failed to agree on amendments in the 2025 session, managing only to push the effective date to June 2026 during a special session. Then came the federal pressure: President Trump's December 2025 executive order on AI policy singled out SB 205 as an example of "excessive State regulation," and in April 2026, xAI filed a federal lawsuit challenging the law's constitutionality. The Department of Justice intervened on xAI's side.

What Changed

SB 189 replaces the AI Act's entire regulatory architecture. Gone are the duty of care, mandatory risk management programs, annual impact assessments, and algorithmic discrimination reporting requirements. In their place is a disclosure-based regime centered on a new term: "automated decision-making technology," or ADMT. The law covers technology used to materially influence "consequential decisions" in seven domains: education, employment, real estate, financial services, insurance, healthcare, and essential government services.

Developers -- companies that build or substantially modify covered systems -- must provide deployers with documentation about intended uses, training data categories, known limitations, and instructions for human review. Deployers -- the businesses that actually use these systems -- must give consumers clear notice before ADMT influences a consequential decision and, within 30 days of an adverse outcome, provide a plain-language explanation of the decision, the technology's role, and the consumer's rights.

Consumers who receive an adverse outcome can request correction of inaccurate personal data and "meaningful human review" -- defined as review by someone with authority to override the automated decision, who is trained, does not simply defer to the system output, and has access to information about the system's inputs and limitations. Both developers and deployers must retain compliance records for at least three years.

The bill passed with overwhelming bipartisan support: 34-1 in the Senate and 57-6 in the House. But not everyone was satisfied. Senate Majority Leader Robert Rodriguez, who sponsored the original AI Act, acknowledged the compromise was imperfect. "I've whittled this bill down to more of a discrimination decision bill," Rodriguez said. "It's not as comprehensive and I am not happy with that. But as you hear from everybody, sometimes when everybody's not happy, you're in a good place."

Enforcement and Liability

The Colorado Attorney General retains exclusive enforcement authority, with no private right of action. Violations are treated as deceptive trade practices under the Colorado Consumer Protection Act. Before taking action, the AG must issue a notice of violation and allow a 60-day cure period -- unless the violation was knowing or repeated. That cure provision sunsets on January 1, 2030. The AG is also required to finalize rules clarifying post-adverse-outcome disclosure requirements by January 1, 2027, the same day the law takes effect.

SB 189 introduces a new liability framework for discrimination claims. Developers and deployers can be held liable under state anti-discrimination laws for consequential decisions materially influenced by ADMT, with fault allocated based on relative responsibility. There is no joint and several liability. Notably, the law voids contract provisions in which a developer or deployer attempts to indemnify itself against liability for its own discriminatory acts -- a provision that legal analysts say will force immediate review of AI vendor contracts across every covered industry.

Why This Matters

Colorado's rewrite sends a clear signal to other states wrestling with AI regulation: the comprehensive, governance-heavy approach may be politically unsustainable. Its replacement with a lighter-touch transparency regime -- under pressure from industry, the federal government, and litigation -- will likely embolden opponents of similar bills elsewhere.

But the national landscape is also getting more complex, not simpler. California has finalized its own ADMT regulations under the state privacy act. Illinois and Connecticut have passed AI-in-employment laws. Texas enacted its Responsible AI Governance Act. Over a dozen states now have laws requiring disclosure when consumers interact with AI. Colorado's SB 189, though narrower than its predecessor, still gives the state what privacy attorney David Stauss of Troutman Pepper Locke calls the most far-reaching legislatively enacted deployer AI law of any state.

What to Watch

The xAI federal lawsuit is not over. The company has signaled it may file a new motion for preliminary injunction against SB 189 itself, with a deadline of June 11. If the court grants injunctive relief, the January 1, 2027, effective date could slip. Meanwhile, the Colorado AG must finalize implementing rules by that same date -- a compressed timeline that will shape how broadly the law's key terms, especially "materially influence," are interpreted in practice. For businesses deploying AI in any of the seven covered domains, the compliance clock is already ticking.