From the journal

Colorado Enacts Senate Bill 26-189 Replacing Colorado AI Act with ADMT Law, 14 May 2026

On 14 May 2026, Colorado Governor Jared Polis signed Senate Bill 26-189, repealing the 2024 Colorado AI Act and replacing it with the Colorado Automated Decision-Making Technology in Consequential Decisions Act. The new law takes effect 1 January 2027. It preserves consumer notice requirements but eliminates mandatory risk management program obligations and annual impact assessments.

3 min read

On 14 May 2026, Colorado Governor Jared Polis signed Senate Bill 26-189 into law, repealing Senate Bill 24-205 (the Colorado AI Act) and replacing it with the Colorado Automated Decision-Making Technology in Consequential Decisions Act. The new law takes effect 1 January 2027. Colorado enacted the first broad US state AI law in 2024 targeting automated decision-making; SB 26-189 represents the state legislature's revision of that approach after businesses raised concerns about compliance burden.

Senate Bill 26-189 applies to developers and deployers of covered ADMT, defined as automated decision-making technology used to materially influence a consequential decision. Consequential decisions include those affecting employment, housing, credit, education, access to healthcare, and access to essential services. Effective 1 January 2027, developers of covered ADMT must provide deployers with technical documentation specifying intended uses, categories of training data, known limitations, and instructions for appropriate human review. Deployers must give consumers clear and conspicuous notice at the point of interaction with a covered ADMT.

AI developers selling automated decision-making tools to Colorado-based employers, lenders, insurers, housing providers, and healthcare entities are within scope regardless of where the developer is incorporated. Deployers in those sectors must implement the consumer notice mechanism and confirm that developer documentation obligations have been fulfilled before deploying a covered system. Deployers retain responsibility for ensuring that human review processes are in place where required under the Act.

Senate Bill 26-189 eliminates three obligations from SB 24-205: the requirement for a risk management program aligned to the NIST AI RMF or ISO 42001; the requirement for annual impact assessments within 90 days of deployment; and the duty to self-report algorithmic discrimination harms to the Attorney General. The Colorado Attorney General has stated he will not enforce SB 24-205 or SB 26-189 until after the rulemaking process concludes. No rulemaking timeline has been announced. The precise scope of consequential decision and the threshold for a system to materially influence such a decision are expected to be addressed in rulemaking.

Licentium advises AI developers and deployers on US state-level AI regulatory compliance, including obligations under SB 26-189 and equivalent laws in Texas, Connecticut, and other jurisdictions. We assist with consequential decision mapping, developer and deployer obligation analysis, and consumer notice implementation. Work we undertake includes AI regulatory compliance assessments, US state AI law comparison analysis, automated decision-making governance advice, and rulemaking response preparation.

Source: Colorado General Assembly, Senate Bill 26-189, Automated Decision-Making Technology in Consequential Decisions Act, signed 14 May 2026

AI Regulatory

More from the journal

See all

Illinois signs Artificial Intelligence Safety Measures Act into law, effective January 2027

Governor JB Pritzker signed the Illinois Artificial Intelligence Safety Measures Act on 6 July 2026, making Illinois the first US state to require mandatory annual third-party audits of frontier AI model developers. The Act applies to large frontier developers operating or deploying models in Illinois, requires transparency reports before each new or substantially modified frontier model deployment, and establishes civil penalties. Core obligations take effect 1 January 2027.

UK consults on modernising payment services regulation covering stablecoins and AI agents, 2026

HM Treasury launched a consultation on modernising the UK payment services regulatory regime, with responses due by 6 October 2026. The consultation addresses how to adapt regulation for tokenised payments including qualifying stablecoins, Open Banking expansion, and agentic AI systems authorised to conduct payments. It follows the February 2026 Payments Forward Plan and the government's decision to transfer Payment Systems Regulator functions to the Financial Conduct Authority.

Hong Kong SFC mandates phishing-resistant authentication for internet brokers and VATPs, July 2026

The Hong Kong Securities and Futures Commission issued a circular on 9 July 2026 requiring licensed corporations engaged in electronic trading and SFC-licensed virtual asset trading platform operators to replace one-time passwords with phishing-resistant authentication methods. Covered firms must implement passkeys or bound-device recognition for client login and device binding. Large internet brokers must act immediately. All other in-scope firms have up to 12 months to comply.