State AI Laws Compliance May 18, 2026

Colorado Repealed the First US State AI Law. The Replacement Takes Effect January 1, 2027.

The new Colorado SB 189 strips out the original AI Act's duty of care and risk management requirements — but it creates real obligations around AI disclosure, adverse-outcome notices, and human review that enterprise deployments must satisfy.

The First US State AI Law Just Got Replaced

On May 12, 2026, the Colorado legislature passed SB 189, which repeals and replaces the Colorado AI Act (SB 205) — the first comprehensive state AI regulation in the United States. The bill passed by a bipartisan 34-1 vote in the Senate and 57-6 in the House. Governor Jared Polis is expected to sign it.

The headline is seductive: Colorado replaced its sweeping first-in-the-nation AI law with something simpler. But enterprise compliance teams should not confuse "simpler than SB 205" with "nothing to do." According to analysis published by Troutman Pepper Locke, Colorado "still will have the most far-reaching legislatively enacted deployer/private sector AI law of any state."

And SB 189's effective date is January 1, 2027.

What the Original Law Demanded

The Colorado AI Act (SB 205) required deployers of high-risk AI systems to maintain risk management programs, conduct impact assessments, disclose AI use to consumers, provide rights to appeal adverse decisions, and notify the attorney general about discovered algorithmic discrimination. Developers had to supply detailed documentation on how their AI systems were trained and operated.

The law covered consequential decisions in financial or lending services, health care services, housing, and employment — decisions affecting Colorado residents.

The law attracted immediate criticism for its compliance complexity. The legislature delayed its original February 2026 effective date. Governor Polis convened a workgroup to draft a replacement.

What SB 189 Requires Instead

SB 189 removes the duty of care, risk management programs, and impact assessments. What remains is a disclosure-and-remedy framework built around three concrete obligations for deployers.

Pre-use notice. Before using a covered automated decision-making technology (ADMT) to materially influence a consequential decision, the deployer must provide a clear and conspicuous notice that AI is being used and how consumers can obtain more information. SB 189 allows compliance via a "prominent public notice that is reasonably accessible at points of consumer interaction." This notice must be proximate to the actual interaction — not a footnote in a privacy policy.

Post-adverse outcome notice. When a covered ADMT produces an adverse outcome for a consumer — a denial, a restriction, materially worse terms — the deployer must notify the affected consumer within 30 days. The notice must describe the role the AI played, the categories of data used, and how the consumer can exercise their rights.

Meaningful human review. Consumers experiencing an adverse outcome must be offered the opportunity for review by a real human — specifically, an individual "who has authority to approve, modify, or override a consequential decision" and who "does not default to the system output." A supervisor who rubber-stamps AI decisions does not qualify.

Deployers must also retain records necessary to show compliance for three years from the date of each consequential decision.

Which Domains Are Covered

SB 189 applies to consequential decisions in seven covered domains:

  1. Education enrollment or educational opportunity
  2. Employment or employment opportunities that create an employer-employee relationship
  3. Residential real estate (lease or purchase in Colorado)
  4. Financial or lending services
  5. Insurance — including underwriting, pricing, coverage, and claims adjudication
  6. Health care services
  7. Essential government services and public benefits

If your AI systems influence any of these decisions for Colorado residents — or for individuals physically present in Colorado — SB 189 likely applies.

Note: GLBA-regulated financial institutions and HIPAA-covered entities have specific exemptions under SB 189. These are not blanket exemptions and depend on the entity being subject to federal regulatory oversight. Carefully review the exemption language for your specific context.

The Chat Feature Exemption Doesn't Cover What You Think

SB 189 excludes technology that communicates with consumers in natural language if the system is not "contracted, advertised, marketed, configured, or intended by a person to be used in a consequential decision."

This sounds like a broad carveout for general-purpose AI assistants. It is not. If employees use enterprise AI tools — Copilot, Claude, Gemini, ChatGPT Enterprise — to assist in hiring decisions, credit assessments, or insurance coverage determinations, the exemption is unlikely to apply. The AI was used to materially influence a consequential decision regardless of how the vendor markets the product.

This is the same pattern in every state AI law: the regulation governs use, not intent.

The Compliance Stack Is Growing

SB 189 enters a regulatory landscape that has grown substantially since the Colorado AI Act was enacted in 2024. Since then, California finalized automated decision-making regulations under the CPPA, Texas passed the Responsible AI Governance Act (TRAIGA), Illinois amended its Human Rights Act for AI-in-employment, and Connecticut advanced comparable employment AI legislation.

As Troutman Pepper Locke noted in their analysis: "SB 189 only adds to the increasingly complex state regulatory landscape for AI."

Compliance programs designed for a single framework will crack under this multi-state load. Enterprises need governance infrastructure that operates across AI surfaces — not bespoke responses to each state law.

What Enterprises Need to Do Before January 1, 2027

The Colorado attorney general is required to adopt implementing rules — including rules for the post-adverse outcome notice — before the effective date. But the core obligations are final now. Start here:

  1. Inventory AI-assisted decisions touching Colorado. Identify every AI system that influences decisions in the seven covered domains for Colorado residents or employees.

  2. Build the disclosure layer. Map every consumer interaction point where AI is used in a covered domain. The notice must be proximate to that interaction.

  3. Design the adverse-outcome workflow. Build a process to detect adverse outcomes, generate the required notice within 30 days, and route consumers to a human reviewer with real override authority.

  4. Enforce record retention. Three years from the date of each consequential decision. Your AI governance platform needs to log covered decisions, the ADMT version, and the categories of data used.

The common thread across SB 189, TRAIGA, California's ADMT rules, and the EU AI Act is consistent: AI that makes high-stakes decisions must be disclosed, logged, and overridable by a human. That is not a compliance documentation exercise — it is a runtime enforcement problem.

Containment.AI enforces AI governance policies at the point of use, across every AI surface your organization deploys, with the audit trails and access controls state AI compliance requires. Talk to us about automated decision-making governance.
